Johnnie W Adams via Exim-users wrote on 10.04.2025 20:29:
> Here's the full authenticator:
>
> begin authenticators
>
> login:
>   driver = plaintext
>   server_set_id = $auth1
>   server_prompts = <| Username: | Password:
>   server_advertise_condition = ${if def:tls_in_cipher }
>   server_condition = ${if and{ \
>       { !eq{}{$auth1} } \
>       { ldapauth { \
>           user=${lookup ldapdn{user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com" pass="password" ldaps://auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap_dn:$auth1})}} \
>           pass=${quote:$auth2} \
>           ldaps://auth.example.com/ \
>         } \
>       } \
>     } \
>   }
try this

server_condition = \
  ${lookup ldapdn{\
    user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com" \
    pass="password" \
    ldaps://auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?\
    (uid=${quote_ldap_dn:$auth1})\
  }{\
    ${if ldapauth { \
      user=${quote_ldap:$value} \
      pass=${quote:$auth2} \
      ldaps://auth.example.com/\
    }{true}{false}}\
  }{false}}

> I'm unsure how much of the exim.conf file you'd like me to post--it's
> three-hundred-some lines. Here's the ACL which checks for authentication:
>
> acl_check_rcpt:
>
>   accept  hosts = :
>           control = dkim_disable_verify
>
>   deny    message = Sender address $sender_address denied - contact IT Services for assistance
>           senders = +deny_from_senders
>
>   discard message = Sender address $sender_address discarded - contact IT Services for assistance
>           senders = +discard_from_senders
>
>   deny    message = Unauthorized use of SMTPA by $authenticated_id - contact IT Services for assistance
>           authenticated = *
>           condition = ${lookup {$authenticated_id}lsearch{/etc/exim/allowed_accounts}{no}{yes} }
>           log_message = auth_rejection not_allowed $authenticated_id
>
>   deny    message = Encrypted connection required - contact IT Services for assistance
>           !encrypted = *
>           condition = ${if ={$interface_port}{587}}
>
>   deny    message = Authentication required - contact IT Services for assistance
>           !authenticated = *
>           condition = ${if ={$interface_port}{587}}
>
>   deny    message = Restricted characters in address - contact IT Services for assistance
>           domains = +local_domains
>           local_parts = ^[.] : ^.*[@%!/|]
>
>   deny    message = Over rate limit for host $sender_host_address
>           log_message = ratelimit_deny: sender host rate for $sender_host_address is $sender_rate / $sender_rate_period
>           hosts = !+skip_all_ratelimit : !+skip_host_ratelimit
>           ratelimit = ${eval:RATELIMIT_THRESHOLD*2} / RATELIMIT_PERIOD / strict
>
>   defer   message = Over rate limit for host $sender_host_address
>           log_message = ratelimit_defer: sender host rate for $sender_host_address is $sender_rate / $sender_rate_period
>           hosts = !+skip_all_ratelimit : !+skip_host_ratelimit
>           ratelimit = RATELIMIT_THRESHOLD / RATELIMIT_PERIOD / strict
>
>   defer   message = Over rate limit for sender $sender_address
>           log_message = ratelimit_defer: sender address rate for $sender_address is $sender_rate / $sender_rate_period
>           hosts = +enforce_sender_ratelimit : !+skip_all_ratelimit : !+accept_from_mta_hosts
>           senders = !+skip_sender_ratelimit
>           ratelimit = RATELIMIT_THRESHOLD / RATELIMIT_PERIOD / strict / key=$sender_address
>
>   warn    add_header = X-UALR-Submitted-From: $sender_host_address
>
>   deny    message = Restricted characters in address - contact IT Services for assistance
>           domains = !+local_domains
>           local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
>
>   accept  local_parts = postmaster
>           domains = +local_domains
>
>   require verify = sender
>
>   accept  hosts = +accept_from_mta_hosts
>           control = dkim_disable_verify
>
>   accept  hosts = +accept_from_mua_hosts
>           control = submission/sender_retain
>           control = dkim_disable_verify
>
>   accept  authenticated = *
>           control = submission
>           control = dkim_disable_verify
>
>   require message = Initial HELO is required - contact IT Services for assistance
>           condition = ${if def:sender_helo_name}
>
>   require message = Relay not permitted - contact IT Services for assistance
>           domains = +local_domains : +relay_to_domains
>
>   require verify = recipient
>
>   accept
>
> Thanks,
>
> John A
>
> On Thu, Apr 10, 2025 at 11:07 AM Jeremy Harris via Exim-users <exim-users@lists.exim.org> wrote:
>
>> On 2025/04/10 4:43 PM, Johnnie W Adams via Exim-users wrote:
>>> So the bind authorization is succeeding, which leaves me with the question
>>> of why I can do a 'real' authentication with the account 'foo' and the
>>> password 'foo':
>>
>> So you need to look at how that result is being used, with reference
>> to the requirements of that authenticator driver and your config.
>>
>> Which you haven't shown us.
>> --
>> Cheers,
>>   Jeremy
>>
>> --
>> ## subscription configuration (requires account):
>> ##   https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
>> ## unsubscribe (doesn't require an account):
>> ##   exim-users-unsubscr...@lists.exim.org
>> ## Exim details at http://www.exim.org/
>> ## Please use the Wiki with this list - http://wiki.exim.org/
>>
>

--
Best wishes
Viktor Ustiuhov
mailto:vic...@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc
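The following is an added example, not code from either message in this thread and not a diagnosis of the foo/foo result John reports. It shows the same search-then-bind LOGIN authenticator written so that every path ends in an explicit yes/no: an empty username, an empty password, a DN lookup that fails or is ambiguous, and a failed bind all reject the AUTH attempt instead of relying on expansion failure. The service account DN and password, the LDAP host and the search base are the placeholders from John's post and are assumed, not real values. Two deliberate differences from the posted configs: the username inside the search filter is quoted with quote_ldap (Exim's filter-quoting operator; quote_ldap_dn is for DN components), and the `!eq{$auth2}{}` check is a belt-and-braces guard against an unauthenticated simple bind (RFC 4513 section 5.1.2), which some directories accept when the password is empty.

```exim
begin authenticators

login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = <| Username: | Password:
  # Only offer AUTH LOGIN on a TLS session (same as the posted config).
  server_advertise_condition = ${if def:tls_in_cipher}
  server_set_id = $auth1
  # Assumed placeholders: service account DN/password, host and base DN
  # are taken from the thread and are not real credentials.
  # Step 1: bind as the service account and resolve the login name to a DN.
  #         ldapdn fails if no entry, or more than one entry, matches.
  # Step 2: bind as that DN with the supplied password (ldapauth).
  # Empty $auth1 or $auth2 is refused before any LDAP traffic happens.
  server_condition = ${if and{ \
      {!eq{$auth1}{}} \
      {!eq{$auth2}{}} \
      {bool{${lookup ldapdn{ \
          user="CN=svc_domainjoin,OU=SVCAccounts,OU=ITS,OU=Organizations,DC=ad,DC=example,DC=com" \
          pass="password" \
          ldaps://auth.example.com/OU=Service%20Accounts,DC=ad,DC=example,DC=com?dn?sub?(uid=${quote_ldap:$auth1})\
        }{${if ldapauth{user=${quote:$value} pass=${quote:$auth2} ldaps://auth.example.com/}{yes}{no}}} \
        {no}}}} \
    }{yes}{no}}
```

When checking a change like this, run the daemon in the foreground with the `auth` and `lookup` debug selectors enabled (`exim -bd -d+auth+lookup`) and attempt an AUTH LOGIN over TLS: the debug output shows the expanded ldapdn query, the DN it returned (or the lookup failure) and the result of the ldapauth bind, so it is visible which of the four reject paths fired rather than only the final 535.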