[Dovecot] Sieve/pigeonhole with Exim and Dovecot LDA

Sebastian Arcus shop at open-t.co.uk
Tue May 21 02:37:49 EEST 2013


On 20/05/13 23:40, Gedalya wrote:
> On 05/20/2013 05:13 PM, Sebastian Arcus wrote:
>> On 20/05/13 17:12, Gedalya wrote:
>>> On 05/20/2013 12:02 PM, Sebastian Arcus wrote:
>>>> Exim doesn't seem to have any variable expansion for the "From" field
>>>
>>> If using the From header actually makes sense to you... then see
>>> $h_<header name> at
>>> http://www.exim.org/exim-html-current/doc/html/spec_html/ch-string_expansions.html,
>>>
>>> you probably want to restrict the usage of this as much as possible.
>>> The envelope sender must be empty for bounces and auto-replies, pretty
>>> good article here: https://github.com/Exim/exim/wiki/EximAutoReply
>>> Later I'll read through your whole message again and maybe I'll come up
>>> with something more concrete and detailed..
>>
>> Thanks for that. I've just tried using $header_from: in my exim
>> authenticator in client mode when talking to the provider's SMTP
>> server in smart relay mode (instead of $sender_address) - but for some
>> strange reason it just won't work. I've pored over the exim logs in
>> debug mode - and so far I can't make sense of what is happening. I'll
>> try some more to figure it out and get it working.
>>
>>
>
> OK, now I had some more time to look at your situation.
> We can ask, do you really need the sender? How do you use it? You're
> trying to authenticate using the sender, do you have the passwords in a
> lookup file?

Yes - they are in a lookup file.

> Perhaps this can be a good idea: set up a special authenticator with:
> client_condition = ${if match_ip{$sender_host_address}{:@[]}{1}{0}}
> so that it can only be used for locally submitted messages (this
> _should_ work, test it), and statically configure it with credentials
> that would work with your upstream SMTP server?

This is what I'm using at the moment to authenticate against the 
provider's SMTP server (upstream) in smtp smart relay mode:

fixed_plain_client:
   driver = plaintext
   public_name = PLAIN
   client_send = ^$sender_address^${lookup{$sender_address}\
     lsearch{/etc/exim/exim-client.passwd}{$value}{fail}}


> Either way, you shouldn't have an authenticator that would trust the
> From: header and do something with it, unless the situation is very
> tightly controlled. You probably want to put more restrictions there to
> make sure this works only when intended, i.e. dovecot autoreplies.

I only have internal lan clients connecting to this server - and even
if, for any reason which I can't think of at the moment - they would want
to pass a fake "From:" header - it would be useless without passing the
right password that goes with it.

>
> Now, as for $header_from, first of all, it's "$header_from:", with the
> colon in the end.

Yes - I've tried it with the colon.

> Yea, I know.
> Secondly, I have no idea if it would be available in an authenticator.

I just tried it again, with debugging on, and I get the following:

212.227.15.163 in hosts_try_auth? yes (matched "auth.smtp.1and1.co.uk")
scanning authentication mechanisms
   SMTP>> AUTH PLAIN ************************************
tls_do_write(bfac815f, 49)
SSL_write(SSL, bfac815f, 49)
outbytes=49 error=0
waiting for data on socket
Calling SSL_read(8109288, bfac855f, 4096)
read response data: size=37
   SMTP<< 535 no password in decoded response
fixed_plain_client authenticator yielded 2
LOG: MAIN
   fixed_plain_client authenticator failed H=auth.smtp.1and1.co.uk 
[212.227.15.163] 535 no password in decoded response

I don't think header_from: is available during authentication - or 
something else is happening which is escaping me right now.


> Consider that an authenticator is not really something that is related
> to processing an individual message.
> One thing is for sure, you would need to set connection_max_messages = 1
> in the smtp transport which would be handling these messages.

That's an interesting one. I've been running several sites for a few
years now with exim in smart relay - without connection_max_messages = 1
- and had no problems so far. Maybe it's because only a few lan clients
are involved - or I've been lucky so far :-)

> I know
> that that helps to make $sender_address available in the authenticator,
> try your luck with $h_from: or try to pass that data in somehow, ACL
> variables or something, let me know how that goes - I'm curious, but if
> you need further help you should probably ask on the exim-users mailing
> list (and point me at the thread ;-))

I think I'll have to do that. Thanks again for all the suggestions.
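
Added example, not part of the original message and not Exim code: a simplified Python model of how the Exim specification describes client_send in the plaintext authenticator (a colon-separated list whose first item is sent with AUTH, with each single ^ converted to NUL), followed by an RFC 4616 field check on the result. The sample address, From: value, password and the two $header_from templates are constructed, and the expansion step is a toy substitution (a hypothetical helper), not Exim's expander.

```python
import base64
import re

# Constructed sample values; the lookup string is the one quoted in the message.
LOOKUP = "${lookup{$sender_address}lsearch{/etc/exim/exim-client.passwd}{$value}{fail}}"
VARS = {
    LOOKUP: "constructed-pass",
    "$sender_address": "user@example.org",
    "$header_from:": "User <user@example.org>",
    "$header_from": "User <user@example.org>",
}

def split_exim_list(value):
    """Split a colon-separated list; a doubled colon is a literal colon."""
    items, cur, i = [], "", 0
    while i < len(value):
        if value.startswith("::", i):
            cur, i = cur + ":", i + 2
        elif value[i] == ":":
            items.append(cur.strip())
            cur, i = "", i + 1
        else:
            cur, i = cur + value[i], i + 1
    return items + [cur.strip()]

def first_auth_string(client_send, variables=VARS):
    """Bytes sent with the AUTH command: first list item, expanded, ^ -> NUL."""
    item = split_exim_list(client_send)[0]
    # Toy expansion (hypothetical helper): plain substitution, longest name first.
    for name in sorted(variables, key=len, reverse=True):
        item = item.replace(name, variables[name])
    # A single ^ becomes NUL, ^^ becomes a literal ^.
    return re.sub(r"\^(\^?)", lambda m: "^" if m.group(1) else "\0", item).encode()

def check_plain(payload):
    """RFC 4616 layout: [authzid] NUL authcid NUL passwd."""
    parts = payload.split(b"\0")
    if len(parts) != 3:
        return "malformed: %d NUL-separated field(s), expected 3" % len(parts)
    if not parts[1] or not parts[2]:
        return "malformed: empty authcid or passwd"
    return "ok"

def wire(payload):
    """What follows 'AUTH PLAIN ' on the wire."""
    return base64.b64encode(payload).decode()

if __name__ == "__main__":
    for tmpl in ("^$sender_address^" + LOOKUP,   # as in the message
                 "^$header_from:^" + LOOKUP,     # constructed variant
                 "^$header_from::^" + LOOKUP):   # constructed, colon doubled
        p = first_auth_string(tmpl)
        print(check_plain(p), wire(p))
```

In this model the single colon after $header_from ends the first list item, so the string sent with AUTH carries no password field; decoding a captured AUTH PLAIN argument with base64 and passing it to check_plain gives the same view of a real exchange.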

