Discussion:
[exim] Different password for remote SMTP relay
Jacob Hansen
2015-11-26 20:04:22 UTC
Hi,

Currently I have my exim configuration set to send all e-mails using an
external SMTP server. All users authenticate with my exim server with a
local password and then the messages sent are relayed through a smarthost
to a remote SMTP server, which uses a different login compared to the
one used directly by the users connected to my exim server (running
cPanel). Here's the current configuration:

remote_route:
driver = manualroute
domains = !+local_domains
transport = remote_transport
route_list = * remotesmtpserver.com

remote_transport:
driver = smtp
port = 587
hosts_require_auth = <; $host_address
hosts_require_tls = <; $host_address

remote_login:
driver = plaintext
public_name = LOGIN
hide client_send = : remote_username : remote_password

This all works well and as intended.

The problem is that I want to use a different remote_username and
remote_password for a select group of users/senders. The login names
(for my exim server) are full e-mail addresses, so I have added these
e-mail addresses to a file /etc/differentlogin (i.e. a list of e-mail
addresses separated by a new line).

I then tried the following setup in the remote_login section:

remote_login:
driver = plaintext
public_name = LOGIN
hide client_send =
${lookup{$authenticated_id}lsearch{/etc/differentlogin}{:
different_username : different_passsword}{: remote_username :
remote_password}

However this gives me the following EXIM error when attempting to send
e-mails:

== ***@address.com R=remote_route T=remote_transport defer (-48):
expansion of "${lookup{$authenticated_id}lsearch{/etc/differentlogin}{"
failed in mandrill_login authenticator: missing } at end of string

I attempted using $sender_address instead of $authenticated_id, but this
gives me the same result.

Adding another } as suggested, i.e.

hide client_send =
${lookup{$authenticated_id}lsearch{/etc/differentlogin}}{:
different_username : different_passsword}{: remote_username :
remote_password}

gives me failed login (the login details are correct, but maybe an
additional } is added to the login instructions or something):

SMTP<< 435 4.7.8 Error: authentication failed:

To check the syntax of my conditional I tried to add the following to my
remote_transport (without the additional } ):

headers_add = X-SenderTest:
${lookup{$authenticated_id}lsearch{/etc/differentlogin}{different}{normal}}

This works as expected and adds the following header when sending an
e-mail from the addresses/logins noted in the list /etc/differentlogin:

X-SenderTest: different

Anyone got any tips? Is there a way I can log the username/password that
is being used to login to the remote SMTP with?

I was originally going to create two different authenticators and two
route/transport but I could find no way to have two plaintext
authenticators and define a specific one for the different
route/transport. If this is possible it may be cleaner that way.

Your help is much appreciated.

Jacob
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the
Mike Brudenell
2015-11-27 10:42:21 UTC
Hi, Jacob -

*Disclaimer:* I've not used this myself, so this is hypothesis but worth a
try…
Post by Jacob Hansen
driver = plaintext
public_name = LOGIN
hide client_send =
remote_password}
However this gives me the following EXIM error when attempting to send
expansion of "${lookup{$authenticated_id}lsearch{/etc/differentlogin}{"
failed in mandrill_login authenticator: missing } at end of string
You need to add the closing "}" to match the opening "${" of the lookup,
otherwise the line is syntactically incorrect. Always check your braces
balance.
Post by Jacob Hansen
Adding another } as suggested, i.e.
hide client_send =
remote_password}
gives me failed login (the login details are correct, but maybe an
SMTP<< 435 4.7.8 Error: authentication failed:
By adding the closing "}" you've got the line syntactically correct but
it's not working as you expect.

I think you're trying to do something that the Exim Specification says you
can't… you're trying to use a single lookup to generate a single
colon-separated string and then expecting Exim to split this into its
component parts.

But if you read the *Using plaintext in a client* section of the
Specification you'll see

Note: You cannot use expansion to create multiple strings, because
splitting takes priority and happens first.


The value of client-send is a number of strings in a colon-separated list,
and parsing the line/splitting it at the colons happens *before* the string
expansion. So I suspect you'll need to use a separate lookup to generate
each string in turn. For example…

hide client_send = ${lookup{$authenticated_id}lsearch{/etc/differentlogin}{:
different_username : different_passsword}{: remote_username :
remote_password}

hide client_send = : ${lookup{$authenticated_id}lsearch{/etc/differentlogin}{different_username}} :
${lookup{$authenticated_id}lsearch{/etc/differentlogin}{different_password}}


If you might want to use different username/password pairs based on the
username matched in /etc/differentlogin you could probably do something
funky by putting the username/password pair in the file as the value of the
entry with a separator character. (Properly securing the file of course!)

In each of the two lookups above you could then split the value at the
separator character and use the first element as the username and the
second for the password.

You'd have to weigh the merits/security/safety of storing passwords in a
file though, and also be careful to choose a separator character for the
username/password pair that can never appear in either!

Cheers,
Mike B-)
--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
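
The per-element form described above, written out with a fallback to the default credentials from the original configuration, as an added example that is not part of the original posts. The `|` separator, the sample file entry and the placeholder credential names are assumptions.

```exim
# Added example (not from the thread). Placeholders: remote_username,
# remote_password, different_username, different_password.
#
# client_send is split at the colons first; each element is then expanded
# on its own. Every element therefore carries a complete ${lookup...} with
# both a "found" and a "not found" result, and no colon sits inside braces.

remote_login:
  driver = plaintext
  public_name = LOGIN
  hide client_send = : \
    ${lookup{$authenticated_id}lsearch{/etc/differentlogin}\
      {different_username}{remote_username}} : \
    ${lookup{$authenticated_id}lsearch{/etc/differentlogin}\
      {different_password}{remote_password}}

# Variant: one credential pair per sender, stored as the lookup data.
# Constructed sample line for /etc/differentlogin; "|" is an assumed
# separator that must never occur in a username or password:
#
#   alice@example.com: relay-user-a|relay-pass-a
#
# Replace the client_send setting above with:
#
#   hide client_send = : \
#     ${lookup{$authenticated_id}lsearch{/etc/differentlogin}\
#       {${extract{1}{|}{$value}}}{remote_username}} : \
#     ${lookup{$authenticated_id}lsearch{/etc/differentlogin}\
#       {${extract{2}{|}{$value}}}{remote_password}}
#
# Notes for the variant:
# - The file now holds secrets. Make it readable only by root and the
#   Exim runtime user. "hide" keeps the option value out of "exim -bP"
#   output for non-admin users; it does nothing for the file itself.
# - The plaintext authenticator converts a single "^" in each string to
#   a NUL byte, so a password containing "^" must be stored as "^^".
```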
Jacob Hansen
2015-11-29 11:42:44 UTC
That's exactly what I needed, works like a charm. Thanks a lot!

Jacob
Jeremy Harris
2015-11-27 10:44:19 UTC
Post by Jacob Hansen
driver = plaintext
public_name = LOGIN
hide client_send =
remote_password}
However this gives me the following EXIM error when attempting to send
expansion of "${lookup{$authenticated_id}lsearch{/etc/differentlogin}{"
failed in mandrill_login authenticator: missing } at end of string
It's splitting the list (on colons) *before* expanding
each element, where you're expecting the other way around.

As the manual says:
"The string is a colon-separated list of authentication data strings.
Each string is independently expanded before being sent to the server."

You could verify that by watching the auth process and expansions
using a commandline debug option.

You'll need to do an expansion per list-element.

Also, add any comments you have to
https://bugs.exim.org/show_bug.cgi?id=1606
--
Cheers,
Jeremy
Heiko Schlittermann
2015-11-27 18:12:54 UTC
Hello Jacob,

Jacob Hansen <***@chosting.dk> (Do 26 Nov 2015 21:04:22 CET):
Post by Jacob Hansen
The problem is that I want to use a different remote_username and
remote_password for a select group of users/senders. The login names (for my
exim server) are full e-mail addresses, so I have added these e-mail
addresses to a file /etc/differentlogin (i.e list of e-mail addresses
separated by a new line).
Beside the notes from Jeremy

I think I've an example setup for what you want to achieve.

hg clone https://ssl.schlittermann.de/hg/exim-smart-config

# The smarthosts file
# -------------------
# All relevant information about the smarthosts is stored
# in one place. This place is the "smarthosts" file. The structure
# is simple. It consists of lines as in the example:
#
# # sender |servers[::port] |user|password
# # -----------+-----------------+----+---------
# ***@bar.com foobar.com foo secret
# ***@bar.com a.com:b.com::25 foo sicrit
# *@bar.com bar.com/mx:25 fuz secret2
# * smtp.gmail.com xxx baz
#
# Note: the "servers::[port]" field is used as "route_data", thus all
# rules for route_data apply (see spec.txt, 20.3).
# - multiple servers are colon (:) separated
# - you can use indirect lists by appending /mx
# - you can specify a port number numerically (per default we use 587)

Best regards from Dresden/Germany
Many greetings from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -