Allowing Authenticated Relay only from certain IP addresses

roarkh (Verified User, joined Aug 30, 2005, Bellingham, WA)
Hello,

I would like to temporarily allow Exim to only accept authenticated SMTP connections from a specific list of IP addresses. I am not an Exim expert so wanted to post my proposed solution here for feedback before modifying my config file.

In exim.conf under Edit #14 is this line...

Code:
hostlist auth_relay_hosts = *

Can I simply change that to something like...

Code:
hostlist auth_relay_hosts = /etc/virtual/whitelist_auth_relay_hosts_ip

and then simply create the file /etc/virtual/whitelist_auth_relay_hosts_ip, change its ownership to mail and populate it with the IP addresses I want to accept authenticated connections from?

Is it really just that easy? Or am I missing something?

Thanks for any input anyone can provide.
 
Thanks Alex,

One question, here are some more of the entries I found in EDIT#14 in our current exim.conf (in case it helps here is the version: SpamBlockerTechnology* powered exim.conf, Version 4.2.3 released 7/9/2014.)...

Code:
hostlist auth_relay_hosts = *
hostlist bad_sender_hosts = lsearch;/etc/virtual/bad_sender_hosts
hostlist bad_sender_hosts_ip = /etc/virtual/bad_sender_hosts_ip
hostlist whitelist_hosts = lsearch;/etc/virtual/whitelist_hosts
hostlist whitelist_hosts_ip = /etc/virtual/whitelist_hosts_ip

The reason I went without the "lsearch;" bit is that in my current file the IP lists do not have it; look above at "hostlist bad_sender_hosts_ip" and "hostlist whitelist_hosts_ip". They seem to indicate that when choosing a list of IPs the "lsearch;" might not be necessary.

I have a number of IPs in bad_sender_hosts_ip that are being blocked so at least for that list it appears the "lsearch;" piece is not needed.
 
I thought I'd found the answer here (exim.org) but this confuses me even more than I was before I read it.

My recollection is that I took out the lsearch modifier to enable expansion of slash notation, for example, to allow use of 1.2.3.0/25.

Testing may be in order.

Jeff
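An added illustration (not from the thread and not Exim's own code) of the difference the posters are circling: a plain "/path" host-list item is read as a list of host patterns, so a line such as 1.2.3.0/25 matches a whole range, while "lsearch;/path" looks the client IP up as an exact key. The file contents and IPs are constructed, and modelling the ACL as "accept hosts = +auth_relay_hosts, authenticated = *" is an assumption about this exim.conf.

```python
import ipaddress

# Constructed contents of /etc/virtual/whitelist_auth_relay_hosts_ip
WHITELIST_FILE = """\
203.0.113.10

198.51.100.0/25
"""


def parse_entries(text):
    """Non-empty lines of the file, one entry per line."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def file_item_match(client_ip, text):
    """Plain '/path' item: each line is a host pattern, CIDR allowed."""
    addr = ipaddress.ip_address(client_ip)
    for entry in parse_entries(text):
        # a bare address becomes a /32 network, a CIDR entry stays a range
        if addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def lsearch_match(client_ip, text):
    """'lsearch;/path' item: the client IP is the lookup key, exact match only,
    so a CIDR line never matches a single address."""
    return any(entry == client_ip for entry in parse_entries(text))


def allow_auth_relay(client_ip, authenticated, text, use_lsearch=False):
    """Assumed ACL shape: relay is accepted only when the session is
    authenticated AND the connecting host is in auth_relay_hosts."""
    if not authenticated:
        return False
    match = lsearch_match if use_lsearch else file_item_match
    return match(client_ip, text)


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.77", "198.51.100.200"):
        print(ip, "file item:", file_item_match(ip, WHITELIST_FILE),
              "lsearch:", lsearch_match(ip, WHITELIST_FILE))
```

The /25 entry covers 198.51.100.0 through 198.51.100.127, so the .200 address is refused by both forms, while the .77 address is accepted only by the plain file item.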
 