Delivery to Shared Folders via authenticated SMTP then LMTP
Duncan.Gibb at SiriusIT.co.uk
Tue Apr 21 10:55:44 EDT 2009
Andy Bennett wrote:
AB> I'm running a Debian etch server with the cyrus-2.2 (2.2.13-10)
AB> packages installed. I'm using exim 4.63 as my MTA.
OK. Not an untypical deployment...
AB> I have no "postuser:" setting in /etc/imapd.conf so I'm assuming
AB> that it's default and I can address shared folders with the
AB> "+xxx at domain" address.
The default postuser is the empty string, hence the need for "anyone"
ACLs you're seeing.
AB> I can insert and delete messages in shared.test via IMAP when I'm
AB> authenticaed as andyjpb at ashurst.eu.org
AB> I connected to my SMTP server, authenticated as
AB> andyjpb at ashurst.eu.org and sent a message to
AB> "+shared.test at ashurst.eu.org".
AB> The message was accepted by exim and then immediately bounced.
AB> MAIL FROM:<andyjpb at ashurst.eu.org> SIZE=2523
AB> RCPT TO:<+shared.test at ashurst.eu.org>
AB> 550-You do not have permission to post a message to this mailbox.
AB> I don't see an AUTH line tho... I'm authenticating as exim who
AB> should be able to authorise as andyjpb at ashurst.eu.org. How can I
AB> be sure that that is happening?
You should have lines in syslog (/var/log/maillog) from lmtpd of the form
cyrus/lmtp[<PID>]: login: <MTA.HOSTNAME> [<MTA.IP>] <authzid>
<SASL.MECH> User logged in
The authzid there will be the user as whom Exim authorized. But I don't
think that's the problem (see below).
AB> client_send = $authenticated_sender^exim^<PASSWORD>
AB> I think that should send the exim authenticated sender along
AB> as the authorisation and exim and <PASSWORD> along as the
It should, but not in the way you want. The SASL authzid isn't what
lmtpd evaluates ACLs against. To do what I think you want (ACLs for
delivery to shared mailboxes by users employing SMTPA), you need Exim to
pass the authenticated user from the SMTP transaction with the MUA into
the _MAIL_ line of the LMTP conversation. You want Exim to say:
MAIL FROM:<andyjpb at ashurst.eu.org> AUTH=<andyjpb at ashurst.eu.org>
To do that you probably want to add
authenticated_sender = $authenticated_id
to the definition of your lmtp relay.
You can check Cyrus is doing what you expect by using openssl s_client
or gnutls-cli to have a manual LMTP conversation with it:
<- 220 your.cyrus.box LMTP Cyrus v2.3.13-Sirius-2009:2.3.13-5 ready
-> lhlo authtest
<- 250-AUTH PLAIN LOGIN
-> auth plain base64.nonsense.or.go.back.to.cram-md5
<- 235 Authenticated!
-> mail from:<arbitrary at mail.addr> AUTH=<andyjpb at ashurst.eu.org>
<- 250 2.1.0 ok
-> rcpt to:<+shared.test at ashurst.eu.org>
<- 250 2.1.5 ok
<- 354 go ahead
Duncan Gibb - Technical Director
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk/ || t: +44 870 608 0063
Debian Cyrus Team
More information about the Info-cyrus