Adding Authenticated SMTP to Exim

Authenticated SMTP

With authenticated SMTP, you can control who may send E-Mail through your server. With control such as this, you can set up your network so that it also allows users who are not located inside it to send E-Mail: anything from inside the network is accepted, while anyone outside must authenticate. This means that roaming users are in good hands. It also means you can trace a message back to the user who logged in (if they authenticated). For example, the log entries may look like the following (the unauthenticated entry first; the differences are the P= protocol field, smtp versus asmtp, and the A= field naming the authenticator and user):
2003-08-18 16:04:25 19os6v-000GxP-5X <= joe@sharktooth.org H=sharktooth.org [207.173.156.3] P=smtp S=3654 id=99327$0bC49Hckb4Uecr@ywndp.your-world-news.com
2003-08-18 16:04:25 19os6y-000GyU-3B <= joe@sharktooth.org H=sharktooth.org [207.173.156.3] P=asmtp A=plain:joe S=929 id=3F414EAB.2010107@relia.net
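The trace back to a logged-in user depends on reading those P= and A= fields. As an added example (not part of the original page), here is a small Python audit that parses Exim's "<=" arrival log lines, records the authenticator and user from A=, and lists messages accepted from remote hosts without authentication. The log lines embedded in it are constructed for the example; the hosts, addresses and ids are made up.

```python
import re

# Constructed sample Exim main-log lines (same shape as Exim's "<=" arrival
# records; hosts, addresses and message ids are made up for this example).
SAMPLE_LOG = """\
2003-08-18 16:04:25 19os6v-000GxP-5X <= joe@example.org H=mail.example.org [192.0.2.10] P=smtp S=3654 id=a1@example.org
2003-08-18 16:04:25 19os6y-000GyU-3B <= joe@example.org H=mail.example.org [192.0.2.10] P=asmtp A=plain:joe S=929 id=b2@example.org
2003-08-18 16:05:01 19os7a-000Gz0-1Q <= root@localhost U=root P=local S=412
2003-08-18 16:06:12 19os7b-000Gz1-9K <= alice@example.org H=(laptop) [198.51.100.7] P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 A=login:alice S=2210 id=c3@example.org
"""

# timestamp, Exim message id, "<=" marker, envelope sender, then key=value fields
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<msgid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$"
)


def parse_fields(rest):
    """Split 'H=host [ip] P=asmtp A=plain:joe ...' into a dict.

    A token without '=' (such as the '[ip]' after H=host) continues the
    previous field's value.
    """
    fields = {}
    key = None
    for tok in rest.split():
        k, eq, v = tok.partition("=")
        if eq and k.isalpha():
            key = k
            fields[k] = v
        elif key is not None:
            fields[key] += " " + tok
    return fields


def audit(log_text):
    """One dict per arrival record, with the authentication verdict."""
    records = []
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m:
            continue  # not an arrival record (delivery, defer, etc.)
        f = parse_fields(m["rest"])
        auth = f.get("A")  # Exim logs A=<authenticator name>:<server_set_id>
        mech, _, user = auth.partition(":") if auth else ("", "", "")
        records.append({
            "msgid": m["msgid"],
            "sender": m["sender"],
            "host": f.get("H"),
            "protocol": f.get("P"),
            "authenticated": auth is not None,
            "auth_mechanism": mech or None,
            "auth_user": user or None,
        })
    return records


def unauthenticated_remote(log_text):
    """Message ids accepted over SMTP (not local submission) without AUTH."""
    return [r["msgid"] for r in audit(log_text)
            if r["protocol"] != "local" and not r["authenticated"]]


if __name__ == "__main__":
    for r in audit(SAMPLE_LOG):
        who = f"{r['auth_mechanism']}:{r['auth_user']}" if r["authenticated"] else "none"
        print(f"{r['msgid']} from {r['sender']} via {r['protocol']} auth={who}")
    print("unauthenticated remote submissions:", unauthenticated_remote(SAMPLE_LOG))
```

Run against a real mainlog, the unauthenticated_remote list is the set of messages you cannot tie to a login; once relaying from outside is restricted to authenticated clients, that list should contain only mail arriving from your own network.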
You can accomplish this with the following entries in the authenticators section of the Exim configuration (see the Exim documentation for more information). In short, these two authenticators are what most clients need for authenticated SMTP: Outlook Express uses the LOGIN authenticator, while Netscape/Mozilla uses the PLAIN authenticator. The implementations below look the passwords up in a database, where they are stored as hashes produced by the Unix crypt() function. You can store plain passwords, but that is dangerous. You can also enable further cryptographic protection on top of this, but that is beyond our example:
# Both authenticators take the offered password, look the user's stored
# crypt() hash up in MySQL, and compare the two with crypteq. The
# ${quote_mysql:...} wrapper escapes the client-supplied name before it
# is interpolated into the SQL, so a quote in it cannot alter the query.

plain:
  driver = plaintext
  public_name = PLAIN
  # $1 is the (usually empty) authorization id, $2 the username, $3 the password
  server_condition = "${if and { \
      {!eq{$2}{}} \
      {!eq{$3}{}} \
      {crypteq{$3}{${lookup mysql{SELECT password FROM users WHERE username='${quote_mysql:$2}'}{$value}fail}}} \
    } {yes}{no}}"
  server_set_id = $2

login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  # $1 is the username, $2 the password
  server_condition = "${if and { \
      {!eq{$1}{}} \
      {!eq{$2}{}} \
      {crypteq{$2}{${lookup mysql{SELECT password FROM users WHERE username='${quote_mysql:$1}'}{$value}fail}}} \
    } {yes}{no}}"
  # the id recorded in the log (A=login:<id>) must be the username, $1, not the password
  server_set_id = $1
Notice the two differences between the authenticators. The first is the public_name, which is PLAIN for one and LOGIN for the other (see above for which is used by which software).

The second difference is that LOGIN uses $1 for the username and $2 for the password, while PLAIN uses $2 for the username and $3 for the password. This is because AUTH PLAIN supplies all of its fields on a single line, with the first field (the authorization identity) left blank by most clients, so $1 would be blank; AUTH LOGIN supplies the username and then the password in response to the server's prompts, so the username lands in $1.
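To make the variable numbering and the server_condition logic above concrete, here is an added Python model of the two authenticators (example code, not the page's configuration and not Exim's own code). It decodes an AUTH PLAIN blob into $1/$2/$3 and AUTH LOGIN replies into $1/$2, then applies the same check the configuration does: both fields non-empty, user present in the table, offered password matches the stored hash. Two stand-ins are assumed: an in-memory sqlite3 table replaces the MySQL users table, and PBKDF2-HMAC-SHA256 replaces crypt() because Python's crypt module is deprecated and removed in 3.13; the parameterised query plays the role of quoting the client-supplied username before it reaches the SQL.

```python
import base64
import hashlib
import hmac
import os
import sqlite3

# The user table is constructed in memory (sqlite3 stands in for the page's
# MySQL "users" table). Exim's crypteq compares against crypt()-style hashes;
# Python's crypt module is deprecated and gone in 3.13, so PBKDF2-HMAC-SHA256
# stands in for crypt() here. The shape of the check is unchanged: hash the
# offered password and compare it to the stored hash in constant time.


def make_hash(password, rounds=100_000):
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2${rounds}${salt.hex()}${dk.hex()}"


def check_hash(password, stored):
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_user_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("joe", make_hash("correct horse")),
                    ("alice", make_hash("battery staple"))])
    return db


def lookup_password(db, username):
    """SELECT password FROM users WHERE username=... as a parameterised query,
    the analogue of wrapping the variable in ${quote_mysql:...} in Exim so a
    quote character in the client-supplied name cannot change the SQL."""
    row = db.execute("SELECT password FROM users WHERE username = ?",
                     (username,)).fetchone()
    return row[0] if row else None  # None corresponds to the lookup's "fail"


def decode_auth_plain(blob_b64):
    """AUTH PLAIN sends one base64 blob: authzid NUL authcid NUL password.
    Exim puts the three parts in $1, $2, $3; $1 is blank for most clients."""
    parts = base64.b64decode(blob_b64).decode().split("\x00")
    if len(parts) != 3:
        raise ValueError("malformed AUTH PLAIN payload")
    return tuple(parts)


def decode_auth_login(user_b64, password_b64):
    """AUTH LOGIN collects two prompted base64 replies: $1 user, $2 password."""
    return (base64.b64decode(user_b64).decode(),
            base64.b64decode(password_b64).decode())


def server_condition(db, username, password):
    """The page's server_condition: both fields non-empty, user found, hash ok."""
    if not username or not password:
        return False
    stored = lookup_password(db, username)
    if stored is None:
        return False
    return check_hash(password, stored)


def authenticate_plain(db, blob_b64):
    _, user, password = decode_auth_plain(blob_b64)  # $1 (authzid) is ignored
    ok = server_condition(db, user, password)
    return ok, (user if ok else None)  # server_set_id = $2


def authenticate_login(db, user_b64, password_b64):
    user, password = decode_auth_login(user_b64, password_b64)
    ok = server_condition(db, user, password)
    return ok, (user if ok else None)  # server_set_id = $1


def b64(text):
    """Base64 a string the way a mail client would before sending it."""
    return base64.b64encode(text.encode()).decode()


if __name__ == "__main__":
    db = build_user_db()
    print("PLAIN joe:", authenticate_plain(db, b64("\x00joe\x00correct horse")))
    print("LOGIN alice:", authenticate_login(db, b64("alice"), b64("battery staple")))
    print("LOGIN bad pw:", authenticate_login(db, b64("alice"), b64("nope")))
```

The second element of each result is what the authenticator would hand to server_set_id, and therefore what appears after A= in the log; note that for LOGIN it is the first prompted reply ($1), which is why the configuration must not record $2 there.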

Once these authenticators are configured to your needs, add the following line to the main section of the configuration:
auth_advertise_hosts = *
This advertises AUTH to every host that connects to send E-Mail. Now you can configure your clients to use authentication for SMTP, and it should work fine! Congratulations!

Template and Content © Joe Lewis