Controlling Exim SMTP behaviour from Dovecot password data

Wednesday, 09. 3. 2014  –  Category: stash

Given this Dovecot passwd-file entry, with a homegrown smtp extra field appended after the standard columns:

$ head -1 /data/example.org/etc/passwd
foo@example.org:{MD5-CRYPT}$1$HASH-U-LIKE::::::updated=1409712878 smtp=no

Then this Exim ACL snippet stops that user from sending mail. Dovecot will still allow them to log in (so they can receive the mail asking them to change their password), and so will ancillary systems that authenticate against the same data (e.g. the password-changing facility):

  # Deny any authenticated sender whose passwd entry carries smtp=no
  deny    authenticated = *
          message       = User must change password before sending any new mail. See https://example.org/notices
          # The login name and its domain (last @-separated field) select the per-domain passwd file
          set acl_c_auth_sender_address = $authenticated_id
          set acl_c_auth_sender_domain  = ${extract{-1}{@}{$acl_c_auth_sender_address}}
          # lsearch returns the rest of the matching line after the login name and colon
          set acl_c_user_passwd_entry   = ${lookup{${acl_c_auth_sender_address}}lsearch{/data/${acl_c_auth_sender_domain}/etc/passwd}}
          # The last colon-separated field holds the whitespace-separated key=value extra fields
          set acl_c_user_passwd_fields  = ${extract{-1}{:}{$acl_c_user_passwd_entry}}
          set acl_c_user_smtp_field     = ${extract{smtp}{$acl_c_user_passwd_fields}}
          # Deny only when the flag is exactly "no"; an unknown user or missing flag leaves it empty
          condition     = ${if eq{$acl_c_user_smtp_field}{no}}

  • The use of ACL variables is a bit gratuitous, but it lets the large expansion be built up (and debugged) piece by piece.
  • We check $authenticated_id, not the sender address, since we permit senders to set their own From address, but they still need to authenticate with their real account.
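As an added example that is not part of the original post, this Python script emulates the ACL's expansion chain (lsearch on the login name, last colon-separated field, then the smtp key=value pair) against a constructed passwd-file, so you can audit which accounts would be refused before touching the live Exim configuration; the sample entries and helper names are my own.

```python
# Offline emulation of the Exim ACL's lookup and extract steps for a Dovecot passwd-file.
from __future__ import annotations

# Constructed sample of /data/<domain>/etc/passwd (not real credentials).
SAMPLE_PASSWD = """\
# lsearch ignores comment lines and blank lines
foo@example.org:{MD5-CRYPT}$1$HASH-U-LIKE::::::updated=1409712878 smtp=no
bar@example.org:{MD5-CRYPT}$1$OTHERHASH::::::updated=1409712878 smtp=yes
baz@example.org:{MD5-CRYPT}$1$THIRDHASH::::::
"""

def lsearch(text: str, key: str) -> str | None:
    """Emulate Exim lsearch: the key ends at the first ':' or whitespace;
    return the rest of the matching line with that colon and padding removed."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        end = next((i for i, ch in enumerate(line) if ch == ":" or ch.isspace()), len(line))
        if line[:end] == key:
            rest = line[end:]
            if rest.startswith(":"):
                rest = rest[1:]
            return rest.strip()
    return None

def extra_fields(entry: str) -> dict[str, str]:
    """${extract{-1}{:}{entry}} yields the last colon field; the keyed extract
    then reads whitespace-separated key=value pairs from it."""
    fields = {}
    for token in entry.split(":")[-1].split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields

def smtp_denied(passwd_text: str, authenticated_id: str) -> bool:
    """True when the ACL's final condition ${if eq{$acl_c_user_smtp_field}{no}} holds."""
    entry = lsearch(passwd_text, authenticated_id)
    if entry is None:  # failed lookup: the variable stays empty, so the condition is false
        return False
    return extra_fields(entry).get("smtp", "") == "no"

def denied_users(passwd_text: str) -> list[str]:
    """Audit helper: every login in the file that the ACL would stop from sending."""
    logins = [ln.split(":", 1)[0] for ln in passwd_text.splitlines()
              if ln.strip() and not ln.lstrip().startswith("#")]
    return [login for login in logins if smtp_denied(passwd_text, login)]
```

Run it against a copy of a real passwd-file to confirm only the intended accounts are listed before enabling the deny statement.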
