Set up Exim to authenticate users and then relay SMTP mail via smarthost using different auth


I am attempting to use Exim to function as an SMTP server which relays mail as a smarthost to our Mandrill service. (The point of this would be using Exim to authenticate our users for IMAP mail and auth them against our LDAP server while relying on Mandrill for delivery.)

I initially had Exim set up to smarthost and had the Mandrill settings in the .client file in the Exim folder. This worked correctly and I was able to use telnet or an MUA to send mail and it was relayed by Mandrill properly.

Then I enabled TLS and authentication and blocked non-authenticated users from using Exim. This also worked properly — TLS is operational and I can connect and authenticate. But something in this authentication has broken the smarthost relay — I suspect because Exim is passing my "local" LDAP auth credentials to Mandrill instead of the .client credentials I specified. The error in my mainlog file looks like this:

2014-04-24 06:54:53 1WchYz-0007Db-3E SMTP error from remote mail
server after RCPT TO:: host
smtp.us-east-1.mandrillapp.com [54.237.217.91]: 454 4.7.1
: Relay access denied

How can I set up Exim to authenticate incoming users, but use a different set of credentials to authenticate to the SMTP relay?

Best Answer

The two authentications are independent.

You enable Exim to authenticate on outgoing connections, with a client authenticator. You will need to configure a line in the Exim passwd.client file for each server you need to authenticate to. The man page for exim_passwd_client describes the format of the password file.

Incoming authentication is done with a server authenticator. These are likely commented out in the default configuration. The man page for exim_passwd describes the passwd file. You should consider enabling TLS on the submission port (587) for users to send messages. The following macros at the start of the file should enable incoming authentication.

auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
daemon_smtp_ports = 25 : 587

To allow authenticated users to send outgoing mail you will need to accept the connections at certain points. Where your configuration has a rule to handle local senders like:

accept
   hosts = +relay_from_hosts
   control = submission/sender_retain

Add a rule like:

accept
   authenticated = *
   control = submission/sender_retain
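A fuller configuration that puts the two authenticators the answer describes side by side, added here as an illustration and not taken from the question, the answer or any vendor documentation. Every hostname, LDAP DN, file path and the CONFDIR/SMARTHOST macros are placeholders; the server_condition uses Exim's ldapauth condition because the question says users are checked against LDAP, and $tls_in_cipher is the current name of the $tls_cipher variable the answer's macro uses.

```exim
# Added example, not the configuration from the question or the answer.
# All names below are placeholders: adjust CONFDIR, SMARTHOST, the LDAP
# base DN and the certificate paths to your own installation.

# ---------- main section ----------
CONFDIR   = /etc/exim
SMARTHOST = smtp.relay.example.net

domainlist local_domains   = example.org
hostlist   relay_from_hosts = 127.0.0.1 : ::1

acl_smtp_rcpt = acl_check_rcpt

# Listen on 25 (MX traffic) and 587 (submission from our own users).
daemon_smtp_ports = 25 : 587
tls_advertise_hosts = *
tls_certificate = CONFDIR/exim.crt
tls_privatekey  = CONFDIR/exim.key

# Offer AUTH only once STARTTLS has completed, so user passwords never
# cross the wire in clear text.
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

# ---------- ACLs ----------
begin acl

acl_check_rcpt:
  # Trusted hosts (e.g. the local machine) may relay.
  accept  hosts = +relay_from_hosts
          control = submission/sender_retain

  # Any client that completed SMTP AUTH against the server authenticator
  # below may relay (the rule from the answer).
  accept  authenticated = *
          control = submission/sender_retain

  # Mail for our own domains is accepted from anyone.
  accept  domains = +local_domains

  # Everything else is an open-relay attempt.
  deny    message = relay not permitted

# ---------- routers ----------
begin routers

# Routers for +local_domains (local mailboxes / IMAP store) are omitted;
# everything that is not local goes to the smarthost.
smarthost:
  driver = manualroute
  domains = ! +local_domains
  transport = smarthost_smtp
  route_list = * SMARTHOST
  no_more

# ---------- transports ----------
begin transports

smarthost_smtp:
  driver = smtp
  port = 587
  hosts_require_tls  = *
  # Never hand mail to the relay without first authenticating to it with the
  # client authenticator; a missing credential then defers the message with
  # a local log line instead of a "Relay access denied" from the far end.
  hosts_require_auth = *

# ---------- authenticators ----------
begin authenticators

# SERVER side: what our users present to us. $auth1/$auth2 are the
# username and password collected by the two LOGIN prompts, checked by
# binding to LDAP as that user.
login_server:
  driver = plaintext
  public_name = LOGIN
  server_prompts = Username:: : Password::
  server_condition = ${if ldapauth \
    {user="uid=${quote_ldap_dn:$auth1},ou=people,dc=example,dc=org" \
    pass=${quote:$auth2} \
    ldap://ldap.example.org/}}
  server_set_id = $auth1
  server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}

# CLIENT side: what we present to the smarthost. The credentials come from
# CONFDIR/passwd.client, keyed by the host we connected to ($host); the
# session the user authenticated to us with plays no part in this.
# passwd.client format (one entry per relay host):
#   smtp.relay.example.net:relay-user:relay-secret
login_client:
  driver = plaintext
  public_name = LOGIN
  hide client_send = ": ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}} \
                     : ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}"
```

The client-side lookup is keyed by $host, that is the host name Exim actually connected to as produced by the router, so the passwd.client entry must match that name (nwildlsearch also accepts a leading `*.` wildcard if the relay resolves to several hosts). With `hosts_require_auth = *` a missing or wrong entry makes Exim defer the message and log the failure itself, which is easier to diagnose than the relay's own rejection.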