Re: [exim] Restricting SMTP access
On 2006-02-15 at 11:49 -, Edward Kay wrote:
> I want to stop any hosts that I don't explicitly allow from accessing my
> SMTP server.

Move the problem out of the Exim configuration logic to keep things simple.

If there is no legitimate reason for any server to directly contact your host (and you've put in MX records for your _host_ which point to the real servers, too, to ensure this) then simply don't accept a connection from unauthorised hosts. Either:

 (1) Rebuild Exim against libwrap from the TCP Wrappers project. Search for USE_TCP_WRAPPERS in the default src/EDITME / Local/Makefile config.

Or:

 (2) Use packet-filtering rules, which you're likely to have a config panel for already (I don't know CPanel, sorry).

Or use both. I recommend using the packet filter to make the port appear closed. That way potentially malicious packets won't even reach the server code.

-- 
I am keeping international relations on a peaceable footing.
You are biding your time before acting.
He is coddling tyrants.
 -- Roger BW on topic of verb conjugation

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
[exim] Restricting SMTP access
AIM:
I want to stop any hosts that I don't explicitly allow from accessing my SMTP server.

BACKGROUND:
---
The MX records for my domains point to an external screening/filtering service. This then relays the mail to my Exim server that contains the mailboxes. I also receive local mail on the server from cron jobs and web applications. The server also acts as our SMTP server, allowing connection from any host but only for authenticated users.

At the moment, spammers are connecting directly to the Exim server, setting both the sender and recipient addresses to be on local domains and these mails are then delivered to the local mailboxes. As all external mail received should be routed through the servers specified in the MX records, I want to prevent anyone except our authenticated users and the external screening server from being able to send mail using our SMTP server.

CURRENT SETUP:
--
The server uses CPanel/WHM and has the default CPanel exim.conf (http://www.cpanelplanet.com/showthread.php?p=59). The only change I have made to this default config is to add an extra lsearch;/path/to/file to the relay_hosts hostlist - this file contains the IP addresses used by our external screening service so as to allow them to relay mail to us.

MY ATTEMPTS TO ACHIEVE THIS SETUP:
--
1. I considered adding

     deny hosts = !+relay_hosts

   at the top of the check_recipient ACL (after "accept hosts = :" and "require verify = sender"). From what I can see however, this would prevent our authenticated users on unknown hosts from using the SMTP server because it would come before:

     warn    message   = ${perl{popbeforesmtpwarn}{$sender_host_name}}
             hosts     = +relay_hosts

     accept  hosts     = +relay_hosts

     warn    message   = ${perl{popbeforesmtpwarn}{$sender_host_address}}
             condition = ${perl{checkrelayhost}{$sender_host_address}}

     accept  condition = ${perl{checkrelayhost}{$sender_host_address}}

2. I also considered creating an acl_smtp_connect ACL.

   I expect this would have the same problem as the above in that authenticated users on unknown hosts would be rejected before their access credentials were checked. I also found a mail in the archives (http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20040913/msg00088.html) suggesting this may be a bad idea as connection refusal could anger spammers, triggering attacks.

CAN YOU HELP?:
--
I'd be very grateful for any advice on how to best achieve this.

Thanks for your time in reading this (lengthy) mail.

Regards,
Edward
Re: [exim] Restricting SMTP access
Edward Kay wrote:
> I want to stop any hosts that I don't explicitly allow from accessing my
> SMTP server.
[...]
> 1. I considered adding
>
>      deny hosts = !+relay_hosts

This is good.

> at the top of the check_recipient ACL (after "accept hosts = :" and
> "require verify = sender"). From what I can see however, this would
> prevent our authenticated users on unknown hosts from using the SMTP
> server because it would come before:
>
> [pop-before-SMTP ACL rules]

Fair enough. Can't you put the "deny hosts = !+relay_hosts" after these checks?

A more radical solution which may be overkill for your situation but is good in the general case is to use something like Tony Finch's fantastic personalities idea:

http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/doc/talks/2005-02-eximconf/paper.html#3.%20Multiple%20personalities

Here, you have different ACLs for different mailserver personalities. Personalities can be things like:

- inbound SMTP mailhub (MX)
- submission from end users (MUAs)
- smarthost services for other servers
- delivery personality (for actually delivering to end mailboxes)

In your case you would probably want the first two, the first for deliveries from your scanning servers and the second for end users. You differentiate between the personalities by running Exim on multiple IP addresses, ports or both.

The extra bonus here is that it makes it easier and less messy to do specific things (like turn on submission mode) for specific personalities only. I've used an adapted version to great effect. However it will mean pretty much rewriting your config from scratch. Tony's examples are a great start.

Tim
RE: [exim] Restricting SMTP access
> Fair enough. Can't you put the "deny hosts = !+relay_hosts" after these
> checks?

I'm afraid this wouldn't help as the message would have already been accepted by "accept domains = +local_domains". (The problem is spammers connect and set both the sender and recipient addresses to be in a local domain).

I think the solution may be to remove rules rather than add them. Currently the ACL is:

  accept  hosts = :

  require verify = sender

  accept  domains = +local_domains
          endpass
          message = The recipient cannot be verified. Please check all recipients of this message to verify they are valid.
          verify = recipient

  accept  domains = +relay_domains

  warn    message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
          hosts = +relay_hosts

  accept  hosts = +relay_hosts

  warn    message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
          condition = ${perl{checkrelayhost}{$sender_host_address}}

  accept  condition = ${perl{checkrelayhost}{$sender_host_address}}

  accept  hosts = +auth_relay_hosts
          endpass
          message = $sender_fullhost is currently not permitted to \
                    relay through this server. Perhaps you \
                    have not logged into the pop/imap server in the \
                    last 30 minutes or do not have SMTP Authentication turned on in your email client.
          authenticated = *
          denymessage = $sender_fullhost is currently not permitted to \
                    relay through this server. Perhaps you \
                    have not logged into the pop/imap server in the \
                    last 30 minutes or do not have SMTP Authentication turned on in your email client.

I propose removing some of the earlier checks giving:

  accept  hosts = :

  require verify = sender

  accept  hosts = +relay_hosts

  warn    message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
          condition = ${perl{checkrelayhost}{$sender_host_address}}

  accept  condition = ${perl{checkrelayhost}{$sender_host_address}}

  accept  hosts = +auth_relay_hosts
          endpass
          message = $sender_fullhost is currently not permitted to \
                    relay through this server. Perhaps you \
                    have not logged into the pop/imap server in the \
                    last 30 minutes or do not have SMTP Authentication turned on in your email client.
          authenticated = *
          denymessage = $sender_fullhost is currently not permitted to \
                    relay through this server. Perhaps you \
                    have not logged into the pop/imap server in the \
                    last 30 minutes or do not have SMTP Authentication turned on in your email client.

This should allow the relay hosts before needing to do the POP-before-SMTP check.

Testing this however, is proving troublesome. I've saved exim.conf with the above and am testing with "exim -bh IP-address". Despite giving an IP address that is listed in /etc/relayhosts (and so in +relay_hosts), the output says "host in +relay_hosts? no (end of list)". Any ideas, especially with it failing under exim -bh?

> A more radical solution which may be overkill for your situation but is
> good in the general case is to use something like Tony Finch's fantastic
> personalities idea:
> http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/doc/talks/2005-02-eximconf/paper.html#3.%20Multiple%20personalities

This is indeed interesting but, I feel, over the top for my setup.

--
PS: Tim, thanks for producing http://www.webcamsinnorway.com/. I used the site extensively before my trip there in 2004!
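The three ACL variants in this thread (the cPanel default, the "deny hosts = !+relay_hosts" at the top that Edward first considered, and his trimmed proposal) differ only in statement order and which statements are present, so their behaviour can be compared by modelling Exim's ACL verb semantics. The following is an added illustration written for this page, not Exim, not the cPanel configuration and not code from any poster: it is a toy evaluator for accept/deny/require/warn with endpass, run over constructed RCPT scenarios. The host and domain lists are constructed (RFC 5737 documentation addresses), auth_relay_hosts is assumed to be "*" as the page does not show it, relay_domains is assumed empty, and the popbeforesmtp Perl check is reduced to a boolean flag.

```python
# Toy evaluator for Exim ACL verb semantics (accept / deny / require / warn
# with "endpass"), used to compare the check_recipient variants quoted in the
# thread. Added illustration: not Exim and not the cPanel exim.conf.
from dataclasses import dataclass

# Constructed lists (RFC 5737 documentation addresses, not real hosts).
LOCAL_DOMAINS = {"example.com"}
RELAY_DOMAINS = set()              # assumption: cPanel's relay_domains is empty here
RELAY_HOSTS = {"192.0.2.10"}       # stands in for /etc/relayhosts (the screening service)
AUTH_RELAY_HOSTS_IS_ANY = True     # assumption: cPanel's auth_relay_hosts is "*"


@dataclass
class Rcpt:
    """One RCPT TO: the facts the ACL conditions look at."""
    host: str                      # "" models a local (non-SMTP) submission, i.e. "hosts = :"
    recipient_domain: str
    authenticated: bool = False
    pop_before_smtp: bool = False  # what ${perl{checkrelayhost}} would return
    sender_verifies: bool = True
    recipient_exists: bool = True


# Conditions: each takes a Rcpt and returns True when the condition matches.
def local_origin(r):        return r.host == ""
def verify_sender(r):       return r.sender_verifies
def verify_recipient(r):    return r.recipient_exists
def in_local_domains(r):    return r.recipient_domain in LOCAL_DOMAINS
def in_relay_domains(r):    return r.recipient_domain in RELAY_DOMAINS
def in_relay_hosts(r):      return r.host in RELAY_HOSTS
def not_in_relay_hosts(r):  return not in_relay_hosts(r)
def checkrelayhost(r):      return r.pop_before_smtp
def in_auth_relay_hosts(r): return AUTH_RELAY_HOSTS_IS_ANY
def authenticated(r):       return r.authenticated


def evaluate(acl, rcpt):
    """Walk the ACL top to bottom. A statement is (verb, conditions, endpass_at),
    where endpass_at is the number of conditions before the "endpass" marker
    (None if there is none). Returns "accept" or "deny"; the implicit result at
    the end of a recipient ACL is deny."""
    for verb, conds, endpass_at in acl:
        failed_at = next((i for i, c in enumerate(conds) if not c(rcpt)), None)
        matched = failed_at is None
        if verb == "accept":
            if matched:
                return "accept"
            # A condition failing *after* endpass turns the accept into a deny.
            if endpass_at is not None and failed_at >= endpass_at:
                return "deny"
        elif verb == "deny" and matched:
            return "deny"
        elif verb == "require" and not matched:
            return "deny"
        # "warn" (and a non-matching accept/deny) never changes the outcome.
    return "deny"


# The cPanel-default check_recipient ACL as quoted in the thread.
ORIGINAL = [
    ("accept",  [local_origin], None),
    ("require", [verify_sender], None),
    ("accept",  [in_local_domains, verify_recipient], 1),   # endpass after domains
    ("accept",  [in_relay_domains], None),
    ("accept",  [in_relay_hosts], None),
    ("accept",  [checkrelayhost], None),
    ("accept",  [in_auth_relay_hosts, authenticated], 1),   # endpass after hosts
]

# Edward's first idea: "deny hosts = !+relay_hosts" right after the sender check.
DENY_AT_TOP = ORIGINAL[:2] + [("deny", [not_in_relay_hosts], None)] + ORIGINAL[2:]

# Edward's proposal: drop the local_domains / relay_domains accepts.
PROPOSED = [
    ("accept",  [local_origin], None),
    ("require", [verify_sender], None),
    ("accept",  [in_relay_hosts], None),
    ("accept",  [checkrelayhost], None),
    ("accept",  [in_auth_relay_hosts, authenticated], 1),
]

# Constructed scenarios.
SPAMMER   = Rcpt(host="198.51.100.7", recipient_domain="example.com")  # direct, unauthenticated
AUTH_USER = Rcpt(host="203.0.113.5", recipient_domain="example.com", authenticated=True)
SCREENER  = Rcpt(host="192.0.2.10", recipient_domain="example.com")
BAD_RCPT  = Rcpt(host="192.0.2.10", recipient_domain="example.com", recipient_exists=False)


def compare(rcpt):
    """Outcome of the same RCPT under each ACL variant."""
    variants = (("original", ORIGINAL), ("deny_at_top", DENY_AT_TOP), ("proposed", PROPOSED))
    return {name: evaluate(acl, rcpt) for name, acl in variants}


if __name__ == "__main__":
    for label, r in (("spammer", SPAMMER), ("auth_user", AUTH_USER),
                     ("screener", SCREENER), ("bad_rcpt", BAD_RCPT)):
        print(f"{label:10} {compare(r)}")
```

Run as written, the model reproduces both observations made in the thread: the original ACL accepts the direct unauthenticated spammer at "accept domains = +local_domains", the deny-at-top variant stops the spammer but also rejects the authenticated user on an unknown host, and the trimmed proposal accepts the screening host and the authenticated user while denying the spammer. It also makes one side effect of the proposal visible: because "verify = recipient" only lived in the removed local_domains statement, the proposed ACL accepts a non-existent local recipient from the screening host at RCPT time (BAD_RCPT), where the original rejected it, so anyone adopting the trimmed ACL should consider putting a recipient verification back. The model says nothing about the "exim -bh" output, which concerns how the hostlist file is read rather than the ACL order.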