Re: [exim] Restricting SMTP access

2006-02-17 Thread Phil Pennock
On 2006-02-15 at 11:49 -, Edward Kay wrote:
> I want to stop any hosts that I don't explicitly allow from accessing my
> SMTP server.

Move the problem out of the Exim configuration logic to keep things
simple.  If there is no legitimate reason for any server to directly
contact your host (and you've put in MX records for your _host_ which
point to the real servers, too, to ensure this) then simply don't accept
a connection from unauthorised hosts.

Either

(1) Rebuild Exim against libwrap from the TCP Wrappers project.  Search
for USE_TCP_WRAPPERS in the default src/EDITME / Local/Makefile
config.

Or

(2) Use packet-filtering rules, which you're likely to have a config
panel for already (I don't know CPanel, sorry).

Or use both.

I recommend using the packet filter to make the port appear closed.
That way potentially malicious packets won't even reach the server code.
-- 
I am keeping international relations on a peaceable footing.
You are biding your time before acting.
He is coddling tyrants.
 -- Roger BW on topic of verb conjugation

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/


[exim] Restricting SMTP access

2006-02-15 Thread Edward Kay
AIM:

I want to stop any hosts that I don't explicitly allow from accessing my
SMTP server.

BACKGROUND:
---
The MX records for my domains point to an external screening/filtering
service. This then relays the mail to my Exim server that contains the
mailboxes. I also receive local mail on the server from cron jobs and web
applications.

The server also acts as our SMTP server, allowing connection from any host
but only for authenticated users.

At the moment, spammers are connecting directly to the Exim server, setting
both the sender and recipient addresses to be on local domains and these
mails are then delivered to the local mailboxes.

As all external mail received should be routed through the servers specified
in the MX records, I want to prevent anyone except our authenticated users
and the external screening server from being able to send mail using our
SMTP server.

CURRENT SETUP:
--
The server uses CPanel/WHM and has the default CPanel exim.conf
(http://www.cpanelplanet.com/showthread.php?p=59). The only change I have
made to this default config is to add an extra lsearch;/path/to/file to the
relay_hosts hostlist - this file contains the IP addresses used by our
external screening service so as to allow them to relay mail to us.

MY ATTEMPTS TO ACHIEVE THIS SETUP:
--
1. I considered adding deny hosts = !+relay_hosts at the top of the
check_recipient ACL (after accept  hosts = : and require verify = sender).
From what I can see however, this would prevent our authenticated users on
unknown hosts from using the SMTP server because it would come before:

  warn    message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
          hosts = +relay_hosts
  accept  hosts = +relay_hosts

  warn    message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
          condition = ${perl{checkrelayhost}{$sender_host_address}}
  accept  condition = ${perl{checkrelayhost}{$sender_host_address}}


2. I also considered creating an acl_smtp_connect ACL. I expect this would
have the same problem as the above in that authenticated users on unknown
hosts would be rejected before their access credentials were checked.
I also found a mail in the archives
(http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20040913/msg00088.html)
suggesting this may be a bad idea as connection refusal could anger
spammers, triggering attacks.

CAN YOU HELP?:
--
I'd be very grateful for any advice on how to best achieve this.

Thanks for your time in reading this (lengthy) mail.

Regards,
Edward




Re: [exim] Restricting SMTP access

2006-02-15 Thread Tim Jackson

Edward Kay wrote:

> I want to stop any hosts that I don't explicitly allow from accessing my
> SMTP server.

[...]
> 1. I considered adding deny hosts = !+relay_hosts

This is good.

> at the top of the
> check_recipient ACL (after accept  hosts = : and require verify = sender).
> From what I can see however, this would prevent our authenticated users on
> unknown hosts from using the SMTP server because it would come before:

[pop-before-SMTP ACL rules]

Fair enough. Can't you put the deny hosts = !+relay_hosts after these 
checks?


A more radical solution which may be overkill for your situation but is 
good in the general case is to use something like Tony Finch's fantastic 
 personalities idea:


http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/doc/talks/2005-02-eximconf/paper.html#3.%20Multiple%20personalities

Here, you have different ACLs for different mailserver personalities. 
Personalities can be things like:


- inbound SMTP mailhub (MX)
- submission from end users (MUAs)
- smarthost services for other servers
- delivery personality (for actually delivering to end mailboxes)

In your case you would probably want the first two, the first for 
deliveries from your scanning servers and the second for end users. You 
differentiate between the personalities by running Exim on multiple IP 
addresses, ports or both.


The extra bonus here is that it makes it easier and less messy to do 
specific things (like turn on submission mode) for specific 
personalities only. I've used an adapted version to great effect. 
However it will mean pretty much rewriting your config from scratch. 
Tony's examples are a great start.


Tim



RE: [exim] Restricting SMTP access

2006-02-15 Thread Edward Kay
> Fair enough. Can't you put the deny hosts = !+relay_hosts after these
> checks?

I'm afraid this wouldn't help as the message would have already been
accepted by accept domains = +local_domains. (The problem is spammers
connect and set both the sender and recipient addresses to be in a local
domain).

I think the solution may be to remove rules rather than add them. Currently
the ACL is:

  accept  hosts = :

  require verify = sender
  accept  domains = +local_domains
          endpass
          message = The recipient cannot be verified.  Please check all recipients \
                    of this message to verify they are valid.
          verify = recipient

  accept  domains = +relay_domains

  warn    message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
          hosts = +relay_hosts
  accept  hosts = +relay_hosts

  warn    message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
          condition = ${perl{checkrelayhost}{$sender_host_address}}
  accept  condition = ${perl{checkrelayhost}{$sender_host_address}}

  accept  hosts = +auth_relay_hosts
          endpass
          message = $sender_fullhost is currently not permitted to \
                    relay through this server. Perhaps you \
                    have not logged into the pop/imap server in the \
                    last 30 minutes or do not have SMTP Authentication \
                    turned on in your email client.
          authenticated = *

  deny    message = $sender_fullhost is currently not permitted to \
                    relay through this server. Perhaps you \
                    have not logged into the pop/imap server in the \
                    last 30 minutes or do not have SMTP Authentication \
                    turned on in your email client.


I propose removing some of the earlier checks giving:

  accept  hosts = :

  require verify = sender

  accept  hosts = +relay_hosts

  warn    message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
          condition = ${perl{checkrelayhost}{$sender_host_address}}
  accept  condition = ${perl{checkrelayhost}{$sender_host_address}}

  accept  hosts = +auth_relay_hosts
          endpass
          message = $sender_fullhost is currently not permitted to \
                    relay through this server. Perhaps you \
                    have not logged into the pop/imap server in the \
                    last 30 minutes or do not have SMTP Authentication \
                    turned on in your email client.
          authenticated = *

  deny    message = $sender_fullhost is currently not permitted to \
                    relay through this server. Perhaps you \
                    have not logged into the pop/imap server in the \
                    last 30 minutes or do not have SMTP Authentication \
                    turned on in your email client.


This should allow the relay hosts before needing to do the POP-before-SMTP
check.

Testing this however, is proving troublesome. I've saved exim.conf with the
above and am testing with exim -bh IP-address. Despite giving an IP
address that is listed in /etc/relayhosts (and so in +relay_hosts), the
output says host in +relay_hosts? no (end of list).

Any ideas, especially with it failing under exim -bh?

> A more radical solution which may be overkill for your situation but is
> good in the general case is to use something like Tony Finch's fantastic
> personalities idea:
>
> http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/doc/talks/2005-02-eximconf/paper.html#3.%20Multiple%20personalities

This is indeed interesting but, I feel, over the top for my setup.


--

PS: Tim, thanks for producing http://www.webcamsinnorway.com/. I used the
site extensively before my trip there in 2004!
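
The ACL ordering argument in the message above, modelled as an added example (not part of the original thread, and a Python model rather than Exim code): a small evaluator for accept/require/deny with endpass, run over three constructed clients against the current and the proposed rule order. It assumes +auth_relay_hosts matches every host and that the spammer's forged local sender passes verify = sender; the warn lines are left out because they never change the verdict.

```python
from dataclasses import dataclass

@dataclass
class Client:  # constructed model of one RCPT command as the ACL sees it
    non_smtp: bool = False         # hosts = :   (local, non-TCP submission)
    in_relay_hosts: bool = False   # hosts = +relay_hosts
    pop_before_smtp: bool = False  # ${perl{checkrelayhost}{...}}
    authenticated: bool = False    # authenticated = *
    sender_ok: bool = True         # verify = sender
    rcpt_local: bool = True        # domains = +local_domains
    rcpt_relay: bool = False       # domains = +relay_domains
    rcpt_ok: bool = True           # verify = recipient

def cond(name):
    return lambda c: getattr(c, name)

# Each statement: (verb, conditions before endpass, conditions after endpass)
HEAD = [("accept", [cond("non_smtp")], []), ("require", [cond("sender_ok")], [])]
TAIL = [("accept", [cond("pop_before_smtp")], []),
        ("accept", [lambda c: True], [cond("authenticated")]),  # assumed: any host
        ("deny", [], [])]
CURRENT = HEAD + [("accept", [cond("rcpt_local")], [cond("rcpt_ok")]),
                  ("accept", [cond("rcpt_relay")], []),
                  ("accept", [cond("in_relay_hosts")], [])] + TAIL
PROPOSED = HEAD + [("accept", [cond("in_relay_hosts")], [])] + TAIL

def run_acl(acl, c):
    for verb, before, after in acl:
        matched = all(f(c) for f in before)
        if (verb == "require" and not matched) or (verb == "deny" and matched):
            return "deny"
        if verb == "accept" and matched:
            # after endpass, a failing condition denies instead of falling through
            return "accept" if all(f(c) for f in after) else "deny"
    return "deny"  # implicit deny at the end of an ACL

CLIENTS = {
    "screening_host": Client(in_relay_hosts=True),
    "roaming_auth_user": Client(authenticated=True, rcpt_local=False),
    "direct_spammer": Client(),  # forged local sender, valid local recipient
}

def verdicts(acl):
    return {name: run_acl(acl, c) for name, c in CLIENTS.items()}

if __name__ == "__main__":
    print("current: ", verdicts(CURRENT))
    print("proposed:", verdicts(PROPOSED))
```

The model also shows a side effect of the reordering: `run_acl(PROPOSED, Client(in_relay_hosts=True, rcpt_ok=False))` returns accept, because the verify = recipient line went away together with the +local_domains rule.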

