On 20.02.2007 14:22, Matthias Waffenschmidt wrote:
> On Mon, Feb 19, 2007 at 06:10:33PM +0100, Peter Velan wrote:
>> On 19.02.2007 16:45, David Woodhouse wrote:
>> > On Mon, 2007-02-19 at 15:06 +0100, Peter Velan wrote:
>> >> all users which are allowed to send via our MTA must authenticate first.
>> >> 
>> >> Could I block any non-authenticated senders (forging envelope from like
>> >> "[EMAIL PROTECTED]") with the following construction?
>> >> 
>> >> ...
>> >> acl_smtp_rcpt = acl_check_rcpt
>> >> ...
>> >> begin acl
>> >> acl_check_rcpt:
>> >> ...
>> >> accept  authenticated = *
>> >> 
>> >> deny    !authenticated = *
>> >>         senders = [EMAIL PROTECTED]:[EMAIL PROTECTED]
>> >> ...
>> >> 
>> >> Should I be aware of any side effects?
>> > 
>> > You'll be rejecting any mail which is forwarded to one of your users,
>> > but which also originated from one of your users.
>> 
>> How so? If one of my users is forwarding with his mail client, then he
>> must authenticate first.
> 
> If the forwarding server is not your server, the sender will receive a
> bounce mail.
> 
> In more detail:
> 
> - your user sends a mail using SMTP AUTH via your mail server to an
>   external address
> - the mail server responsible for this domain forwards the mail to
>   some recipients including the original sender

Ok, you are right: I have to accept messages from localhost and from my
other servers (all with fixed IPs, all specified in relay_from_hosts)!

A more complete ACL:

acl_check_rcpt:
  accept hosts = :
  accept local_parts = abuse:postmaster
  accept hosts = +relay_from_hosts
  accept authenticated = *
  deny   !authenticated = *
         senders = [EMAIL PROTECTED]:[EMAIL PROTECTED]

(please bear with me if I'm too shortsighted)

I don't see a situation where a foreign server sends me a legit email
with envelope-from = "[EMAIL PROTECTED]"?

> - your mail server in turn rejects the forwarded mail because it was
>   not sent via SMTP AUTH
> - your user will receive an error mail from the forwarding mail server
> 
> I would strongly recommend not to implement this kind of blocking.

If the scenario you described above is real, then for sure, it would be
a stupid thing to implement this!

Peter
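Added illustration, not part of the thread: a minimal model of how Exim walks the posted acl_check_rcpt statements in order, run against the forwarding case Matthias describes. The addresses and host IPs are constructed placeholders, since the list archive redacts the real ones.

```python
# Model of the acl_check_rcpt statements from the thread (constructed example;
# not Exim code). Statements are evaluated top to bottom; the first whose
# conditions all hold decides, and Exim's implicit default is deny.
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class Msg:
    host: str            # connecting host IP; "" models a local (non-SMTP) submission
    sender: str          # envelope-from (MAIL FROM)
    recipient: str       # envelope-to (RCPT TO)
    authenticated: bool  # SMTP AUTH succeeded on this connection

# Constructed stand-ins for relay_from_hosts and the redacted senders list.
RELAY_FROM_HOSTS = {"192.0.2.10", "192.0.2.11"}
PROTECTED_SENDERS = {"alice@example.org", "bob@example.org"}

def local_part(addr: str) -> str:
    return addr.split("@", 1)[0]

# (verb, condition, label) per statement, same order as the posted ACL.
ACL: List[Tuple[str, Callable[[Msg], bool], str]] = [
    ("accept", lambda m: m.host == "", "hosts = :"),
    ("accept", lambda m: local_part(m.recipient) in ("abuse", "postmaster"),
     "local_parts = abuse:postmaster"),
    ("accept", lambda m: m.host in RELAY_FROM_HOSTS, "hosts = +relay_from_hosts"),
    ("accept", lambda m: m.authenticated, "authenticated = *"),
    ("deny", lambda m: not m.authenticated and m.sender in PROTECTED_SENDERS,
     "!authenticated = * / senders = ..."),
]

def check_rcpt(m: Msg) -> Tuple[str, str]:
    """Return (verdict, matching statement) for one RCPT."""
    for verb, cond, label in ACL:
        if cond(m):
            return verb, label
    return "deny", "implicit default"

def scenarios() -> dict:
    # 1. alice submits to an external list with SMTP AUTH: accepted.
    # 2. The external list server (not in relay_from_hosts) forwards alice's own
    #    post back to her with envelope-from still alice@example.org and no AUTH:
    #    denied, so the list server bounces it to alice. This is the side effect
    #    David and Matthias warn about.
    # 3. The postmaster exemption fires before the deny.
    return {
        "authenticated_submission":
            check_rcpt(Msg("198.51.100.5", "alice@example.org", "list@example.net", True)),
        "forwarded_back":
            check_rcpt(Msg("203.0.113.7", "alice@example.org", "alice@example.org", False)),
        "postmaster_exempt":
            check_rcpt(Msg("203.0.113.7", "alice@example.org", "postmaster@example.org", False)),
    }
```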

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/