Hi, I received the following shellshock attempt on exim 4.72 (RedHat 6):
----------
Delivered-To: [email protected]
...
Return-Path: <[email protected]>
Received: from ourserver.ourdomain.com (ourserver.ourdomain.com. [111.222.333.444])
        by mx.google.com with ESMTPS id bn6si5779657wjc.154.2014.10.24.09.36.45
        for <[email protected]>
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 24 Oct 2014 09:36:46 -0700 (PDT)
Received-SPF: none (google.com: [email protected] does not designate permitted sender hosts) client-ip=111.222.333.444;
Authentication-Results: mx.google.com;
        spf=neutral (google.com: [email protected] does not designate permitted sender hosts) [email protected];
        dkim=fail [email protected]
Message-ID: <[email protected]>
X-Google-Original-Message-ID: SHELLSHOCKCOMMANDS
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ourdomain.com; s=default;
        h=Resent-From:Resent-Date:Message-ID:Date:Subject:From:Cc:References:To;
        bh=...;
        b=...;
Received: from [74.208.184.251] (helo=USER)
        by ourserver.ourdomain.com with smtp (Exim 4.72)
        (envelope-from <[email protected]>)
        id 1Xhhr3-0002Z3-Fh
        for root@localhost; Fri, 24 Oct 2014 18:36:45 +0200
To:SHELLSHOCKCOMMANDS
References:SHELLSHOCKCOMMANDS
Cc:SHELLSHOCKCOMMANDS
Bcc:SHELLSHOCKCOMMANDS
From:SHELLSHOCKCOMMANDS
Subject:SHELLSHOCKCOMMANDS
Date:SHELLSHOCKCOMMANDS
Comments:SHELLSHOCKCOMMANDS
Keywords:SHELLSHOCKCOMMANDS
Resent-Date:SHELLSHOCKCOMMANDS
Resent-From:SHELLSHOCKCOMMANDS
----------

The recipient was 'root@localhost', which is aliased to '[email protected]' (gmail), so the mail was "forwarded" as is to gmail, which apparently thought we pretended to be mata.com. Is it because of the envelope-from?

1. What would I need to change/add to/remove from the following config so as not to be seen as pretending to be the original sender?

While we are at it:

2. How do I prevent a non-local/LAN IP from posting to root@localhost?
----------
domainlist local_domains = @ : localhost : localhost.localdomain : doc.ourdomain.com : blog.ourdomain.com
domainlist relay_to_domains =
hostlist relay_from_hosts = 127.0.0.1 : 192.168.0.0/16

hide mysql_servers = ...
CHECK_ACCESS = ${lookup mysql ...}

acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
acl_smtp_mime = acl_check_mime

av_scanner = clamd:/var/run/clamd.exim/clamd.sock

tls_advertise_hosts = *
tls_certificate = /etc/pki/tls/certs/exim.pem
tls_privatekey = /etc/pki/tls/private/exim.pem
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465

never_users = root
trusted_users = bob
rfc1413_hosts = *
rfc1413_query_timeout = 5s
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d
auth_advertise_hosts =
smtp_accept_max = 40
smtp_accept_reserve = 30
smtp_reserve_hosts = 111.222.333.0/24

begin acl

acl_check_rcpt:
  accept hosts = :

  deny message = Restricted characters in address
       domains = +local_domains
       local_parts = ^[.] : ^.*[@%!/|]

  deny message = Restricted characters in address
       domains = !+local_domains
       local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

  accept local_parts = postmaster
         domains = +local_domains

  accept hosts = +relay_from_hosts
         control = submission

  accept authenticated = *
         control = submission

  require message = relay not permitted
          domains = +local_domains : +relay_to_domains

  require verify = recipient

  accept

acl_check_data:
  accept

acl_check_mime:
  deny message = Blacklisted file extension detected
       condition = ${if match \
                     {${lc:$mime_filename}} \
                     {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \
                     {1}{0}}
  accept

begin routers

dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more

system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup{$local_part}lsearch{/etc/aliases}}
  file_transport = address_file
  pipe_transport = address_pipe

localuser_virtual:
  driver = accept
  condition = CHECK_ACCESS
  retry_use_local_part
  transport = local_delivery_virtual

begin transports

remote_smtp:
  driver = smtp
  dkim_domain = ourdomain.com
  dkim_selector = default
  dkim_private_key = /etc/exim/dkim.private.key
  dkim_canon = relaxed

local_delivery_virtual:
  driver = appendfile
  maildir_format
  create_directory
  directory = /DATA/Maildir
  delivery_date_add
  envelope_to_add
  return_path_add
  user = 888
  group = 888

address_pipe:
  driver = pipe
  return_output

address_file:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add

address_reply:
  driver = autoreply

begin retry
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h

begin rewrite
^.*\.ourdomain\.com [email protected] Frs
^.*\.ourlocaldomain [email protected] SFfrs

begin authenticators
----------

Thx,
JD

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
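Added example for the two questions above (not part of JD's post and not Exim's own default configuration): an ACL statement that only lets hosts in the poster's existing +relay_from_hosts list, or authenticated clients, address root in a local domain, and a dkim_domain expansion that only signs mail whose envelope sender is in ourdomain.com, so merely forwarded mail does not carry the domain's DKIM signature. It assumes Exim's documented behaviour that an empty dkim_domain after expansion disables signing; the log tag ROOT_FROM_LAN_ONLY is an arbitrary label.

```exim
# Question 2: insert into acl_check_rcpt after the two "Restricted characters"
# denies and before "accept hosts = +relay_from_hosts", so it runs for every
# client that is neither on the LAN list nor authenticated.
  deny message = root@$domain is only accepted from the local network
       log_message = ROOT_FROM_LAN_ONLY rejected $sender_host_address
       local_parts = root
       domains = +local_domains
       !hosts = +relay_from_hosts
       !authenticated = *

# Question 1: replace the fixed dkim_domain in the remote_smtp transport.
# match_domain tests the envelope sender's domain against a domain list;
# when the sender is foreign the option expands to "" and (assumption,
# per the Exim spec for dkim_domain) no signature is added, so forwarded
# mail is not signed as if ourdomain.com had originated it.
remote_smtp:
  driver = smtp
  dkim_domain = ${if match_domain{$sender_address_domain}\
                    {ourdomain.com : *.ourdomain.com}\
                    {ourdomain.com}{}}
  dkim_selector = default
  dkim_private_key = /etc/exim/dkim.private.key
  dkim_canon = relaxed
```

The deny can be checked without sending mail with `exim -bh 74.208.184.251` (the address from the Received: header) followed by a RCPT TO:<root@localhost>, which should now be rejected with the message above.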
