Re: [exim] greylisting and spf

2022-03-14 Thread Niels Dettenbach via Exim-users
On Friday, 11 March 2022, 13:31:22 CET, Zakaria via Exim-users wrote:
> Yet, this is my experience so far with spam. I started my mail server setup
> with Greylisting in mind, and once I came to it, I decided to drop
> it. I just found it unnecessary with SpamAssassin and Pyzor scanning
> along with Exim DNS blacklist tests, DANE, DKIM, SPF, DMARC and ARC
> validation. Whenever any of these validation measures fails, I add a unique
> relevant "could be spam" header, and use Pigeonhole to rewrite the subject
> and forward it to the spam folder. I very rarely get spam emails, and if I do,
> I know what kind of failure landed it in spam, mostly marked spam
> content from SA or DKIM, SPF and recently ARC verification failures.

...for us, greylisting (with SA at SMTP time) - besides all of these mechanisms
incl. further weighted DNSBL results - is still an important part of the
chain, even if mainly higher-volume and/or more widely known / "older" mail
addresses / mailboxes profit from it (those which get a high amount of spam).

Most of these mechs only validate the "technical source", but not whether it's
spam. There is still a lot of spam (at least spam for our users) outgoing from
mass hosters like hotmail, gmail and Co. which provide "valid" email senders
/ connections.

As is typical, we lead "grey" stuff only to greylisting - with "self learning" to
avoid further greylist delays for known white "connections" (sender/
recipient). This typically leads to a few more delayed emails at the beginning
for new email users - but over time only a very small percentage of emails
is delayed to the user through the greylisting mech.


just my .02$,


niels.


-- 
 ---
 Niels Dettenbach
 Syndicat IT & Internet
 https://www.syndicat.com
 PGP: https://syndicat.com/pub_key.asc
 ---
 





-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
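The "self learning" greylist described in the message above, as an added example in Python that is not part of the original post and not code from Exim or any greylisting daemon. It keys on the usual (client IP, sender, recipient) triplet, temporarily rejects the first contact, accepts a retry after a minimum delay, and promotes a (sender, recipient) pair to a whitelist after a few accepted deliveries so later mail between the two is never delayed again. The delay, triplet lifetime and promotion count are assumptions for the demo, as are the example addresses and IPs.

```python
"""Greylisting with a self-learning whitelist (added example, not code from
the post or from Exim).

A triplet is (client IP, envelope sender, recipient).  First contact gets a
temporary rejection (SMTP 451); a retry after MIN_DELAY is accepted; once a
(sender, recipient) pair has been accepted AUTO_WHITELIST_HITS times it is
"known white" and never greylisted again, whatever IP it arrives from.
All thresholds are assumptions for the demo, not Exim or any greylister's
defaults.
"""
from dataclasses import dataclass, field

MIN_DELAY = 300            # seconds a client must wait before the retry counts
TRIPLET_TTL = 36 * 3600    # forget triplets that never came back
AUTO_WHITELIST_HITS = 3    # accepted deliveries before a pair skips greylisting


@dataclass
class Greylist:
    triplets: dict = field(default_factory=dict)   # triplet -> first_seen (epoch s)
    pair_hits: dict = field(default_factory=dict)  # (sender, rcpt) -> accepted count
    whitelist: set = field(default_factory=set)    # learned (sender, rcpt) pairs

    def decide(self, ip: str, sender: str, rcpt: str, now: int) -> tuple:
        """Return (smtp_code, reason): 250 accept, 451 temporary reject."""
        pair = (sender.lower(), rcpt.lower())
        if pair in self.whitelist:
            return 250, "whitelisted pair"
        key = (ip, *pair)
        first_seen = self.triplets.get(key)
        if first_seen is None or now - first_seen > TRIPLET_TTL:
            # unknown (or expired) triplet: ask the client to come back later
            self.triplets[key] = now
            return 451, "greylisted, try again later"
        if now - first_seen < MIN_DELAY:
            # bots that hammer immediately do not pass the delay
            return 451, "retry too early"
        # a real MTA honoured the 4xx and retried: accept and learn the pair
        hits = self.pair_hits.get(pair, 0) + 1
        self.pair_hits[pair] = hits
        if hits >= AUTO_WHITELIST_HITS:
            self.whitelist.add(pair)
        return 250, "accepted after greylist delay"


def demo() -> list:
    """Constructed traffic: a bot that never retries and a real MTA that does.
    Returns the SMTP codes in order: [451, 451, 451, 250]."""
    gl = Greylist()
    codes = [gl.decide("203.0.113.9", "bot@example.net", "user@example.org", 0)[0]]
    for t in (0, 60, 400):   # first try, too-early retry, proper retry
        codes.append(gl.decide("198.51.100.7", "alice@example.com", "user@example.org", t)[0])
    return codes


if __name__ == "__main__":
    print(demo())
```

The whitelist is keyed on the (sender, recipient) pair rather than the full triplet on purpose: large senders retry from a different outbound IP than the one that made the first attempt, and a triplet-only whitelist would greylist them again every time. The cost is that a spoofed sender address of a whitelisted pair also bypasses the delay, which is why the message above still runs SpamAssassin at SMTP time behind it.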


Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Niels Dettenbach via Exim-users
On Monday, 5 July 2021, 13:19:45 CEST, Niels Kobschätzki wrote:
> The moment I identify them I lock them out of the system, remove all their
> mails in the queues and they have to reset their password before they can
> do anything again. The problem is the identification because you usually
> only get to know it when the accounts are actively misused. If I get to
> know that users were specifically targeted I inform them. And at 2am in
> the night it might already be too late (you landed yourself on blacklists)
> - even though you still kick them from the system.

...besides Exim's "ratelimiting" (which just lowers the impact, at the cost
of all users) - is there any way to monitor the webserver or
application logs of your webmail system (most known webmail solutions do /
allow some way to log with "username")? If someone sends out hundreds of
mails per hour via webmail, this is probably bot behaviour (fail2ban or
similar tools may help then, reacting with "some command")...

just as an idea...


niels.


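The log-based detection suggested above, as an added example in Python that is not from the original message, from fail2ban or from any webmail product. It runs a per-user sliding-window recipient count over webmail log lines and reports the moment an account crosses a threshold, which is the point where a fail2ban action (lock the account, kill its sessions, purge its queue) would fire. The log line format, the threshold and the sample traffic are assumptions made for the demo; the regex is what you adapt to your own webmail's log.

```python
"""Flag webmail accounts that submit mail at bot-like rates (added example,
not from the post, fail2ban or any webmail product).

The log line format below is an assumption: adapt LINE_RE to what your
webmail actually logs (most can log the authenticated username per send).
Recipients are counted rather than messages so a run of BCC-heavy spam
trips the threshold just as fast as many small messages.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?user=(?P<user>\S+)"
    r" .*?action=send(?: rcpt=(?P<rcpt>\d+))?"
)
WINDOW = timedelta(hours=1)
MAX_RCPTS_PER_WINDOW = 50   # assumed threshold; tune to your user base


def parse(line: str):
    """Return (timestamp, user, recipient_count) for a send event, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["user"], int(m["rcpt"] or 1)


def find_abusers(lines, threshold=MAX_RCPTS_PER_WINDOW, window=WINDOW) -> dict:
    """Sliding-window recipient count per user over chronologically ordered
    log lines.  Returns {user: (time_of_first_breach, count_at_breach)}."""
    recent = defaultdict(deque)    # user -> deque of (ts, rcpts) inside the window
    totals = defaultdict(int)
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, user, n = rec
        q = recent[user]
        q.append((ts, n))
        totals[user] += n
        while q and ts - q[0][0] > window:   # drop events older than the window
            _, old = q.popleft()
            totals[user] -= old
        if totals[user] > threshold and user not in flagged:
            flagged[user] = (ts, totals[user])   # here fail2ban would run its action
    return flagged


def sample_log() -> list:
    """Constructed sample: a normal user plus a phished account driven by a bot at 2am."""
    base = datetime(2021, 7, 5)
    lines = [f"{base:%Y-%m-%d %H:%M:%S} webmail user=alice@example.org ip=198.51.100.7 action=login"]
    for i in range(5):     # alice: one mail every three hours
        t = base + timedelta(hours=3 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} webmail user=alice@example.org ip=198.51.100.7 action=send rcpt=1")
    for i in range(60):    # bob: 60 messages with 2 recipients each within ten minutes
        t = base + timedelta(hours=2, seconds=10 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} webmail user=bob@example.org ip=203.0.113.9 action=send rcpt=2")
    return sorted(lines)   # fixed-width timestamp prefix sorts chronologically


if __name__ == "__main__":
    for user, (when, count) in find_abusers(sample_log()).items():
        print(f"{when} {user}: {count} recipients within {WINDOW} -> lock account")
```

On the constructed sample the compromised account is flagged four minutes into its run, after 26 messages, while the normal user never comes close. Keying on the authenticated username is what makes this work where Exim's own connection-oriented `ratelimit` does not: the bot sits behind the webmail host's IP like every legitimate user, so only the submission logs tell the two apart.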


Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Niels Dettenbach via Exim-users
On Monday, 5 July 2021, 09:04:16 CEST, Niels Kobschätzki wrote:
> On 5 Jul 2021, at 7:54, Niels Dettenbach via Exim-users wrote:
> Phished users are users of my mail system who are proven regular users
> who have had their accounts for years and whose credentials got compromised
> and are now suddenly used for sending spam or phishing mails from my mail
> system to other systems (and in that special case they are using the
> webmail interface to send out mails and thus they really look like normal
> users from the point of view of the mailing system).
> 
> Thus I want to prevent sending out spam/scam mails from my system to others
> (yes I already have diverse counter-measures in place but for the kind
> mentioned above they all fail and I have to intervene manually)
ouch,

ok.

From my view, the primary way is to force the users to set new credentials
(if you really mean access credentials - like passwords). As a network /
email operator on the internet, by "netiquette" it is your responsibility to
minimize / block abusive traffic from your systems.

At least some countries have regulations by law forcing you to do this (at
least once you "become aware of" it).

Until then you may strongly ratelimit or block such users (if you can
identify them and if it is possible with your contracts / policies) to avoid
harm to others and (not least) your own email system (reputation etc.).


best regards,


niels.


Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Niels Dettenbach via Exim-users
On Monday, 5 July 2021, 05:40:04 CEST, Niels Kobschätzki via Exim-users wrote:
> I have again and again problems with phished users.
just my view on this:

what are "phished users"?

email addresses are (by design) not "secrets". "Secreting" mail addresses as an
"anti spam measure" is just weird and - as the current "hotmail" spam shows
- widely useless.

Minimizing spam could and should be the job of the respective email ISP /
admin / hostmasters, independent of how "old" and widely used an email
address is and how openly it is shown on the web etc.

This "current" hotmail CC spam in most cases is coming from outlook.com
servers (Microsoft) and it is their thing to solve that - if not, their
senders get a problem because of the horrible reputation of their email
provider.

For us, we solved it by giving hotmail.com senders a significantly "lower
reputation" until Microsoft solves this.


just my .02$


niels.




Re: [exim] Change PAM service name

2020-09-17 Thread Niels Dettenbach via Exim-users


On 16.09.2020 at 23:48, Yves Goergen via Exim-users wrote:
> 
> > The PAM module is initialized with the service name "exim"
> 
> Can I change this? Is there a config option or something or should I give up
> my search and change my PAM configuration? I'd like to share the service with
> Dovecot (IMAP, POP3) to simplify the backend and prefer not to use the name
> "exim" for Dovecot as it could be confusing, but rather a generic name like
> "email".

Just a potential alternative: use symbolic links in /etc/pam.d for the
different service names which should use the same PAM service config.

But without checking myself, I would expect you'll find some relevant
variables in
src/globals.c or
src/globals.h

if not in the Makefile template.

have fun,


niels.




Re: [exim] mysql config

2020-08-14 Thread Niels Dettenbach via Exim-users
On Wednesday, 12 August 2020, 18:33:52 CEST, Dan Egli via Exim-users wrote:
> I'm trying to set up exim to read a mysql database to identify users and
> their maildirs. I used an example from the internet but apparently it's for
> too old a version of exim or something because it says the router should
> use the aliasfile driver, but exim says it can't find an aliasfile driver.

I use such routers (with redirect - just a simple example):

mysql_aliases:
  driver         = redirect
  allow_fail
  allow_defer
  # MYSQL_LOCAL_DEST is a macro holding the SQL, defined in the global section below
  data           = ${lookup mysql {MYSQL_LOCAL_DEST}{$value}}
  user           = mail
  file_transport = address_file
  pipe_transport = address_pipe



somewhere at the top of the global config:

# MySQL connection
## MySQL defines
MYSQL_SERVER=localhost
MYSQL_USER=maildb
MYSQL_PASSWORD=**
MYSQL_DB=maildb
hide mysql_servers = "MYSQL_SERVER/MYSQL_DB/MYSQL_USER/MYSQL_PASSWORD"

# $domain and $local_part come from the remote SMTP client, so wrap them in
# ${quote_mysql:...}; otherwise a crafted address can alter the SQL
MYSQL_DOMAIN=SELECT DISTINCT domain_name FROM domaindb WHERE domain_name='${quote_mysql:$domain}'
MYSQL_LOCAL_DEST=SELECT dest FROM aliasesdb WHERE alias='${quote_mysql:$local_part}@${quote_mysql:$domain}' OR alias='${quote_mysql:$local_part}'

# you should adapt the SQL to your database structure / layout.

You may use

   exim -bt -d t...@domain.tld

to debug the address resolution / routing etc. from the console.

Not sure if this conforms to the new de-taint mech in exim 4.94, but it still
seems to work.


hth,


niels.

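Why the alias query above has to quote `$local_part` and `$domain`, as an added example in Python with sqlite3 that is not Exim code and not part of the original message. It models MYSQL_LOCAL_DEST twice: once with the client-supplied values pasted into the SQL verbatim, once with them passed as bound parameters, and runs both against a constructed alias table with a local part an attacker can legitimately send inside a quoted string in RCPT TO. Exim cannot bind parameters, so its remedy is `${quote_mysql:...}` as in the configuration above; the bound-parameter version is the equivalent for application code. Table layout, rows and addresses are assumptions for the demo.

```python
"""Why the SQL in a MySQL alias lookup must quote $local_part and $domain
(added example; models the query from the post in Python with sqlite3, it is
not Exim code).  Exim cannot bind parameters, so there the remedy is
${quote_mysql:$local_part}; the bound-parameter version below is the
equivalent for application code.  Table layout and rows are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE aliasesdb (alias TEXT, dest TEXT)")
    db.executemany("INSERT INTO aliasesdb VALUES (?, ?)", [
        ("postmaster@example.org", "admin@example.org"),
        ("sales@example.org", "bob@example.org"),
        ("board", "ceo@example.org, cfo@example.org"),   # internal-only alias
    ])
    return db


def lookup_unquoted(db, local_part: str, domain: str) -> list:
    """MYSQL_LOCAL_DEST with the Exim variables pasted in verbatim (unsafe)."""
    sql = (f"SELECT dest FROM aliasesdb WHERE alias='{local_part}@{domain}' "
           f"OR alias='{local_part}'")
    return [row[0] for row in db.execute(sql)]


def lookup_bound(db, local_part: str, domain: str) -> list:
    """Same query with the client-supplied values passed as parameters."""
    sql = "SELECT dest FROM aliasesdb WHERE alias=? OR alias=?"
    return [row[0] for row in db.execute(sql, (f"{local_part}@{domain}", local_part))]


def demo() -> dict:
    db = make_db()
    # a quoted-string local part the remote client can send as
    #   RCPT TO:<"x' OR '1'='1"@example.org>
    evil = "x' OR '1'='1"
    return {
        "normal_unquoted": lookup_unquoted(db, "sales", "example.org"),
        "normal_bound": lookup_bound(db, "sales", "example.org"),
        "evil_unquoted": lookup_unquoted(db, evil, "example.org"),  # every alias, incl. "board"
        "evil_bound": lookup_bound(db, evil, "example.org"),        # nothing
    }


if __name__ == "__main__":
    for name, dests in demo().items():
        print(f"{name:16} -> {dests}")
```

With the unquoted query the crafted recipient matches every row, so the redirect router would deliver one outside message to every alias destination in the table, including the internal-only one; with quoting or binding it matches nothing and the router declines as it should. Exim's default ACL rejects local parts containing `@ % ! / |` but not a single quote, so the quoting in the SQL is the only thing standing in the way.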


Re: [exim] av_scanner and Sophos 9

2020-06-26 Thread Niels Dettenbach via Exim-users


> On 26.06.2020 at 23:19, Heiko Schlittermann via Exim-users wrote:
> 
> Hi,
> 
> does anybody use Sophos 9
> 
>   SAV: 9.16.0, Engine: 3.77.1, Data: 5.76
> 
> as av_scanner with Exim? If yes, how? The sophie type of av_scanner
> seems to work half-way, Sophos detects the malware, but doesn't report
> it back to exim.


Hi Heiko,

I still use amavis-ng for AV integration (only - no SA) in Exim, because it
offers more dedicated functionality and runs on an external host with many
standard AV scanners (without their own email integration).

Reporting is done by amavis - so the report does not provide any details about
the AV products used.


greetz,


niels.



Re: [exim] Mail Content-Scanner

2020-04-16 Thread Niels Dettenbach via Exim-users


On 16.04.2020 at 16:38, basti via Exim-users wrote:
> 
> Any suggestions?
Expand clamav with commercial subscriptions from third parties.

niels.



Re: [exim] Are there any good tutorials on setting up Exim MTA/SMTP Server?

2020-03-31 Thread Niels Dettenbach via Exim-users
On Monday, 30 March 2020, 15:01:00 CEST, Turritopsis Dohrnii Teo En Ming via Exim-users wrote:
> I have deployed cPanel web hosting control panel before and Exim was
> installed and configured automatically by cPanel.
> 
> If I want to install Exim as a standalone MTA/SMTP server, are there any
> good tutorials which I can follow?
There are many - for many application scenarios - with more or less
focus on security / anti-spam and such, but even more importantly for different
combinations with third-party software to "form" "typical" "mail servers"
(i.e. with cyrus, dovecot, xSQL, user management, anti-spam / anti-virus
solutions etc. - and this is still excluding higher-scale setups...). So it
really depends on what your "target application" is and in which
"environment" you want to place it.
 



Re: [exim] html vacation message

2019-12-17 Thread Niels Dettenbach via Exim-users
On Tuesday, 17 December 2019, 13:12:31 CET, Andrew McGlashan via Exim-users wrote:
> I've had vacation messages set up for years, but they have always been
> plain text content.
> 
> How can I provide html content for the vacation message?


hmm,
at least RFC 5230 has something like this

--- snip ---
   require "vacation";
   vacation :mime text:
   Content-Type: multipart/alternative; boundary=foo

   --foo

   I'm at the beach relaxing.  Mmmm, surf...

   --foo
   Content-Type: text/html; charset=us-ascii

   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN"
    "http://www.w3.org/TR/REC-html40/strict.dtd">
   <HTML><HEAD><TITLE>How to relax</TITLE>
   <BASE href="http://home.example.com/pictures/"></HEAD>
   <BODY><P>I'm at the beach relaxing.
   Mmmm, surf...
   </P></BODY></HTML>

   --foo--
   .
--- snap ---

but I have not tested that on Exim's Sieve stack.

But if I remember correctly, this is not a good idea nor "recommended" to do
that for some compatibility reasons - but I'm not remembering why (DSN stuff
or disabled MIME extension on most platforms for sec reasons?).

Does someone have a clarification at hand?


niels.



Re: [exim] Major confusing with manual compile of Exim

2019-11-04 Thread Niels Dettenbach via Exim-users
On Monday, 4 November 2019, 11:43:51 CET, Odhiambo Washington via Exim-users wrote:
> root@gw:/usr/local/SRC/Exim/exim-4.93-RC1 # make
> /bin/sh scripts/source_checks
> `Makefile' is up to date.
> 
> gcc buildconfig.c
> make[1]: exec(gcc) failed (No such file or directory)
> *** Error code 1

...just a shot in the dark:

Did you create the Makefile in "Local" (Local/Makefile) as described in the
original Exim install docs?

The Makefile in the project root references it - see e.g. the "all:" section in
the top Makefile.


good luck,


niels.



Re: [exim] data timeout on connection

2019-10-28 Thread Niels Dettenbach via Exim-users
On Tuesday, 22 October 2019, 13:19:28 CET, Hardy via Exim-users wrote:
> I didn't change effectively anything, neither to cause nor to resolve
> the problems, and the sender sides were too many different ones that I
> would think it plausible they had a problem.
> 
> Some of you in this list suggested mis-aligned network. I suspect this
> happened on my hoster's part. They did not communicate any problem,
> though. I suspect they misconfigured and corrected silently, whatever it
> was. According to my logs this situation lasted for about 12+ hours.
I would add a +1 here for this because I have not found any further problem yet
for weeks now, but we are "hosting" everything ourselves - except the BGP gates
- with "plain internet access". I've contacted our NOC / upstream partner about
this, while they had no clue at all about this effect - so I put this
aside...

Possibly some (proprietary) routing / network firmware of a (Tier 1?) IP
"network device" got updated recently?

A bit crazy...

Thanks to you guys for sharing your details and the logging hints.


niels



Re: [exim] SMTP error from remote mail server after pipelined MAIL

2019-09-28 Thread Niels Dettenbach via Exim-users
On Saturday, 28 September 2019, 03:26:27 EDT, Graeme Fowler via Exim-users wrote:
> On 28 Sep 2019, at 07:48, necktwi via Exim-users wrote:
> > you made me compromise my identity? does strace.log and exim.log even
> > contain my private key?
> No, he's not "made" you do anything, he suggested some diagnostics be
> provided for the issue you've reported.

AFAIR it is "common practice" that the sender of logs or traces is
responsible for what he sends (and which parts to "anonymize", and how far) to
third parties - because he knows what data he does not want published to any
third parties - and does the work for it himself.



Re: [exim] for europeans only: EU GDPR and mitigation of CVE-2019-15846

2019-09-06 Thread Niels Dettenbach via Exim-users
On Friday, 6 September 2019, 14:37:23 CEST, Cyborg via Exim-users wrote:
> Article 32 p 1 EU GDPR states, that the transport of personal data has
> to be protected,

I know that cr**, but:

 - just "forcing" TLS is not "securing", because many servers until today use
certificates not signed by the x509 CA "mob" (BA - who
financed the "encrypt everything" campaign in the EU, W3org and others).

 - if a user decides to send his emails without encryption (senders as well as
recipients in email are responsible for their "own side", incl. MX as MTA on
their side) - if they (for whatever reason) decide not to use encryption (e.g. because
they are only allowed to send unencrypted because of their local law), this
should be "their thing".

This EU law is still producing a huge amount of new legal insecurity (because
of e.g. contradictory rules and policies with very wide room for
interpretation) and existential fines (for companies - not really for public
/ gov entities whose services you can't decide on...). By
this law, even a post card (service) could be "violating"...

The internet is a global network of non-geolocatable users and it is ugly how
that EU law is still affecting non-EU companies (see e.g. the destroyed WHOIS
of many non-EU registries) and limits our access to non-EU news sources and
other services, because they block "EU" users with a 451 to avoid any "trouble".

Don't get me wrong here - I'm a huge fan of personal data security in the
sense of informational self-determination, and encryption is (only) one
important tool for that - but this law works the other way round / abusively in reality.
There are many options for email users to "secure" their email against whatever
they want (we know there is no "100% secure against anything...") - e.g. by
deciding for some kind of security-granting provider, (foreign) VPN services
or by really end-to-end encrypting their stuff with PGP or S/MIME.

> Thats also the reason, why you have
> to use https with contact forms in websites since 2016 )
...so that users "know they are secure without checking themselves that the lock
is closed" - while that's not true (but the business principle of the BA CA
"mob" until today). Which user checks even one certificate path in
reality?


just my .02$,


niels.



Re: [exim] While expecting fix for CVE-2019-15846

2019-09-05 Thread Niels Dettenbach via Exim-users
On Thursday, 5 September 2019, 11:37:27 CEST, Konstantin Boyandin via Exim-users wrote:
> Just curious, whether Exim is regularly tested for vulnerabilities as
> it's developed?

This is a bit of a simplistic view of software security. There is no internet
software without any security issues, as it is impossible to "write secure
software".

At least one of the CVEs was initiated by an Exim developer who found problems
while working on "his" own (earlier) code - this is not a "standard case" in
many OS software projects (even less in proprietary ones).

And at least some of the CVEs only affected a subset of the users.

From my view it seems that Exim's code has been getting much more auditing attention
since 2019 than before (which - for me - is a good sign).


> The critical security updates are being announced way too often last
> year.
hmm, another option would be to choose software which does not get any
security updates, because no one checks / audits it so far or, if they do, does
not publish their knowledge to the users.

Regular / fast security updates / patches are necessary on any internet host
today (which is no "honeypot" or similar) - independent of Exim.


best regards,


niels.



Re: [exim] Exim and Postfix

2019-08-28 Thread Niels Dettenbach via Exim-users
On Wednesday, 28 August 2019, 10:12:36 CEST, Viktor Dukhovni via Exim-users wrote:
> So the key architectural difference is that Postfix is not
> a single monolithic program, but a collection of programs
> that handle various aspects of message processing.  Monolithic
> programs are more difficult to secure.
No.

The "regular" Exim setup includes building from sources after your
customized configuration of what to build into that monolith. While Exim
potentially offers a large amount of features and interfaces, in practice only
a few of them are required in a typical setup, and if you build "your" Exim
yourself, only that code/functionality is part of the monolith.

This allows minimizing the amount and surface of any security-related access
vectors. But even if you use pre-built binaries with "the most options
active" there is no real difference between monolithic and multilithic MTAs
regarding security, because most emails are processed by multiple / all
"similar" parts, just over multiple binaries/processes (which typically are
not really "more secured" against each other). Just parts of the "process
communication" are "just" external - i.e. over sockets.

And even with Exim you get multiple binaries for different administrative
tasks.

That most Linux distros today prefer (or are based on) binary distribution
(and most (end-)users use that way to install their Exim) is
another topic...

just my .02$



niels.



Re: [exim] Extra copies of list mail (was Re: CVE-2019-10149: already vulnerable ?)

2019-06-26 Thread Niels Dettenbach via Exim-users
On Tuesday, 25 June 2019, 16:08:08 CEST, Russell King via Exim-users wrote:
> > I entirely concur, but it is an understandable error given what the
> > mailing
> > list is now doing to sidestep DMARC risks:
> Yes, but there's more points on this subject too...
> 
> Given that different lists have different policies, and that it takes
> a mental decision by the replier to choose the correct reply method,
> it seems to me that mistakes will happen.

I did it consciously as I've found it is "usual" on several to "many" other
mailing lists I'm on. But maybe this is bad practice by some common or
list-specific netiquette or RFC I didn't read yet. Most of the lists are not
about email expertise...

Besides interference from DMARC and similar, many (at least large) lists
have significant "delays" of up to several hours until at least some
recipients get mailed, leading sometimes to "confusion" or "broken"
discussions, and some list members use filters on list traffic to forward it
into some IMAP folder or similar for a private "list archive" and read that only
sporadically.

And if I add the sender's address, (at least by my intention) I "show" him
"technically" that I will accept off-list answers from him too if he wants to
decide for that (i.e. if it doesn't fit the list audience).

At least for me it is no "burden" if someone adds me "twice" (on/off-list),
but in respect of others here I will not follow this practice further. Sorry
for the noise.

many thanks and
best regards,


niels.



Re: [exim] CVE-2019-10149: already vulnerable ?

2019-06-25 Thread Niels Dettenbach via Exim-users
On Tuesday, 25 June 2019, 15:03:02 CEST, Jeremy Harris via Exim-users wrote:
> Indeed; but only the banner was being asked about.
ok, sorry for the noise. For me, the Received header is a kind of "banner"
too. Seems a misunderstanding on my side.

> You're interested in received_header_text, I suspect.
possibly too - but it's easy to "break" some less known RFCs or "expected
practices" without a proven "default" and thus deeper experience with that -
and I was not sure if Exim publishes that string in any other possible
remote "access vector" too.
 



Re: [exim] CVE-2019-10149: already vulnerable ?

2019-06-25 Thread Niels Dettenbach via Exim-users
On Tuesday, 25 June 2019, 13:53:26 CEST, Jeremy Harris via Exim-users wrote:
> No recompile needed.  smtp_banner.
This only sets the banner, but not the SMTP headers ("by ...") which are
"public" too and used as an indicator by "security researchers" (in my
experience) - e.g. Germany's BSI.

hth,


niels.


Re: [exim] The most used Exim version is the vulnerable one

2019-06-11 Thread Niels Dettenbach via Exim-users
On Tuesday, 11 June 2019, 18:57:41 CEST, Konstantin Boyandin via Exim-users wrote:
> If I am not mistaken, CentOS 6.10 EPEL didn't apply any patches,
> original Exim 4.91 is still their last version.

The "initial official" date for patch releases was "officially set" by the Exim
project / security list to 11.06.2019 (today) - so possibly some "less
aware" (LTS) distributors will use that date ("in respect for the project")
for their release...

The distros I mainly work with (i.e. Gentoo, different BSDs etc.) have been
"on" 4.92 "since published". Debian seems to have announced/released patches too:
https://security-tracker.debian.org/tracker/CVE-2019-10149

RedHat (Enterprise) seems "not affected":
https://access.redhat.com/security/cve/cve-2019-10149
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10149

> So either build manually, or switch to another MTA, or hope that
> "allowed chars" trick will be good enough protection.
or switch to a "proper distro"... ;)




Re: [exim] Trouble compiling Exim 4.92

2019-06-06 Thread Niels Dettenbach via Exim-users
On Thursday, 6 June 2019, 10:09:20 CEST, Luca Bertoncello via Exim-users wrote:
> I have these lines in Local/Makefile:
> 
> SUPPORT_SPF=yes
> CFLAGS  += -I/usr/include
> LDFLAGS += -L/usr/lib -lspf2
> 
> and of course I have libspf2 (and dev...) installed.
> I'm using a Debian Jessie.

Do you have

   -lspf2

in
   LOOKUP_LIBS

too? It seems I need this.

You may even try to enable

   EXPERIMENTAL_SPF=yes
   SUPPORT_SPF=yes

and (just to be sure) don't forget to do a

   make clean

before trying another build with this.


hth
best regards,



niels.


Re: [exim] anti-spam pointers please

2019-04-02 Thread Niels Dettenbach via Exim-users
On Tuesday, 2 April 2019, 09:20:26 CEST, Rory Campbell-Lange via Exim-users wrote:
> required_score 3.0
this is very low from my experience (if you work with a "default" SA setup -
especially if you enabled most of the available extensions). This typically
leads to a lot of false positives if you have a typical SA setup. If you have
most extensions disabled, then 3.0 may be "fitting", but then SA cannot
recognize spam well, because it doesn't have many facts to decide / value an email.

SA default is 5.0 which is a good value for "typical" personal usage. 2.5-3.0
is more typical for greylisting or similar more "soft" limits.

Typical values in multi-user environments are around 5.0-7.0, while every 0.1
is important. If you go under 5.0 you (very) probably will lose some ham. On
a machine with around 200,000 SMTP sessions per day I tweaked the score over
months in a range of 0.4 to find working results.

With further own extensions (or score "additions" in Exim) the score could
rise further - so even somewhat higher values may be required.


hth a bit,
best regards,


niels.




Re: [exim] local_scan_path change ?

2019-03-29 Thread Niels Dettenbach via Exim-users
On Friday, 29 March 2019, 11:08:04 CET, you wrote:
> Right at the top of the Changelog:
many thanks,

rtfm still seems good advice sometimes... ;)

so I'll try to solve or "backport" it for the setup here by digging through the
sources or find an "alternative" to fully substitute sa-exim with the new
spamc/d interface or so.

many thanks for helping and pointing me there.


best regards,


niels.



Re: [exim] local_scan_path change ?

2019-03-29 Thread Niels Dettenbach via Exim-users
On Friday, 29 March 2019, 07:08:08 CET, Thomas Krichel via Exim-users wrote:
> Something seems very wrong here. I'm afraid it could be me.
I'm in a similar situation btw... ;)

It seems local_scan.c is no longer called / used in sa-exim setups since
exim >= 4.92 builds - tried that yesterday (own Exim build on NetBSD). Until
now I didn't find any time to investigate the changes in the exim sources yet - so
any tip / hint is welcome here too... ;)

many thanks for any hints.


best regards,


niels.


Re: [exim] Spam though my server

2019-02-19 Thread Niels Dettenbach via Exim-users
On Tuesday, 19 February 2019, 15:57:07 CET, Sebastian Nielsen via Exim-users wrote:
> Most better firewalls do have a built-in country/GeoIP database, if not,
> you can easily add one.
GeoIP is far from "reliable" for any SMTP/MTA, as there is no geolocation of 
an IP address. It offers only a "probably in this country" info in the context of an 
IP address (user). This means the amount of false positives in practice is 
significant, except if users come from "known" AS networks or RIR assignments 
/ route info. So this may (!) help/work in small and/or very defined network 
topologies.

I know the situation in Germany is a bit different, as the internet topology / 
"market" is very "centralized" here, but even in Germany many less known IP 
access products / services available get "geo-resolved" to other (usually 
western) countries / regions by GeoIP (even the commercial version). 

I know of many African and Asian mail providers who use "US", "European" or 
"Canadian" IPs for their service to get around "problems" with such geo-
blocking solutions.

Proper geolocation of IPs is a "science by itself", but still far from 
reliable. Many brute force attack attempts against our exim systems 
(Germany+Luxembourg) are currently coming from France and Germany today.

For smaller systems, solutions like fail2ban could help "far":
https://www.fail2ban.org/wiki/index.php/Exim

But even here: be aware of possible "bad cases" where e.g. larger NAT 
networks "use" the service and "sloppy" user clients generate false 
positives.

Besides Exim functionality (see Exim DoS prevention - incl. the resource "reserve" 
subsystem), firewall rules to slow down "too many" newly initiated sessions 
within a time window could help. But brute force attacks are normal / usual 
on larger SMTP services today - what is important is to make it difficult, to prevent 
any success of such attacks (even distributed ones) and "DoS effects" of them 
and similar attacks.


good luck,


niels.



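Counting failed SMTP AUTH attempts per source address, which is what the fail2ban approach above boils down to, as an added example in Python. This is not fail2ban's code nor anything from the post. The log lines are constructed in the shape of Exim's mainlog "authenticator failed" entries with documentation addresses, the threshold and window are assumptions, and the `ignore` set is where the NAT gateways the post warns about would go so that they are reported, not blocked.

```python
"""Flag SMTP AUTH brute forcing in Exim mainlog lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on the shape of Exim's mainlog
# "authenticator failed" line; hosts and IPs are documentation values.
SAMPLE_LOG = """\
2019-02-19 10:15:01 login authenticator failed for (ylmf-pc) [203.0.113.5]: 535 Incorrect authentication data (set_id=alice)
2019-02-19 10:15:09 login authenticator failed for (ylmf-pc) [203.0.113.5]: 535 Incorrect authentication data (set_id=bob)
2019-02-19 10:15:20 plain authenticator failed for (ylmf-pc) [203.0.113.5]: 535 Incorrect authentication data (set_id=carol)
2019-02-19 10:15:31 login authenticator failed for (ylmf-pc) [203.0.113.5]: 535 Incorrect authentication data (set_id=dave)
2019-02-19 10:15:44 login authenticator failed for (ylmf-pc) [203.0.113.5]: 535 Incorrect authentication data (set_id=erin)
2019-02-19 10:16:02 login authenticator failed for (ylmf-pc) [203.0.113.5]: 535 Incorrect authentication data (set_id=frank)
2019-02-19 10:20:10 plain authenticator failed for (laptop.example) [198.51.100.7]: 535 Incorrect authentication data (set_id=alice)
2019-02-19 10:21:00 1gvxyz-0001Ab-Cd <= alice@example.org H=laptop.example [198.51.100.7] P=esmtpsa A=plain:alice S=1234
2019-02-19 11:05:42 plain authenticator failed for (laptop.example) [198.51.100.7]: 535 Incorrect authentication data (set_id=alice)
"""

# Optional ":port" after the address covers logs written with +incoming_port.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<auth>\S+) authenticator failed for \((?P<helo>[^)]*)\) "
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\](?::\d+)?: 535 .*\(set_id=(?P<user>[^)]*)\)$"
)


def parse_failures(text):
    """Yield (timestamp, ip, set_id) for each auth-failure line; other lines are skipped."""
    for line in text.splitlines():
        m = AUTH_FAIL.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["user"]


def find_bruteforce(text, threshold=5, window_seconds=600, ignore=frozenset()):
    """Return {ip: {"failures": n, "users": k}} for every source IP that produced
    at least `threshold` failures inside some window of `window_seconds`.
    Addresses in `ignore` (known NAT gateways, own relays) are never reported,
    which is the false-positive case the post warns about."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(text):
        if ip not in ignore:
            by_ip[ip].append((ts, user))
    window = timedelta(seconds=window_seconds)
    offenders = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            # slide the left edge until the window spans at most window_seconds
            while ts - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = {
                    "failures": len(events),
                    "users": len({u for _, u in events}),
                }
                break
    return offenders


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        kind = "user enumeration" if info["users"] > 1 else "single-account guessing"
        print(f"{ip}: {info['failures']} failures, {info['users']} distinct set_ids ({kind})")
```

With the defaults only 203.0.113.5 is reported (six different set_ids within a minute); the laptop that mistypes its password twice in an hour stays below the threshold, and a gateway placed in `ignore` is never reported at all. Whether a reported address then gets a firewall rule is a separate decision, for exactly the NAT reason given above.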

Re: [exim] Spam though my server

2019-02-19 Thread Niels Dettenbach via Exim-users
On Tuesday, 19 February 2019, 11:38:22 CET, Odhiambo Washington via Exim-users wrote:
> How they end up hacking this account is something of a mystery now. This is
> the second time in as many months.
..."usually" they got the user's login credentials in some way. 

From my experience, the most typical cases are:

 - the user uses an easy-to-brute-force PW (exim provides different limits to 
make this more difficult - if configured/set in the config, but additional 
firewall rules or an IPS may be required too to block massive brute forcing on EXIM 
via SMTP)

 - the user's PW got hacked on a client in some way, or

 - the same user's PW got discovered/"hacked" on a foreign website or internet 
service

 - the (usually encrypted) "password storage" (i.e. a SQL database, LDAP, 
shadow or whatever) got "hacked" / copied and this PW was cracked. Very 
typical seem to be attacks on SQL databases behind some LAMP or similar web 
management tool, or by other web applications which use the same database 
installation - using insecure grants or security holes in the database or a 
LAMP stack.

 - PW sniffed from a non-encrypted SMTP session with exim (if allowed in exim 
and on the client)


This is just to point you in a few typical directions.

good luck,


niels.




Re: [exim] The Google Lie

2019-02-13 Thread Niels Dettenbach via Exim-users
On Wednesday, 13 February 2019, 01:46:21 CET, Christian Balzer via Exim-users wrote:
> And come to name it here as "The Google Lie".
> 
> On the face of it this looks like another attempt to ram the
> unpalatable SPF/DKIM/DMARC cocktail down everybody's throat because of
> course Google knows best and is also a cute 800kg gorilla that won't do
> evil (honest guv!).

Hmm, I'm personally not a fan of Google's email services, but this conclusion 
sounds a bit strong to me. 

As the linked page states, there are "basic" things like reverse DNS and 
similar which gmail expects from "non authenticated" users - things which 
are typical for many other mail services too and even recommended by major 
RFCs. Without DKIM I'm not sure, as I did not test that yet - but without 
DKIM it seems difficult to get a "reliable" email service up today.

From my experience, GMail doesn't require DMARC or SPF from senders, but it 
could help shifting reputation for mail services where it may make sense.

For higher volumes GMail offers a "GMail Postmaster Account" where postmasters 
can "list" their mailservers which send to GMail - Google seems to use this 
as an "abuse contact" too (which many mailservers do not really have yet but 
"should" by RFC).

DMARC is not a general solution for everyone, but could help some email 
entities with special applications (i.e. financial services).

> Received-SPF: pass (google.com: best guess record for domain of
> ch...@gol.com designates 203.216.5.73 as permitted sender)
> client-ip=203.216.5.73; ---
> 
> So why do we see those failures then?
Checking the DNSBLs could make sense, as these DNSBLs are used in many email 
services and anti-spam "solutions". Currently I see e.g. a listing in:
https://www.anticaptcha.net/check/?ip=203.216.5.73

> As it turns out, Google uses Spamhaus (they're a customer, but won't admit
> to using their RBLs in public) and in particular checks mails for their
> origin IP against XBL (CBL).
There are many others who do that too - at least with some weighting.


> So Google:
> a) lies, the error is based on the origin-IP.
I did not see this as a "lie" - each mail ISP is able to define its own 
"authentication" policies to prevent spam. And as far as I can see your email 
session was not an "authenticated one" - which leads GMail (as many others) to 
much stricter validity / "authenticity" checks than for authenticated ones.

There is no absolute email service, as users have very different expectations 
of e.g. "spam" filtering / anti-abuse actions - including a different view 
of the definition of "spam".

GMail is very restrictive in this - this means GMail users have to accept 
that they do not get every email they might want - as the cost of highly 
spam-reduced inbox traffic. This is a contract/decision between GMail and GMail 
customers/users and not the senders to GMail.

DKIM/SPF/DMARC are not killer solutions - they only "make sense" in 
(different) special scenarios which do not fit all email users.

Mail providers could do their best to get around "any" anti-spam ratings of 
whatever target systems in many different ways of shifting their reputations. 
Even the definition of "reputation" is very diverse in the net. E.g. there are 
many who do not accept non-auth emails from known dynamic ranges. The diversity is 
as large as the customer profiles and expectations in the world. This is why I 
personally don't like GMail - their "usage rules" (filter rules) would not fit 
my personal expectations. There is no "perfect" email service.

I know the good old story of customers complaining "they did not get my 
email" - but this is an issue / responsibility of the receiver (and his 
decision for an email service provider) as long as the sender fulfills official 
specs. If this becomes transparent, the stories of the "bad monopolies" who 
"dictate the internet" are over. I do not know any professionally operating 
company relying on highly diverse email traffic using standard GMail for 
their email stuff.


hth,
best regards,


niels.



Re: [exim] How to block using exim re:[doc...@nk.ca: Your account has been hacked! You need to unlock.]

2019-01-28 Thread Niels Dettenbach via Exim-users
On Sunday, 27 January 2019, 20:56:03 CET, Ellen Van Landingham via Exim-users wrote:
> Personally, I have an Exim filter that rejects any message
> containing the word "bitcoin" in $message_body.  This won't be
> useful for you if you actually use bitcoins for anything, but it
> works for me.

This is usually a very bad idea - even for pure personal usage, as there are 
many ham mails around where this word could be found in their content (e.g. 
incl. well known newspapers, financial info and online shopping e-commerce 
who offer payment by bitcoin (or describe why not in their notification mails) 
etc. - or your own list mail here, for instance). On the other hand, I've seen a 
lot of spam which contains "hot" terms/words in a mutated / non-official way - 
e.g. "bitc0in" or "bitco1n"...

Fighting spam in a reliable way is a "science by itself" (as the spammer 
business is still huge and clever) - unfortunately simple dictionary filters 
have not worked reliably for decades. We've seen customers who 
built such simple word filters (by sieve or similar) themselves and complained 
months later about "lost" important mails...


hth
best regards,

niels.


Re: [exim] Spam Filtering / dnslists

2018-02-08 Thread Niels Dettenbach via Exim-users
On Thursday, 8 February 2018, 08:16:54 CET, Odhiambo Washington via Exim-users wrote:
> So, I have to ask what people are using these days when it comes to
> dnslists?
> And what other tools/tricks are in use that would help fight spam?

Hmm,
in my experience, dnslists are just one step of effective anti-spam filtering 
today. We developed a complex multi-stage anti-spam system for our email 
services which has to be tuned and managed actively, but with the smallest 
amount of time/work possible.

I think in principle the (by far) most efficient anti-spam fighting is still 
possible on MXes and not on SMTP/mail "hops" "behind" them. A good DNS setup for 
outgoing email to reduce/avoid bounces from "hijacked" sender addresses is 
important too.

If you look for an in-exim "easy to handle" list, I could recommend 
(currently):

sbl-xbl.spamhaus.org
nomail.rhsbl.sorbs.net/$sender_address_domain
cbl.abuseat.org
web.dnsbl.sorbs.net
socks.dnsbl.sorbs.net
http.dnsbl.sorbs.net
zen.spamhaus.org
b.barracudacentral.org
psbl.surriel.com

But be warned, the most effective lists contain a few (known) "false 
positives" (e.g. spamhaus) of large email services (e.g. yahoo, local free 
mail services), because they do not handle their large email traffic within the 
DNSBLs' policies (i.e. they contain a lot of spam). You have to watch and whitelist 
them by hand in the beginning. Place e.g. a proper error message with a URL 
pointing to further details and a contact to you / postmaster. 

But DNSBLs are just one thing - today's spammers try to get access to and use 
proper relays with hijacked sender addresses (to get through DMARC / SPF / 
DKIM), which is important to reach e.g. gmail recipients.

DNSBL will block real email.

Our anti-spam solution (handling a few hundred thousand mails per day) has 
three "main stages":

- EXIM SA (with Greylisting)
- EXIM ACL and a few DNSBL, DMARC (SPF/DKIM)
- Spamassassin (with compiled rules - DCC, Pyzor2, Razor and Bayesian)
- EXIM - AMAVIS Antivirus (with two scanners)

We use a long list of DNSBLs with a "spam probability" value for each, added 
(or subtracted) to/from a spam probability counter which goes into 
Spamassassin. SA internally works similarly, and in SA we handle DCC (and razor 
+ pyzor2). You may ask on the SA lists / view the SA docs for more in-depth details as 
this would be off-list here.

This means each (new) email sender generates a lot of connections (primarily 
DNS). It may make sense to have your own DNS resolvers (against root) and 
possibly a DCC instance.

The Bayesian subsystem of SA, as the antivirus subsystem, takes significant CPU 
/ system load. Be aware of local laws if you "read" the users' emails (our 
customers allow us to use their email content for spam analysis - check 
possible local law).

Over many years now the solution has worked very well for our users/customers, 
which (as business users) have a very low acceptance for false positives as 
for (real) spam. Depending on the time we get around 97%-99.5% of "real" spam 
out, while the measuring there is not very sharp, because it "hits" against 
the definition of "spam". If we go higher, unacceptable false positives will 
arise.

At the beginning we had to fill in a few hard whitelist entries in different 
subsystems for a few very large (mostly local and freemail) email providers 
which "go their own way". If a bounce rises today to a real sender the 
reason is on his side (defective email or temporary defect on the mail system on 
the sender's side). It is important to deliver proper / helpful error messages 
(without giving out too much info to spammers).

We do not have any "Spam folder" in users' mailboxes as this doesn't save time 
for the users. 

We recommend our users to disable such in email clients as the amount of 
false positives could be higher than the "real" spam landing there. There will be 
email which is recognized by users as "spam" which is regular list / 
newsletter email the user has accepted in the past - letting users mark them 
as "spam" often leads to further problems with false positives later.



hth a bit,

best regards,

Niels.

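The weighted DNSBL counter the post describes (a per-list "spam probability" added to or subtracted from a running score), as an added example in Python. It is not the poster's setup and not Exim's dnslists implementation. It uses zone names from the list above with constructed weights plus a hypothetical allowlist zone (dnswl.example) to show a negative weight, replaces DNS with a constructed answer table so it runs offline, and treats any answer outside 127.0.0.0/8 as no hit, the RFC 5782 convention that guards against a zone that has gone dead or been taken over and now answers every query.

```python
"""Weighted DNSBL/RHSBL scoring with an offline stand-in for DNS (added example)."""
import ipaddress

# Zones from the post; the weights are constructed for illustration.
DNSBL_WEIGHTS = {
    "zen.spamhaus.org": 4.0,
    "b.barracudacentral.org": 2.5,
    "psbl.surriel.com": 1.5,
    "dnswl.example": -3.0,          # hypothetical allowlist zone subtracts
}
RHSBL_WEIGHTS = {
    "nomail.rhsbl.sorbs.net": 2.0,  # keyed by sender domain, not by IP
}

# Constructed stand-in for DNS answers: query name -> list of A records.
# None of these reflect real listings of these addresses.
FAKE_DNS = {
    "5.113.0.203.zen.spamhaus.org": ["127.0.0.4"],
    "5.113.0.203.b.barracudacentral.org": ["127.0.0.2"],
    "spammy.example.nomail.rhsbl.sorbs.net": ["127.0.0.6"],
    "7.100.51.198.dnswl.example": ["127.0.10.2"],
    # a dead or hijacked zone answering with a public address: must not count
    "10.2.0.192.psbl.surriel.com": ["198.51.100.250"],
}


def fake_resolve(name):
    """Return the A records for `name` from the constructed table ([] = NXDOMAIN)."""
    return FAKE_DNS.get(name, [])


def dnsbl_query_name(ip, zone):
    """Build the reversed-address query name used by IP-based DNSBLs."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = addr.exploded.split(".")
    else:  # IPv6 lists reverse all 32 hex nibbles of the expanded address
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def listed(answers):
    """A hit is valid only if every answer lies in 127.0.0.0/8 (RFC 5782)."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return bool(answers) and all(ipaddress.ip_address(a) in loopback for a in answers)


def score_sender(ip, sender_domain, resolve=fake_resolve):
    """Sum the weights of all lists with a valid hit; returns (score, hit zones)."""
    score, hits = 0.0, []
    for zone, weight in DNSBL_WEIGHTS.items():
        if listed(resolve(dnsbl_query_name(ip, zone))):
            score += weight
            hits.append(zone)
    for zone, weight in RHSBL_WEIGHTS.items():
        if listed(resolve(f"{sender_domain.rstrip('.')}.{zone}")):
            score += weight
            hits.append(zone)
    return round(score, 2), hits


def dnsbl_header(ip, sender_domain, resolve=fake_resolve):
    """Header text that a downstream SpamAssassin header rule could score on."""
    score, hits = score_sender(ip, sender_domain, resolve)
    return f"X-DNSBL-Score: {score:.1f} ({', '.join(hits) if hits else 'none'})"


if __name__ == "__main__":
    for ip, dom in [("203.0.113.5", "spammy.example"),
                    ("198.51.100.7", "example.org"),
                    ("192.0.2.10", "example.net")]:
        print(ip, dom, "->", dnsbl_header(ip, dom))
```

In a real deployment the counter would be built in an Exim ACL (the `dnslists` condition with `$dnslist_value` exposes the same 127.x return codes) and handed to SpamAssassin through a header; the block shows only the scoring logic, and the hit list in the header is what makes a later false positive traceable to one specific zone, which the post says you will need to whitelist around at the start.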

Re: [exim] Start working with exim config files

2017-06-13 Thread Niels Dettenbach via Exim-users
Hi John,


On Tuesday, 13 June 2017, 12:30:52 CEST, John Smith wrote:
>I added the "MAIN_TLS_ENABLE = yes" in the
>conf.d/main/03_exim4-config_tlsoptions. Here it works after restarting
>Exim : I can see STARTTLS after EHLO localhost on telnet.
>But after that I wanted to set other options like (for examples) :
>tls_certificate =  /etc/ssl/certs/file1.crt
>tls_privatekey  =  /etc/ssl/certs/private/file2.key
> 
>(I know that Exim takes by default the exim.key and  exim.crt in
>/etc/exim4 folder so I can unset the two lines above and use the files
>generated by gencert command...

Just to clarify a bit:

Exim does (nearly) nothing "by default". Everything has to be configured within 
the config file. 

Exim typically has one config file, which could include further files if a user 
wants to use that in any way. 

"MAIN_TLS_ENABLE" is not an EXIM directive. Debian (as Ubuntu) uses its own 
(split) very complex config file with many own directives (mostly upper case 
names) to "switch on/off" parts of their "configuration snippets". 

So in the end, it is up to Debian how they handle that - and how you 
could officially "fiddle in" your own config directives without breaking their 
setup. If you want to use that, you may ask within the Debian community.

If you want (or must) go a bit deeper into Exim, it may make sense to work 
out your own config file (i.e. a single one) from one of the many examples in 
the docs or on the net. This is less "ugly" than it may seem to beginners and 
gives you a much more readable config.

Personally I'm not using the Debian config files - so I can't help you with 
this 
- had problems with breakage after security updates etc. some years ago even on 
"small systems".


hth a bit,
good luck,


Niels.



Re: [exim] DMARC spf_domain= empty

2017-06-06 Thread Niels Dettenbach via Exim-users
On Monday, 5 June 2017, 11:32:37 CEST, Jeremy Harris wrote:
> Aha:
> 
> https://bugs.exim.org/show_bug.cgi?id=1994

...this could make sense. I did not find that before.

I've patched my EXIM 4.89 build (a bit wondering why it is not in that 
version / tarball) now and will investigate it further.

many thanks for your time.

Niels.



Re: [exim] DMARC spf_domain= empty

2017-05-31 Thread Niels Dettenbach via Exim-users
On Wednesday, 31 May 2017, 14:50:16 CEST, Jeremy Harris wrote:
> > /* Use the envelope sender domain for this part of DMARC */
> > spf_sender_domain = expand_string(US"$sender_address_domain");
> 
> It's using $sender_address_domain - so what was that for this mail?
It should be "googlemail.com" in this case, but is empty if I let it be written into 
the log_message from a DMARC acl (in acl_check_data). Within other acls it 
seems to be working properly. hmm...

The same effect on other sender domains. 

It seems that DKIM uses the correct $sender_address_domain and the (libspf2) 
Exim SPF seems to work properly too.

many thanks for your time!
many greetings,


Niels.


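DMARC identifier alignment, which is what produces the spf_align and dkim_align values discussed in this thread, as an added example in Python. It is not Exim's dmarc.c and not libopendmarc; it reproduces the decision so the thread's case (DKIM d=googlemail.com passes, the SPF domain arrives empty) can be followed step by step. The public suffix set is a constructed toy standing in for the Public Suffix List, and every policy record below is constructed, not the real record of any domain named in the thread.

```python
"""DMARC alignment and disposition, simplified (added example)."""

# Constructed toy stand-in for the Public Suffix List; real code needs the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "de", "co.uk"}


def organizational_domain(domain):
    """Reduce a domain to one label above its public suffix (example.co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def aligned(header_from_domain, auth_domain, mode):
    """RFC 7489 alignment: 's' needs an exact match, 'r' a shared organizational domain."""
    if not auth_domain:  # an empty authenticated domain (this thread's symptom) never aligns
        return False
    a = header_from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def parse_dmarc_record(txt):
    """Turn 'v=DMARC1; p=reject; adkim=s' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def dmarc_evaluate(header_from_domain, spf_result, spf_domain, dkim_results, record):
    """Combine the SPF and DKIM outcomes with the sender's policy.

    spf_domain   : domain SPF was evaluated for (envelope sender, or HELO for a null sender)
    dkim_results : list of (d= domain, result) pairs from signature verification
    record       : parsed DMARC record of the header From domain
    Returns spf_align, dkim_align and the disposition the receiver should apply."""
    spf_align = spf_result == "pass" and aligned(header_from_domain, spf_domain, record.get("aspf", "r"))
    dkim_align = any(
        result == "pass" and aligned(header_from_domain, d, record.get("adkim", "r"))
        for d, result in dkim_results
    )
    if spf_align or dkim_align:
        disposition = "accept"
    else:
        disposition = {"none": "accept", "quarantine": "quarantine", "reject": "reject"}[record.get("p", "none")]
    return {"spf_align": spf_align, "dkim_align": dkim_align, "disposition": disposition}


if __name__ == "__main__":
    # The thread's situation: DKIM aligns, SPF domain is empty, so only DKIM carries the pass.
    policy = parse_dmarc_record("v=DMARC1; p=none")  # constructed, not googlemail.com's record
    print(dmarc_evaluate("googlemail.com", "pass", "", [("googlemail.com", "pass")], policy))
```

The empty `spf_domain` case is why the log line in this thread shows `spf_align=no` next to `dkim_align=yes`: with DKIM aligned the message is still accepted, but a sender that relies on SPF alone would be judged by `p=` as soon as the domain is lost, and the aggregate report would carry an empty SPF section, which is the "bad XML reports" symptom described below.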
[exim] DMARC spf_domain= empty

2017-05-31 Thread Niels Dettenbach via Exim-users
Hiho Dears,


after investigating my EXIM DMARC (opendmarc EXP) setup and the current docs 
about Exim DMARC in more detail, I've found that everything seems to work except 
that the SPF variable(s) - especially "spf_domain=" - are not filled correctly 
within dmarc.c. This leads to bad XML reports too, because of "failed" empty 
SPF fields.

Could someone please explain how the "spf_domain" vs. SPF data within DMARC should 
work?

Here is an example of a googlemail.com email going through DMARC here:

--- snip ---
2017-05-31 10:40:11 1dFzAp-0007cW-UY DKIM: d=googlemail.com s=20161025 c=relaxed/relaxed a=rsa-sha256 b=2048 [verification succeeded]
2017-05-31 10:40:11 1dFzAp-0007cW-UY DMARC results: spf_domain= dmarc_domain=googlemail.com spf_align=no dkim_align=yes enforcement='Accept'
2017-05-31 10:40:11 1dFzAp-0007cW-UY H=mail-wr0-f195.google.com [209.85.128.195] Warning: [DMARC] ACCEPTED: accept googlemail.com
2017-05-31 10:40:11 1dFzAp-0007cW-UY H=mail-wr0-f195.google.com [209.85.128.195] Warning: [DMARC] DEBUG: 'accept' for googlemail.com STATUS Accept USED_DOMAIN googlemail.com DMARC_HEADER Authentication-Results: mail.syndicat.com; dmarc=pass header.from=googlemail.com
--- snap ---

I use EXIM 4.89nb1 on NetBSD

built against:
- libspf2-1.2.10
- opendmarc 1.3.1

with:
LOOKUP_LIBS=-lmysqlclient -lssl -lcrypto -lopendmarc -Wl,-R/usr/pkg/lib -L/usr/pkg/lib -lsasl2 -lspf2
EXPERIMENTAL_SPF=yes
EXPERIMENTAL_DMARC=yes
WITH_CONTENT_SCAN=YES
...

OpenDMARC is built with SPF support (tried it without too):
opendmarc: OpenDMARC Filter v1.3.1
SMFI_VERSION 0x101
libmilter version 1.0.1
Active code options:
WITH_SPF

In opendmarc.conf these are commented out / default:

##  SPFIgnoreResults { true | false }
##  default "false"

#SPFSelfValidate true

##  Syslog { true | false }
##  default "false"

I'm not sure if Exim DMARC uses this via e.g. libopendmarc, or SPF directly 
from libspf2. 

As described, I do the SPF checks "before" the DMARC checks within 


acl_check_rcpt:
...

### SPF native

  warn    set acl_m_spf_record = ${lookup dnsdb{txt=$sender_address_domain}{$value}}

  # No record
  warn    !condition  = ${if def:acl_m_spf_record}
          !hosts      = +3rdmxes : +relay_from_hosts
          log_message = [SPF] no record

  # SPF +all is meaningless
  warn    condition   = ${if match {$acl_m_spf_record}{\\+all}}
          log_message = [SPF] meaningless +all
          !hosts      = +3rdmxes : +relay_from_hosts

  warn    spf         = fail
          !hosts      = +3rdmxes : +relay_from_hosts : +nosa_from_hosts
          log_message = [SPF] $sender_host_address is not allowed to send mail from $sender_address_domain

  # Add a SPF-Received: header to the message
  warn    message     = $spf_received
          !hosts      = +3rdmxes : +relay_from_hosts

  accept  spf         = pass
          log_message = [SPF] pass
          !hosts      = +3rdmxes : +relay_from_hosts


### DMARC niels
  # --- check sender's DMARC policy
  warn    domains     = +local_domains
          hosts       = +3rdmxes : +relay_from_hosts
          log_message = [DMARC] no check for OUR hosts
          control     = dmarc_disable_verify


  warn    !domains    = +screwed_up_dmarc_records
          #log_message = [DMARC] check forensics
          control     = dmarc_enable_forensic
###

and then DMARC (as described) in 

acl_check_data:
...

## test
  # --- check sender's DMARC policy
  warn    dmarc_status = *
          add_header   = $dmarc_ar_header

  deny    dmarc_status = reject
          message      = Rejected by sender's DMARC policy

  warn    dmarc_status = quarantine
          set acl_c0   = ${eval:$acl_c0+40}
          set acl_c1   = QDMARC(40) suspicious message according DMARC policy; $acl_c1

## test


To me it seems that in dmarc.c spf_domain is not set correctly (however?), but it 
seems relatively "hard wired" there. Any idea what could be wrong here?
https://github.com/Exim/exim/blob/master/src/src/dmarc.c
--- snip ---
  /* Use the envelope sender domain for this part of DMARC */
  spf_sender_domain = expand_string(US"$sender_address_domain");
  if (!spf_response)
{
/* No spf data means null envelope sender so generate a domain name
 * from the sender_helo_name  */
if (!spf_sender_domain)
  {
  spf_sender_domain = sender_helo_name;
  log_write(0, LOG_MAIN, "DMARC using synthesized SPF sender domain = %s\n",
 spf_sender_domain);
  DEBUG(D_receive)
debug_printf("DMARC using synthesized SPF sender domain = %s\n",
  spf_sender_domain);
  }
dmarc_spf_result = DMARC_POLICY_SPF_OUTCOME_NONE;