Re: [exim] exim cant handle 521 response from remote MX
Maybe Exim should get a feature where you can define "protocol overrides" for domains, so it ignores specific protocol violations and such. So if you have a problem with a slightly misbehaving remote mail server, you can in an ACL define how Exim should treat its responses (for example, treat it as temporary rejection, permanent rejection, or just ignore it) - at different stages in the connection.

-----Original Message-----
From: Jeremy Harris via Exim-users
Sent: 3 September 2021 00:46
To: exim-users@exim.org
Subject: Re: [exim] exim cant handle 521 response from remote MX

On 02/09/2021 20:25, krzf83--- via Exim-users wrote:
>>> Large email provider in my country uses 521 response at their MX for
>>> some kind of delaying. They don't care that it's against rfc1846
>>>
>>> rfc1846 says: "A host which sends a 521 greeting message MUST NOT be
>>> listed as an MX record for any domain"
>>>
>>> # nc mx.poczta.onet.pl 25
>>> 220-mx.poczta.onet.pl ESMTP
>>> 521 5.7.1 Service unavailable; client [144.76.50.172] blocked using
>>> postscreenbl.opbl.onet.pl.local

That is not a consistent response. The first line is a 220 (with a flag saying it will be a multi-line response). The second is a 521 (without the flag, hence the last line). All the lines of the response should have the same code (RFC 5321 section 4.2.1, last para: "In a multiline reply, the reply code on each of the lines MUST be the same.")

For what it's worth, testing from here gets a two-line response but with 220 for both.

--
Cheers,
  Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
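Jeremy's same-code rule and Sebastian's "protocol override" idea, as an added example that is not part of the thread and not Exim code: a parser for multi-line SMTP replies that flags a reply whose lines carry different codes, and a decision function in which the override names ("defer", "fail", "ignore") and the "protocol_error" outcome are my own modelling, not Exim behaviour.

```python
# Added example, not code from the thread or from Exim: parse an SMTP reply the
# way RFC 5321 section 4.2.1 defines multi-line replies and flag one whose lines
# do not all carry the same code, like the onet.pl banner quoted above.
import re
from dataclasses import dataclass, field
from typing import List, Optional

LINE_RE = re.compile(r"^(\d{3})([ -])(.*)$")

@dataclass
class SmtpReply:
    code: int                                       # code on the first line
    codes: List[int] = field(default_factory=list)  # code seen on every line
    text: List[str] = field(default_factory=list)   # text part of every line
    consistent: bool = True                         # all lines carried `code`

def parse_reply(raw: str) -> SmtpReply:
    """Parse one reply. '-' after the code means more lines follow; a space
    marks the last line. Raises ValueError on malformed or unfinished input."""
    reply: Optional[SmtpReply] = None
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        code, sep, text = int(m.group(1)), m.group(2), m.group(3)
        if reply is None:
            reply = SmtpReply(code=code)
        reply.codes.append(code)
        reply.text.append(text)
        if code != reply.code:
            # RFC 5321 4.2.1: "the reply code on each of the lines MUST be the same"
            reply.consistent = False
        if sep == " ":
            return reply
    raise ValueError("reply has no final line ('<code><SP>' never seen)")

def greeting_action(reply: SmtpReply, override: Optional[str] = None) -> str:
    """What a client should do with a greeting. `override` models the per-domain
    'protocol override' from the thread ('defer', 'fail' or 'ignore') and applies
    only to a reply that breaks the same-code rule; with no override such a
    reply is reported as a protocol error instead of being guessed at."""
    if reply.consistent:
        if reply.code == 220:
            return "proceed"
        return "defer" if 400 <= reply.code < 500 else "fail"
    if override == "ignore":            # ignore the violation, trust line one
        return greeting_action(SmtpReply(code=reply.code))
    return override if override is not None else "protocol_error"

# Constructed copy of the banner quoted in the thread.
ONET_BANNER = ("220-mx.poczta.onet.pl ESMTP\r\n"
               "521 5.7.1 Service unavailable; client [144.76.50.172] blocked using "
               "postscreenbl.opbl.onet.pl.local\r\n")
```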
Re: [exim] Subject rewriting
I would personally use the "Keywords:" header instead:

  warn condition = ${if forany{${listnamed_d:trusted_domains}}{match{$sender_address_domain}{\\.$item\$}}{yes}{${if forany{${listnamed_d:trusted_domains}}{eq{$sender_address_domain}{$item}}{yes}{no}}}
       set acl_m3 = =E2=9C=94=EF=B8=8F Betrodd dom=C3=A4n
       set acl_m4 = dnswl_whitelisted
       set acl_m5 = pass
       set acl_m6 = 1

  warn condition = ${if forany{${listnamed_d:trusted_domains}}{match{$sender_address_domain}{\\.$item\$}}{no}{${if forany{${listnamed_d:trusted_domains}}{eq{$sender_address_domain}{$item}}{no}{yes}}}
       set acl_m3 = =E2=9E=96 Ok=C3=A4nd dom=C3=A4n
       set acl_m5 = fail

  warn condition = ${if forany{${listnamed_d:suspicious_domains}}{match{$sender_address_domain}{\\.$item\$}}{yes}{${if forany{${listnamed_d:suspicious_domains}}{eq{$sender_address_domain}{$item}}{yes}{no}}}
       condition = ${if eq{$acl_m5}{fail}{yes}{no}}
       set acl_m3 = =E2=9D=8C Misst=C3=A4nkt skadlig dom=C3=A4n
       set acl_m5 = suspicious

  deny message = 5.7.23 SPF fail (phishing) - (${sg{${sg{$spf_smtp_comment}{http\:\/\/www\.open-spf\.org\/Why}{https:\/\/www.sebbe.eu\/spf.cgi}}} {=sebbe\.eu}{}})
       log_message = SPF check failed: ($spf_header_comment)
       spf = fail : softfail

  warn set acl_m1 = 4

  warn spf = pass
       add_header = X-SPF-Signature: $spf_result ($spf_header_comment)
       set acl_m1 = 3
       set acl_m2 = =E2=9C=94=EF=B8=8F SPF-signaturen =C3=A4r giltig

  warn spf = none : neutral
       add_header = X-SPF-Signature: $spf_result ($spf_header_comment)
       set acl_m1 = 2
       set acl_m2 = =E2=9E=96 SPF-signatur saknas

  warn spf = permerror : temperror
       log_message = SPF failure: $spf_header_comment
       add_header = X-SPF-Signature: $spf_result ($spf_header_comment)
       set acl_m1 = 1
       set acl_m2 = =E2=9A=A0=EF=B8=8F Trasig SPF-signatur

  warn condition = ${if eq{$acl_m1}{4}{yes}{no}}
       add_header = X-SPF-Signature: permerror (No SPF lookup was made due to technical error)
       set acl_m1 = 1
       set acl_m2 = =E2=9A=A0=EF=B8=8F Trasig SPF-signatur

  accept

acl_check_dkim:

  accept dkim_status = fail
         add_header = X-DKIM-Signature: fail (address=$sender_address domain=$dkim_cur_signer - signature is bad)
         add_header = Keywords: =?UTF-8?Q?$acl_m2,=E2=9D=8C F=C3=B6rfalskad DKIM-signatur,$acl_m3?=
         add_header = X-Priority: ${if eq {$acl_m1}{3}{3}{1}}
         add_header = X-Status: ${if eq {$acl_m6}{1}{${if eq {$acl_m1}{3}{F}{}}}{}}

  accept dkim_status = invalid
         add_header = X-DKIM-Signature: invalid ($dkim_verify_status - $dkim_verify_reason)
         add_header = Keywords: =?UTF-8?Q?$acl_m2,=E2=9A=A0=EF=B8=8F Trasig DKIM-signatur,$acl_m3?=
         add_header = X-Priority: ${if eq {$acl_m1}{3}{3}{5}}
         add_header = X-Status: ${if eq {$acl_m6}{1}{${if eq {$acl_m1}{3}{F}{}}}{}}

  accept dkim_status = pass
         add_header = X-DKIM-Signature: pass (address=$sender_address domain=$dkim_cur_signer - signature is good)
         add_header = Keywords: =?UTF-8?Q?$acl_m2,=E2=9C=94=EF=B8=8F DKIM-signaturen =C3=A4r giltig,$acl_m3?=
         add_header = X-Priority: 3
         add_header = X-Status: ${if eq {$acl_m6}{1}{F}{}}

  accept dkim_status = none
         add_header = X-DKIM-Signature: none (address=$sender_address domain=$dkim_cur_signer - no signature found)
         add_header = Keywords: =?UTF-8?Q?$acl_m2,=E2=9E=96 DKIM-signatur saknas,$acl_m3?=
         add_header = X-Priority: ${if eq {$acl_m1}{3}{3}{${if eq {$acl_m1}{2}{1}{5}}}
         add_header = X-Status: ${if eq {$acl_m6}{1}{${if eq {$acl_m1}{3}{F}{}}}{}}

Gives a nice status indicator in Microsoft Outlook (you have to assign the colors manually, though), while the X-Priority header will add a (!) for fraudulent email, and a (DOWNARROW) for when there is some technical problem, for email clients not supporting the Keywords: header. And it also automatically stars the email when all validations succeed, for the same reason: email clients with no support for the Keywords: header.

-----Original Message-----
From: Jasen Betts via Exim-users
Sent: 1 September 2021 04:09
To: exim-users@exim.org
Subject: Re: [exim] Subject rewriting

On 2021-08-26, nb via Exim-users wrote:
> Hi,
>
> I need to change the subject when the message is considered as spam,
> *and* when there is an SPF problem.
>
> I use the following method:
>
> 1 - for SPF:
> # remove old subject
> remove_header=Subject
> # create a new subject
> add_header = Subject: *** SPF Error *** $rh_Subject:
>
> 2 - for SPAM:
> # remove old subject
> remove_header=Subject
> # create a new subject
> add_header = Subject: ***SPAM (score: $spam_score)*** $rh_Subject:
>
> It works fine when either of these two cases occur.
> But when both occur at the same time, I don't get the expected
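The Keywords: header built in the ACL above, as an added example that is not the poster's configuration: it produces the same Unicode status tags as RFC 2047 'Q' encoded-words and decodes them back with the standard library. The ACL splices $acl_m2 and $acl_m3 into a single =?UTF-8?Q?...?= word that keeps raw spaces; RFC 2047 forbids SPACE inside an encoded-word and limits each one to 75 characters, which is what the encoder below enforces. The tag strings are constructed copies of the ACL's Swedish labels.

```python
# Added example, not the poster's configuration: build the Keywords: header
# the ACL above constructs, as RFC 2047 'Q' encoded-words, and decode it back.
# RFC 2047 forbids SPACE inside an encoded-word (it is written '_' or =20) and
# caps each encoded-word at 75 characters, so long tag lists must be split.
from email.header import decode_header
from typing import List

# Bytes kept literally inside a 'Q' encoded-word in a header (RFC 2047 4.2/5).
SAFE = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!*+-/")

def q_encode(text: str) -> str:
    """'Q' encode text: SPACE -> '_', safe ASCII kept, all else =XX per UTF-8 byte."""
    out = []
    for b in text.encode("utf-8"):
        if b == 0x20:
            out.append("_")
        elif b in SAFE:
            out.append(chr(b))
        else:
            out.append("=%02X" % b)
    return "".join(out)

def encoded_words(text: str, charset: str = "UTF-8", limit: int = 75) -> List[str]:
    """Split text into encoded-words of at most `limit` characters. Characters
    are encoded one at a time so an =XX triple or a multi-byte character is
    never cut between two words."""
    prefix, suffix = f"=?{charset}?Q?", "?="
    room = limit - len(prefix) - len(suffix)
    words, cur = [], ""
    for ch in text:
        enc = q_encode(ch)
        if cur and len(cur) + len(enc) > room:
            words.append(prefix + cur + suffix)
            cur = ""
        cur += enc
    words.append(prefix + cur + suffix)
    return words

def keywords_header(tags: List[str]) -> str:
    """Header value for 'Keywords:': the comma-joined tags as encoded-words,
    separated by single spaces as RFC 2047 requires between encoded-words."""
    return " ".join(encoded_words(",".join(tags)))

def decode_keywords(value: str) -> List[str]:
    """Decode with the standard library and split the tag list again."""
    text = "".join(part.decode(cs or "ascii") if isinstance(part, bytes) else part
                   for part, cs in decode_header(value))
    return text.split(",")

# Constructed tags: the Swedish status strings the ACL above stores in acl_m2/acl_m3.
TAGS = ["\u2714\ufe0f SPF-signaturen \u00e4r giltig",      # SPF signature is valid
        "\u274c F\u00f6rfalskad DKIM-signatur",             # forged DKIM signature
        "\u2714\ufe0f Betrodd dom\u00e4n"]                  # trusted domain
```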
Re: [exim] Better way to deal with phished users?
The problem is that passwords are insecure. It's much better to lock accounts to countries or even individual ISPs, offices or IPs. SMTP and IMAP don't have good support for OTP and other secure authentication methods, so a good idea is to "enhance" the security by locking accounts to countries. If users travel, they have to contact customer support.

If you COULD force the end users to always use webmail, you can add TOTP to that and make things like 100x more secure.

Another way to increase security is to add the IP of the latest webmail login (with TOTP) to a database, and if users want to use IMAP/SMTP, every time they change country or ISP or ASN or similar, they have to log in to webmail once to "re-enable access".

Try to come up with something like that, because passwords are horribly insecure, and not many clients support, for example, client certificates.

-----Original Message-----
From: Niels Dettenbach via Exim-users
Sent: 5 July 2021 13:17
To: Niels Kobschätzki
Cc: exim-users@exim.org
Subject: Re: [exim] Better way to deal with phished users?

On Monday, 5 July 2021, 09:04:16 CEST, Niels Kobschätzki wrote:
> On 5 Jul 2021, at 7:54, Niels Dettenbach via Exim-users wrote:
> Phished users are users from my mail system which are proven regular users
> who have their accounts for years and whose credentials got compromised
> and are now suddenly used for sending spam- or phishing mails from my mail
> system to other systems (and in that special case they are using the
> Webmail-interface to send out mails and thus they really look like normal
> users from the point of view of the mailing system).
>
> Thus I want to prevent sending out spam/scam mails from my system to others
> (yes I already have diverse counter-measures in place but for the kind
> mentioned above they all fail and I have to intervene manually)

ouch, ok.

From my view, the primary way is to force the users to set new credentials (if you really mean access credentials - like passwords).

As a network / email operator on the internet, by "netiquette" it is your responsibility to minimize / block abusive traffic from your systems. At least some countries have regulations by law forcing you to do this (at least if you "get aware of" it).

Until then you may strongly ratelimit or block such users (if you could identify them and if it is possible with your contracts / policies) to avoid harm to others and (not least) your own email system (reputation etc.).

best regards,

niels.

--
---
Niels Dettenbach
Syndicat IT & Internet
https://www.syndicat.com
PGP: https://syndicat.com/pub_key.asc
---
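The step-up scheme Sebastian sketches above (country lock plus "log in to webmail with TOTP once after every change of country/ISP/ASN"), as an added example that is not from the thread or from Exim: a small policy object an IMAP/SMTP authenticator could consult after the password check. The users, prefixes, ASNs and the in-memory IP lookup are hypothetical stand-ins for a real GeoIP/ASN database and account store.

```python
# Added example, not from the thread or from Exim: the step-up scheme described
# above. Accounts are locked to a set of countries; password logins over
# IMAP/SMTP are accepted only from the country and ASN of the user's latest
# TOTP-protected webmail login, and a new network needs one fresh webmail login
# first. The IP table is a constructed stand-in for a GeoIP/ASN database.
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed lookup: documentation prefixes, private-use ASNs.
NETBLOCKS = [(ipaddress.ip_network("192.0.2.0/24"), "SE", 64496),
             (ipaddress.ip_network("198.51.100.0/24"), "SE", 64497),
             (ipaddress.ip_network("203.0.113.0/24"), "DE", 64498)]

def locate(ip: str) -> Tuple[str, int]:
    addr = ipaddress.ip_address(ip)
    for net, country, asn in NETBLOCKS:
        if addr in net:
            return country, asn
    return "??", 0                      # unknown address: no country, no ASN

@dataclass
class UserState:
    allowed_countries: Set[str]                        # static lock, set by support
    last_webmail: Optional[Tuple[str, int]] = None     # (country, asn) of last TOTP login

class StepUpPolicy:
    def __init__(self) -> None:
        self.users: Dict[str, UserState] = {}

    def register(self, user: str, countries: Set[str]) -> None:
        self.users[user] = UserState(set(countries))

    def webmail_totp_login(self, user: str, ip: str) -> str:
        """Call only after password + TOTP succeeded in webmail; records the
        network so password-only IMAP/SMTP logins from it are accepted."""
        country, asn = locate(ip)
        st = self.users[user]
        if country not in st.allowed_countries:
            return "deny-country"
        st.last_webmail = (country, asn)
        return "ok"

    def password_login(self, user: str, ip: str) -> str:
        """Gate for IMAP/SMTP AUTH after the password itself has been verified:
        a new network gets 'require-webmail-reauth' instead of access."""
        st = self.users.get(user)
        if st is None:
            return "deny"
        country, asn = locate(ip)
        if country not in st.allowed_countries:
            return "deny-country"
        if st.last_webmail != (country, asn):
            return "require-webmail-reauth"
        return "ok"
```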
Re: [exim] Should the taint checks apply to arguments?
Yes, because you could escape out of the argument; think of a local part containing something like "something && echo /etc/passwd". Then what's executed is:

  |/home/exim/scripts/my_script something && echo /etc/password

Fetching in the argument via an environment variable is safe (as long as you in the script don't use it for something dangerous, but that's not Exim's fault), since then you cannot use the variable to escape out of the shell.

-----Original Message-----
From: Richard Gilbert via Exim-users
Sent: 1 June 2021 12:53
To: Exim users list
Subject: [exim] Should the taint checks apply to arguments?

I understand why it is dangerous to use tainted data in constructing filenames so I can no longer run a command containing the local_part, e.g.

  data = |/home/exim/scripts/$local_part

I see that it is also an error to use, e.g.

  data = |/home/exim/scripts/my_script $local_part

In this case the script is fixed and the tainted data is being used as an argument. Is that still dangerous? The script can pick up the local_part from the LOCAL_PART environment variable.

Richard

--
Richard Gilbert
IT Services
University of Sheffield, Sheffield, S10 2FN, UK
Phone: +44 114 222 3028
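The safe pattern from this exchange, as an added example that is neither Exim's code nor the posters': the tainted local part reaches the script only through the environment (as Exim's LOCAL_PART variable does), the child is started with a fixed argv and no shell, and the script validates the value against an allow-list before using it. The inline child script is a constructed stand-in for /home/exim/scripts/my_script.

```python
# Added example, not Exim's or the poster's code: the pattern Richard asks about,
# done the way Sebastian recommends. The tainted local part reaches the script
# only through the environment (as Exim's LOCAL_PART variable does), the child
# is started with a fixed argv and no shell, so metacharacters in the value are
# inert, and the script validates the value against an allow-list before use.
# The child script is a constructed stand-in for /home/exim/scripts/my_script.
import os
import re
import subprocess
import sys
from typing import Tuple

# Allow-list for the local parts this site accepts; anything else is refused.
LOCAL_PART_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]{0,63}")

def validate_local_part(value: str) -> bool:
    """Allow-list check a script should apply to LOCAL_PART before using it."""
    return LOCAL_PART_RE.fullmatch(value) is not None

# The 'script': reads LOCAL_PART from the environment, refuses anything that
# fails the allow-list, otherwise reports what it received. (Constructed.)
CHILD_SCRIPT = r'''
import os, re, sys
v = os.environ.get("LOCAL_PART", "")
if re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._+-]{0,63}", v) is None:
    sys.stdout.write("REJECT " + repr(v))
    sys.exit(2)
sys.stdout.write("OK " + v)
'''

def run_script(local_part: str) -> Tuple[int, str]:
    """Start the script with the tainted value in the environment only.
    argv is a fixed list and shell=False, so nothing is re-parsed by a shell:
    '&&' in the value is just two characters in a string."""
    env = dict(os.environ, LOCAL_PART=local_part)
    proc = subprocess.run([sys.executable, "-c", CHILD_SCRIPT], env=env,
                          capture_output=True, text=True, check=False)
    return proc.returncode, proc.stdout

if __name__ == "__main__":
    for lp in ("richard", "something && echo /etc/passwd"):
        print(repr(lp), "->", run_script(lp))
```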
Re: [exim] RELAY NOT PERMITED exim4
I would say it's a benefit. Even if you restrict IPs to a bigger area like a country (geoIP restriction) or a whole ISP, you still reduce the attack surface MANY times.

Before, I had problems with bots hacking my passwords. They guessed them all the time. After I added IP restrictions covering all the locations I'm at, the bot hacking problem has disappeared completely. And with the username/password restriction, I can add IPs belonging to public locations or shared with many users (for example, mobile ISPs) without being afraid of any of these finding my server AND finding my password.

But bots cracking passwords to gain access are a real problem today, and IP whitelisting is a good solution to that.

IF you run for example a webhosting company, and all your customers are located in a specific country (just because the payment method only exists in that country, for example) you can geoIP restrict it to your country only. To avoid a large auth_advertise_hosts list, you can join CIDR ranges that are close to each other, even if a few out-of-country IPs are added. The important thing is to have a "rough" filtering to avoid all the bots from all over the world.

-----Original Message-----
From: Odhiambo Washington via Exim-users
Sent: 21 April 2021 15:25
To: Sebastian
Cc: Mailing List ; Douba Samuel DIARRA
Subject: Re: [exim] RELAY NOT PERMITED exim4

@Sebastian,

If you live in a world where IPs are dynamic, then you will understand my point. There is no real benefit of restricting auth to particular IPs, IMHO.

If you must restrict AUTH to just a few IPs, then you actually don't need that overhead. Just put them in relay_from_hosts and you are good.

On Wed, Apr 21, 2021 at 1:55 PM Sebastian via Exim-users <exim-users@exim.org> wrote:
> But it's still good to use "auth_advertise_hosts" to restrict which
> hosts are permitted to authenticate in addition to this.
> Else you will get bots that hack the password and then spam with your
> server.
>
> In auth_advertise_hosts, you can use CIDR notation (like
> 123.123.123.0/24) to allow large amounts of hosts in case of dynamic IPs or
> mobile terminals.
>
> So authenticated SMTP should still be IP restricted since there are
> bots out there guessing passwords (and hitting the right passwords
> sometimes and gaining access).
>
> -----Original Message-----
> From: Odhiambo Washington via Exim-users
> Sent: 21 April 2021 12:36
> To: Douba Samuel DIARRA
> Cc: exim-users@exim.org
> Subject: Re: [exim] RELAY NOT PERMITED exim4
>
> On Wed, Apr 21, 2021 at 1:24 PM Douba Samuel DIARRA via Exim-users <exim-users@exim.org> wrote:
>
> > Hello
> > I was using Exim 4, in office (different sites) but I was using
> > vsat system for interconnecting sites. I put private addresses to
> > configure exim in different sites.
> > Since I published my servers on internet, I have this kind of error
> > message and I cannot send mails. the message is : RELAY NOT PERMITED
> >
> > Need some advices please
>
> Instead of relying on IP addresses for relaying (as should be listed in
> relay_from_hosts) it is better to use ASMTP as the condition for relaying.
> So just set up authenticated SMTP and let users enable the same on
> their MUA and you are good to go.
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft.", grep ^[^#] :-)

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
Re: [exim] RELAY NOT PERMITED exim4
But it's still good to use "auth_advertise_hosts" to restrict which hosts are permitted to authenticate in addition to this. Else you will get bots that hack the password and then spam with your server.

In auth_advertise_hosts, you can use CIDR notation (like 123.123.123.0/24) to allow large amounts of hosts in case of dynamic IPs or mobile terminals.

So authenticated SMTP should still be IP restricted since there are bots out there guessing passwords (and hitting the right passwords sometimes and gaining access).

-----Original Message-----
From: Odhiambo Washington via Exim-users
Sent: 21 April 2021 12:36
To: Douba Samuel DIARRA
Cc: exim-users@exim.org
Subject: Re: [exim] RELAY NOT PERMITED exim4

On Wed, Apr 21, 2021 at 1:24 PM Douba Samuel DIARRA via Exim-users <exim-users@exim.org> wrote:
> Hello
> I was using Exim 4, in office (different sites) but I was using vsat
> system for interconnecting sites. I put private addresses to configure
> exim in different sites.
> Since I published my servers on internet, I have this kind of error
> message and I cannot send mails. the message is : RELAY NOT PERMITED
>
> Need some advices please

Instead of relying on IP addresses for relaying (as should be listed in relay_from_hosts) it is better to use ASMTP as the condition for relaying. So just set up authenticated SMTP and let users enable the same on their MUA and you are good to go.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
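The auth_advertise_hosts advice in this message and in Sebastian's follow-up above (CIDR ranges for dynamic and mobile clients, and joining ranges that are close together even if a few out-of-country addresses come along), as an added example that is neither the poster's configuration nor Exim code: a lossless collapse of the allowed prefixes, a lossy merge with an explicit bound on how many extra addresses it may admit, and the resulting Exim host list. The merge policy and the sample prefixes are my own construction.

```python
# Added example (not the poster's configuration, not Exim code): build a short
# auth_advertise_hosts list from the ranges you log in from. collapse() is
# lossless; rough_merge() joins prefixes that are close together, as the thread
# suggests, within a limit on extra addresses. Sample prefixes are constructed.
import ipaddress

def collapse(prefixes: list) -> list:
    """Lossless: drop duplicates and subsumed prefixes, join aligned pairs."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    out = []
    for ver in (4, 6):  # collapse_addresses() refuses mixed IP versions
        out.extend(ipaddress.collapse_addresses(n for n in nets if n.version == ver))
    return out

def common_supernet(a, b):
    """Smallest prefix containing both a and b (same IP version)."""
    sup = a
    while not b.subnet_of(sup):
        sup = sup.supernet()
    return sup

def rough_merge(nets: list, max_waste: float) -> list:
    """Lossy: merge neighbours into their common supernet while the share of
    that supernet they do not cover is <= max_waste (0..1)."""
    result = []
    for ver in (4, 6):
        group = sorted(n for n in nets if n.version == ver)
        changed = True
        while changed:
            changed, out, i = False, [], 0
            while i < len(group):
                if i + 1 < len(group):
                    sup = common_supernet(group[i], group[i + 1])
                    covered = group[i].num_addresses + group[i + 1].num_addresses
                    if 1 - covered / sup.num_addresses <= max_waste:
                        out.append(sup)
                        i, changed = i + 2, True
                        continue
                out.append(group[i])
                i += 1
            group = list(ipaddress.collapse_addresses(out))
        result.extend(group)
    return result

def exim_host_list(nets: list) -> str:
    """auth_advertise_hosts value; '<;' makes ';' the separator, so no colon doubling."""
    return "<; " + " ; ".join(str(n) for n in nets)

def allowed(nets: list, client_ip: str) -> bool:
    return any(ipaddress.ip_address(client_ip) in n for n in nets)

# Constructed sample: office, home ISP and mobile ISP ranges, with overlaps.
SAMPLE = ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24", "198.51.100.0/26",
          "203.0.113.0/26", "203.0.113.128/25", "2001:db8:1::/48", "2001:db8:2::/48"]
```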