RE: [Exim] Exim failing relay test :-(

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Phillips, Alan
Date:  
À: 'exim-users@exim.org'
CC: Patterson, Norman
Sujet: RE: [Exim] Exim failing relay test :-(
> > rcpt to: <user%hotmail.com@???>
> >    250 <user%hotmail.com@???> verified

>
> > unix.lancs.ac.uk is a local machine not listed in local_domains
>
> ... so therefore all Exim can check is the domain unix.lancs.ac.uk. If
> it cannot check that "user%hotmail.com" is an invalid local part, what
> else can it do but pass the message on?
>
> This @ and % business is really winding people up unnecessarily. Unless
> you set percent_hack_domains somewhere - which is *not* recommended,
> these characters in local parts are no different to any other characters
> in local parts.
>

Yes for Exim; not necessarily true for downstream machines which we wanted to
protect - sendmail does percent hack routing, I think?

> > So are we wrong in expecting that Exim can/will/should do this protection
> of
> > downstream systems? We're going to hit a lot of political flak if it
> can't....
>
> If you want to check valid local parts of downstream systems, then you
> have to have the list of local parts available so that you can check
> them. I think that is unassailable logic. :-)
>

Yes, you're right in terms of validating explicitly, of course. Prior to moving
to Exim, we had set up a system that parsed any source routed or percent hack
format address, and blocked them if _any_ off site domain appeared in them
anywhere - we assumed that downstream machines _would_ implement relaying with
any form of relay address (we have some that do) and could _not_ be fixed (we
have some that can't). Catching relay attempts centrally in the hubs protected
these machines, and also stopped squillions of NDRs being generated from
sending to downstream machines that _were_ secure.

As you explain, Exim isn't designed to do that with the routing checks, which
is fair enough. We're talking about different concepts and levels of
protection.

> If you simply want to do something crude such as ban all local parts
> containing % and @ you could stuff in a verifying router such as
>
> no_percent_or_at_ever_verifies:
> driver = domainlist
> verify_only
> verify_fail
> domains = *.lancs.ac.uk
> local_parts = ^.*[%@]
> route_list = *
>
> That's off the top of my head. I haven't tested it. However, personally,
> I don't see that it gains you very much except brownie points. It
> doesn't stop mail to unknownuser@??? getting through.
>

Yes, I think that would do us very nicely! We'll try it out and give some
feedback.

Thanks! I guess we are probably (a) paranoid and (b) cursed with a political
and management structure that forces us to service machines downstream without
authority over how they are run. Sigh.

Alan