Re: [Exim] Relaying for a specified user

Author: Dave C.
Date:  
To: Odhiambo Washington
CC: Exim Users
Subject: Re: [Exim] Relaying for a specified user
If you do this, then ANYONE can claim to be that user (or a user in the
domain), and relay mail through your server, forging that person's
identity in the process.

The problem with a setup like this is that it doesn't verify that
the sender really is the person/company you want to relay for.

Sender relay checks should always be by IP address (which is *very*
difficult to fake), or some sort of ID/password (e.g., SMTP auth, or
pop-before-smtp, where the pop session validates the ID/password). For
roaming users, SMTP AUTH really is the best solution.

Sender email address is just too easy to forge. (In fact, it's laughably
easy - you use MS Outlook Express? Go in your Tools/Accounts/Properties,
and enter 'president@???' in the 'email address' field, and
save. There - Now you are the President of the USA. If the US government
SMTP server permits relay by sender email address [I'm sure they don't],
you could relay your mail through there too, making it look even more
like you are legitimately sending from that address.)

Relaying 'for' a domain means you accept mail that is addressed *to*
users in that domain.


On Tue, 28 Aug 2001, Odhiambo Washington wrote:

> Hello listers,
>
> I am a bit stuck with a situation that might be quite simple for the rest
> of you.
>
> I am hosting the domain "aapas.com" and so I do relay for it.
> There is a user from this domain who's travelled to the UK and he connects
> using AOL. He still has his MUA configured to use my server
> smtp.wananchi.com as his SMTP server but my server rejects his mail
> saying this (from rejectlog):
>
> 2001-08-23 12:07:46 refused relay (host) to <some@???>
> from <user@???> H=(wlori080) [172.188.137.254]
>
>
> Is there a way I can allow relay for some specific users (without
> involving AUTH)? Something like
>
> sender_accept_relay = lsearch;/some/file
>
> Forgive my stupidity ;-)
>
>
> -Wash
>
> --
> Odhiambo Washington
> Wananchi Online Ltd.,
> wash@??? 1st Flr Loita Hse.
> Tel: 254 2 313985 Loita Street.,
> Fax: 254 2 313922 PO Box 10286,00100-NAIROBI,KE.
>
> If scientific reasoning were limited to the logical processes of arithmetic,
> we should not get very far in our understanding of the physical world. One
> might as well attempt to grasp the game of poker entirely by the use of the
> mathematics of probability.
> -Vannevar Bush
> (contributed by Chris Johnston)
>


--
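
The relay decision discussed in this thread, modeled as an added example that is not part of the original messages and is not Exim code: a sender-list policy is compared with the IP-or-authentication policy the reply recommends, over constructed SMTP sessions. All domains, addresses and names (`hosted.example`, `LISTED_SENDERS`, and so on) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# All domains, addresses and users below are constructed for this example.
LOCAL_DOMAINS = {"hosted.example"}                    # we accept mail *to* these
RELAY_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # our own client network
LISTED_SENDERS = {"roamer@hosted.example"}            # the tempting sender list

@dataclass
class Session:
    peer_ip: str               # read from the TCP connection by the server
    auth_user: Optional[str]   # set only after a successful SMTP AUTH
    mail_from: str             # typed by the client in MAIL FROM
    rcpt_to: str               # typed by the client in RCPT TO

def is_local_rcpt(s):
    return s.rcpt_to.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS

def relay_by_sender(s):
    """Weak policy: trusts the envelope sender the client supplied."""
    return is_local_rcpt(s) or s.mail_from.lower() in LISTED_SENDERS

def relay_by_host_or_auth(s):
    """Policy from the reply: connection IP or a verified login only."""
    ip = ipaddress.ip_address(s.peer_ip)
    return (is_local_rcpt(s) or s.auth_user is not None
            or any(ip in net for net in RELAY_NETS))

SESSIONS = {
    "roamer, no AUTH": Session("198.51.100.7", None,
                               "roamer@hosted.example", "friend@elsewhere.example"),
    "forged sender":   Session("203.0.113.9", None,
                               "roamer@hosted.example", "someone@elsewhere.example"),
    "roamer, AUTH":    Session("198.51.100.7", "roamer",
                               "roamer@hosted.example", "friend@elsewhere.example"),
    "local pool host": Session("192.0.2.15", None,
                               "staff@hosted.example", "friend@elsewhere.example"),
    "inbound mail":    Session("203.0.113.50", None,
                               "stranger@elsewhere.example", "roamer@hosted.example"),
}

def evaluate():
    """Map each session to (sender-list verdict, host-or-auth verdict)."""
    return {n: (relay_by_sender(s), relay_by_host_or_auth(s))
            for n, s in SESSIONS.items()}

if __name__ == "__main__":
    for name, (weak, strong) in evaluate().items():
        print(f"{name:16} sender-list={weak!s:5} host-or-auth={strong}")
```

The first two sessions differ only in connection address, so the sender-list policy cannot tell the travelling user from anyone else who types the same MAIL FROM; only the authenticated session separates them.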