Author: Odhiambo Washington
Date:
To: Dave C.
CC: Exim Users
Subject: Re: [Exim] Relaying for a specified user
* Dave C. <djc@???> [20010828 18:36]: writing on the subject 'Re: [Exim] Relaying for a specified user' |
| If you do this, then ANYONE can claim to be that user (or a user in the
| domain), and relay mail through your server, forging that person's
| identity in the process.
|
| The problem with a setup like this is that it doesn't verify that
| the sender really is the person/company you want to relay for.
|
| Sender relay checks should always be by IP address (which is *very*
| difficult to fake), or some sort of ID/password (eg, SMTP auth, or
| pop-before-smtp, where the pop session validates the ID/password). For
| roaming users, SMTP AUTH really is the best solution.
|
| Sender email address is just too easy to forge. (In fact, it's laughably
| easy - you use MS Outlook Express? Go in your Tools/Accounts/Properties,
| and enter 'president@???' in the 'email address' field, and
| save. There - Now you are the President of the USA. If the US government
| SMTP server permits relay by sender email address [I'm sure they don't],
| you could relay your mail through there too, making it look even more
| like you are legitimately sending from that address.)
|
| Relaying 'for' a domain means you accept mail that is addressed *to*
| users in that domain.
This _thoroughly_ makes sense to me and that is why I am now going the
AUTH way.
Sort of good programming skills, now I believe that if the perms on the
master.passwd aren't gonna allow Exim to read it, then a small script
(let's call it auth) can help me out. All I need to get is a Makefile with
commands to extract the username:encryptedpasswd pair and update a file
which Exim will read, instead of the master.passwd.
Every time I add a new user to the system, I'll need to go into the dir
with the Makefile and type 'make' - a bit easy, yes?
|
|
| On Tue, 28 Aug 2001, Odhiambo Washington wrote:
|
| > Hello listers,
| >
| > I am a bit stuck with a situation that might be quite simple for the rest
| > of you.
| >
| > I am hosting the domain "aapas.com" and so I do relay for it.
| > There is a user from this domain who's travelled to the UK and he connects
| > using AOL. He still has his MUA configured to use my server
| > smtp.wananchi.com as his SMTP server but my server rejects his mail
| > saying this (from rejectlog):
| >
| > 2001-08-23 12:07:46 refused relay (host) to <some@???>
| > from <user@???> H=(wlori080) [172.188.137.254]
| >
| >
| > Is there a way I can allow relay for some specific users (without
| > involving AUTH)? Something like
| >
| > sender_accept_relay = lsearch;/some/file
| >
| > Forgive my stupidity ;-)
| >
| >
| > -Wash
| >
| > --
| > Odhiambo Washington
| > Wananchi Online Ltd.,
| > wash@??? 1st Flr Loita Hse.
| > Tel: 254 2 313985 Loita Street.,
| > Fax: 254 2 313922 PO Box 10286,00100-NAIROBI,KE.
| >
| > If scientific reasoning were limited to the logical processes of arithmetic,
| > we should not get very far in our understanding of the physical world. One
| > might as well attempt to grasp the game of poker entirely by the use of the
| > mathematics of probability.
| > -Vannevar Bush
| > (contributed by Chris Johnston)
| >
|
| --
|
|
Beauty is a form of genius - is higher, indeed, than genius, as it needs no
explanation. It is of the great facts in the world like sunlight, or
springtime, or the reflection in dark water of that silver shell we call the
moon.
-Oscar Wilde
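
The approach described in the reply above (pull the username:encryptedpasswd pairs out of master.passwd into a separate file for Exim to read), written as a shell function that a Makefile target could call. This is an added example, not part of the original message; the output file name `exim.auth`, the UID cutoff of 1000 and the optional group argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build a user:hash file for SMTP AUTH
# lookups from a master.passwd-format file, instead of opening up master.passwd.

# extract_auth_pairs SRC DEST [MIN_UID] [GROUP]
# GROUP is a hypothetical group the mail daemon runs under; if given, the
# output becomes group-readable (0640), otherwise it stays owner-only (0600).
extract_auth_pairs() {
    src=$1; dest=$2; min_uid=${3:-1000}; grp=${4:-}
    tmp=$(mktemp "${dest}.XXXXXX") || return 1    # created with mode 0600
    # Fields: name:password:uid:gid:class:change:expire:gecos:home:shell
    # Skip comments, short lines, system uids, empty passwords, and
    # entries whose password field starts with "*" or "!" (no login / locked).
    if awk -F: -v min="$min_uid" '
            /^#/ || NF < 10          { next }
            $3 < min                 { next }
            $2 == "" || $2 ~ /^[*!]/ { next }
            { print $1 ":" $2 }
        ' "$src" > "$tmp" &&
        { [ -z "$grp" ] || { chgrp "$grp" "$tmp" && chmod 0640 "$tmp"; }; }
    then
        mv -f "$tmp" "$dest"    # atomic replace: readers never see a partial file
    else
        rm -f "$tmp"; return 1
    fi
}

# Demo on constructed data (the hashes are made-up placeholders).
demo_dir=$(mktemp -d) || exit 1
cat > "$demo_dir/master.passwd" <<'EOF'
# constructed sample
root:$2b$04$ROOTHASHPLACEHOLDER:0:0::0:0:Charlie &:/root:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$2b$04$ALICEHASHPLACEHOLDER:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*LOCKED*$2b$04$BOBHASHPLACEHOLDER:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol::1003:1003::0:0:Carol:/home/carol:/bin/sh
EOF
extract_auth_pairs "$demo_dir/master.passwd" "$demo_dir/exim.auth"
cat "$demo_dir/exim.auth"
```

The output file holds password hashes, so it needs the same care as master.passwd: readable only by root and the account Exim runs as.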