Re: [Exim] Using two ports for traffic

Author: Phil Pennock
Date:
To: Kevin Reed, Exim Users Mailing List
Subject: Re: [Exim] Using two ports for traffic

On 2002-01-19 at 19:20 -0700, Kevin Reed wrote:
> Digging through the documents, it appears that I can do this with
> exim options like:
>
>     exim -bd -oX 8025 -C different_config_file


The different_config_file can use the daemon_smtp_port option, and then
you don't need the "-oX 8025" either.

> This would start an exim daemon on port 8025 using a different config
> file than what the currently running standard port one would be.
>
> Sounds simple enough...
>
> However, I seem to recall when I was looking for something else in
> the Exim archives, that there could be a problem with attempting to
> do it like this.
>
> I see where a lot of people have asked (normally for testing
> purposes) but I'd like to find out if someone is actively doing this.
> And what problems they may have run into.


It depends on what happens with the delivery; if the mail gets left in
the spool for a later queue-runner, then the queue-runner will use
whatever config _it_ was started with, not the config of the Exim which
dropped the mail into the spool.

If you use spool_directory to change the spool directory, then, as
documented for that option (Exim Spec, section 11), there can be
problems, depending upon how you configured logging.

I think that the consensus has been that if you want different configs,
which vary significantly (eg, different routers), then it's better to
do two builds.


Oh -- if you allow arbitrary IPs to use that port 8025 as a smarthost,
then be aware that spammers _will_ find it. We're currently seeing
spammers abuse open relays (latest MS IMS Exchange seems to be
defaulting to open relay, still :^( ), abusing open SOCKS proxies and
scanning for vulnerable formmail.pl scripts on our web-hosting servers
(Matt's Script Archive formmail.pl). That's just the "routine" stuff --
if something _can_ be abused to spam, it will be, and it will be coded
into some spamming tool. Spammers are now scanning blatantly, in ways
which are probably already illegal, for security holes (as opposed to
the "open service, access => authorisation" argument they promote).

So if this is just a different port to allow easy relaying, then forget
it. Put IP-based restrictions in, or use authenticated SMTP. Sorry,
but thank the spammers for making life so much harder for the world's
mailadmin.
--
Virus (n.):
Self-replicating, damaging software fragment, proving that if something
is stupid enough, but possible, someone will do it.
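
Added illustration of the closing advice in the message above (IP-based restrictions or authenticated SMTP); it is not part of Phil Pennock's message. It is a configuration fragment for the second daemon written in Exim 4 ACL syntax, which is an assumption because the thread does not state a version. The list names, the example.org domain and the 192.0.2.0/24 network are constructed placeholders.

```conf
# Constructed fragment for the config file given to the port-8025 daemon
# (Exim 4 syntax assumed; names and addresses are placeholders).

# Listen on the alternate port, so "-oX 8025" is not needed.
daemon_smtp_ports = 8025

# Domains this host accepts mail for, and clients allowed to relay.
domainlist local_domains    = example.org
hostlist   relay_from_hosts = 127.0.0.1 : 192.0.2.0/24

# Run this ACL for every RCPT command.
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Mail addressed to our own domains is accepted from any client.
  accept  domains       = +local_domains

  # Relaying to other domains: only from the listed client networks ...
  accept  hosts         = +relay_from_hosts

  # ... or from clients that have completed SMTP AUTH.
  accept  authenticated = *

  # Anything else is refused, so the extra port is not an open relay.
  deny    message       = relay not permitted
```

The `authenticated` condition can only match once an authenticators section is configured for this daemon. Because a later queue-runner uses its own config, as the message notes, the restriction has to be enforced here at RCPT time, before the mail reaches the spool.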