[Exim] my server is used as an open relay, need help

Author: volker
Date:  
To: v.augustin, exim-users
Subject: [Exim] my server is used as an open relay, need help
Hi out there,
I need some help with my configuration of Exim 4.
I checked the internet, but now I'm more confused than before...
I'm an absolute beginner in mail... working nights on compiling exim4 and
setting up a working configuration with exim4 and postgres and
courier-imap... it's working now! (I'm very happy :))

But now my problem is... my server was ...or is still used as an open
relay, and I see the spam in the logfile... Can anybody help me with how to
set up an ACL or authentication that denies relaying over my SMTP host? I'm
hosting some domains on it, and have some MX entries pointing to a fixed IP... (I
got five IPs and exim is working fine with just one of them :)
OK, what I want to do is check the sender against his helo_name
($sender_helo_name) listed in my domain table in the postgres database...
Authentication with SMTP is working fine with these conditions.. but I
don't know exactly how ACLs work....
Can anybody help me? Could you send me a sample ACL?
I would be grateful :)

Especially, I have the problem that most parts of the exim4 spec are using
invalid syntax... and unknown keywords (? I tried them out but still get errors
with most of them)

I appended my exim4 config to the mail, I will try, this is my first
posting to the list....

...working hard ...
volker


#### etc/configure for exim4 #####

###make connection to postgres
hide pgsql_servers = localhost::PORT/DATABASE/USER/PASSWD

#I don't need this, I think :), my default hostname is fine :)
#primary_hostname = tomcat.mydomain.de

####looking up my domains in a postgres database... yeah, I needed 5 days until I knew how to do so....
domainlist local_domains = @:${lookup pgsql{SELECT domain FROM domain WHERE aktiv=1 and localdomain=0}{$value}fail}

domainlist relay_to_domains = *
hostlist relay_from_hosts = 127.0.0.1

acl_smtp_rcpt = acl_check_rcpt

###that's cool.... lol
#host_reject_connection = *

# qualify_domain =
# qualify_recipient =
# allow_domain_literals

###has no effect....:
tls_certificate = /home/Exim/etc/ca.crt
tls_privatekey = /home/Exim/etc/ca.key
tls_verify_hosts = *

###doesn't work for exim4! hmpf!!!
#tls_verify_ciphers = DES-CB3-SHA:IDEA-CBC-MD5
#auth_over_tls_hosts = *

never_users = root

host_lookup = *

rfc1413_hosts = *
rfc1413_query_timeout = 30s

# sender_unqualified_hosts =
# recipient_unqualified_hosts =
# percent_hack_domains =

ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d

######ACL#######
begin acl

acl_check_rcpt:

####oh oh, what does all this mean? I figured out some conditions ... , they are working....hmmmm, but I don't know exactly what they will really do....(???????)
# trying to verify sender and set up a condition, but relaying is still possible :((
  accept  hosts = :
  deny    local_parts   = ^.*[@%!/|]
  require condition = "${if and { \
                        {!eq{$sender_helo_name}{}} \
                        {!eq{$domain}{}} \
                        {eq{$sender_helo_name}{${lookup pgsql{SELECT domain FROM domain WHERE domain='$sender_helo_name' limit 1}{$value}fail}}} \
                        } {yes}{no}}"


  accept  local_parts   = postmaster
          domains       = +local_domains
  require verify        = sender



# trying to verify sender and set up a condition, but relaying is still possible :((
  accept  domains       = +local_domains
          endpass
          message       = unknown user
          verify        = sender : recipient
   require condition = "${if and { \
                        {!eq{$sender_helo_name}{}} \
                        {!eq{$domain}{}} \
                        {eq{$sender_helo_name}{${lookup pgsql{SELECT domain FROM domain WHERE domain='$sender_helo_name' limit 1}{$value}fail}}} \
                        } {yes}{no}}"




# trying to verify sender and set up a condition, but relaying is still possible :((
 accept  domains       = +relay_to_domains
 require condition = "${if and { \
                        {!eq{$sender_helo_name}{}} \
                        {!eq{$domain}{}} \
                        {eq{$sender_helo_name}{${lookup pgsql{SELECT domain FROM domain WHERE domain='$sender_helo_name' limit 1}{$value}fail}}} \
                        } {yes}{no}}"
#         endpass
          message       = unrouteable address
          verify        = recipient : sender


#hmmmm... is this my problem? I try all my ACLs with auth-smtp with netscape, but in the logfiles I see a lot of relaying mails
accept authenticated = *

# trying to verify sender and set up a condition, but relaying is still possible :((
  accept  hosts         = +relay_from_hosts
#         senders = mydomain@anotherhostwithanothersmtp\.de
# require condition = "${if and { \
#                       {!eq{$sender_helo_name}{}} \
#                       {!eq{$domain}{}} \
#                       {eq{$sender_helo_name}{${lookup pgsql{SELECT domain FROM domain WHERE domain='$sender_helo_name' limit 1}{$value}fail}}} \
#                       } {yes}{no}}"
  deny    message       = relay not permitted




########ROUTERS########
begin routers

###the system aliases....it seems that I should not delete this section? hmmm....
system_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/aliases}}
user = exim
file_transport = address_file
pipe_transport = address_pipe

####disabled for now!
#userforward:
# driver = redirect
# check_local_user
# file = $home/.forward
# no_verify
# no_expn
# check_ancestor
## allow_filter
# file_transport = address_file
# pipe_transport = address_pipe
# reply_transport = address_reply

###for local-users with shell account
localuser:
driver = accept
domains = @
check_local_user
transport = local_delivery

###ok, working fine, I'm looking for local domains with a registered mailbox account in the database
virtual_known_local_user:
    driver = accept
    domains = ${lookup pgsql {select domain from domain where domain='$domain' and id=(select domain_id from account where name='$local_part' and domain_id=(select id from domain where domain='$domain' and aktiv=1 and localdomain=0)and aktiv=1 and is_alias=0) and aktiv=1 and localdomain=0}{$value}fail}
    transport = virtual_delivery



###this is working fine if the rcpt is to a local domain, but not in the database now...
######this is only because I'm just figuring out how to manage aliases with postgres ;)
virtual_local_user:
    driver = accept
    domains = ${lookup pgsql {select domain from domain where domain='$domain' and aktiv=1 and localdomain=0 limit 1}{$value}fail}
    transport = virtual_delivery


###I think that's ok
dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more


#######TRANSPORTS########
begin transports
remote_smtp:
  driver = smtp
    ###do I need some ACLs here?
    ###what the hell is the syntax for exim 4??????


#mail for local users delivered into a maildir
local_delivery:
    driver = appendfile
    create_directory = true
    directory_mode = 700
    directory = /home/2nd/spool/Maildir/.localhost/${local_part}/
    user = exim
    group = $local_part
    maildir_format
    mode = 0660
    delivery_date_add
    envelope_to_add
    return_path_add


virtual_delivery:
    driver = appendfile
    create_directory = true
    directory_mode = 700
    directory = /home/2nd/spool/Maildir/.virtual/${domain}/${local_part}/
    user = exim
    group = exim
    maildir_format
    mode = 0660
    delivery_date_add
    envelope_to_add
    return_path_add


address_pipe:
driver = pipe
return_output

address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add

address_reply:
driver = autoreply

######################################################################
#                      RETRY CONFIGURATION                           #
######################################################################


begin retry

# This single retry rule applies to all domains and all errors. It specifies
# retries every 15 minutes for 2 hours, then increasing retry intervals,
# starting at 1 hour and increasing each time by a factor of 1.5, up to 16
# hours, then retries every 6 hours until 4 days have passed since the first
# failed delivery.

# Domain               Error       Retries
# ------               -----       -------


*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h




######################################################################
#                      REWRITE CONFIGURATION                         #
######################################################################


# There are no rewriting specifications in this default configuration file.

begin rewrite
#no rewrites for now....


######################################################################
#                   AUTHENTICATION CONFIGURATION                     #
######################################################################


# There are no authenticator specifications in this default configuration file.

begin authenticators

###this fixed plaintext-authentication is working fine with netscape :)
#plain_fixed:
#    driver = plaintext
#    public_name = PLAIN
#    client_send = \
#       "^username^password"
#    server_condition = \
#       ${if and {{eq{$2}{send}}{eq{$3}{mail}}}{yes}{no}}


###this postgres-based plaintext-authentication is working fine with netscape :)
db_plain_auth:
    driver = plaintext
    public_name = PLAIN
    client_send = \
        "^username^password"


   server_condition = "${if and { \
                        {!eq{$2}{}} \
                        {!eq{$3}{}} \
                        {eq{$3}{${lookup pgsql{SELECT passwd FROM account WHERE account='$2' limit 1}{$value}fail}}} \
                        } {yes}{no}}"



### I didn't test the md5 section, just wrote it in
md5_fixed:
    driver = cram_md5
    public_name = CRAM-MD5
        #here I am using 'send' and 'mail' as user and password ;-)
    client_name = "send"
    client_secret = "mail"


### I didn't test the login section
login_fixed:
    driver = plaintext
    public_name = LOGIN
    server_prompts = "User Name : Password"
    client_send = \
        "^username^password"
        #here I am using 'send' and 'mail' as user and password ;-)
    server_condition = \
        ${if and {{eq{$1}{send}}{eq{$2}{mail}}}{yes}{no}}




# End of Exim configuration file
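
A sample relay ACL of the kind the post asks for, as an added example (not the poster's configuration and not taken from the Exim distribution): relaying is granted only to authenticated clients and to hosts in `relay_from_hosts`, never on the basis of `$sender_helo_name`, which the connecting client chooses freely, and every condition is a continuation line of its own `accept`/`deny` verb rather than a separate `require` after it. Assumptions: `+local_domains` and the `account` table are the ones defined in the post, `$2`/`$3` carry the PLAIN login and password as in the post, and TLS is already working so that AUTH can be limited to encrypted sessions.

```exim
# Added example; not the poster's file. Only whole-line comments are used,
# because Exim treats "#" as a comment only at the start of a line.

# --- main section ---
# Empty list: this host relays to no foreign domain by destination alone.
domainlist relay_to_domains =
hostlist   relay_from_hosts = 127.0.0.1
acl_smtp_rcpt = acl_check_rcpt
# Offer AUTH only inside TLS, since PLAIN sends the password unprotected.
tls_advertise_hosts = *
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

begin acl

acl_check_rcpt:
  # Mail injected locally (not over TCP/IP) has an empty host field.
  accept  hosts         = :

  deny    message       = restricted characters in address
          local_parts   = ^.*[@%!/|]

  # Hosted domains: any client may deliver, but the mailbox must verify.
  accept  domains       = +local_domains
          endpass
          message       = unknown user
          verify        = recipient

  # Any other destination is relaying: allow it for authenticated
  # clients and for listed hosts only.
  accept  authenticated = *
  accept  hosts         = +relay_from_hosts

  # Nothing above matched, so this is an unauthorised relay attempt.
  deny    message       = relay not permitted

begin authenticators

db_plain_auth:
  driver           = plaintext
  public_name      = PLAIN
  # quote_pgsql escapes the client-supplied login before it enters the SQL.
  server_condition = ${if and { {!eq{$2}{}} {!eq{$3}{}} \
      {eq{$3}{${lookup pgsql{SELECT passwd FROM account \
        WHERE account='${quote_pgsql:$2}' LIMIT 1}{$value}fail}}} }{yes}{no}}
  server_set_id    = $2
```

Running `exim -bh` with a test client address simulates an SMTP session from that host and shows which ACL statement accepts or denies each RCPT, without delivering anything.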