Re: [Exim] Exim a Open Relay ?

Author: Glen Mehn
Date:  
To: exim-users
Subject: Re: [Exim] Exim a Open Relay ?
Reinhard Travnicek wrote:

>Hello !
>
>I am using a server with exim as a firewall front end.
>Exim is configured to accept mail only for mydomain.com
>All the mails matching @mydomain.com are then handed to an internal mail
>server.
>
>Unfortunately someone figured out that exim doesn't handle
>Email to: user%otherdom.com@??? correctly
>
>If the sender is faked to relaytest@??? and the recipient is
>user%otherdom.com@??? the mail is forwarded to the internal server.
>
>The internal server (not doing any relay checking at all) just sends the
>mail out to user%otherdom.com with a sender relaytest@???
>
>Is there a way ? Maybe a filter to stop a message already on the Exim ?
>
>TX for your help
>
>


You may want to look at the documentation for 'percent hack domains':
################

>percent_hack_domains <http://www.exim.org/exim-html-3.30/doc/html/spec_toc.html#TOC296>
>

Type: domain list
Default: unset

The `percent hack' is the convention whereby a local part containing a
percent sign is re-interpreted as a remote address, with the percent
replaced by @. This is sometimes called `source routing', though that
term is also applied to RFC 822 addresses that begin with an @
character. If this option is set, Exim implements the percent facility
for those local domains listed, but no others. The option can be set to
`*' to allow the percent hack for all local domains.

If options are set to control message relaying from incoming SMTP
envelopes, they are also applied to relaying that is requested via the
`percent hack'. See section 46.4.

################
But it sounds like you don't have your relay controls set up properly--
if your internal mail server is an open relay, and (it sounds like) exim
is sending all mail to your internal server, which is relaying it out.

I *think* that what you want to do is set

percent_hack_domains = mydomain.com

which will cause exim to:

Addresses of the form /"x%y"@z/ are treated in the same way, unless the
`percent hack' has been enabled by setting /percent_hack_domains/. In
this case, the new address (constructed from the local part by changing
the % to an @) is treated as an incoming address, and its domain is
re-tested to ensure that it complies with any relaying restrictions.

glen
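
The recipient check discussed in this message, as an added example that is not part of the original post and is not Exim's code: a simplified Python model of how a front-end relay treats `x%y@z` with and without the percent hack enabled for the local domain. The function names, the `relay_to_domains` parameter, the rightmost-`%` rewrite rule and the sample addresses are assumptions made for illustration.

```python
def split_address(addr):
    """Split an envelope address on its last '@' into (local_part, domain)."""
    local, _, domain = addr.rpartition("@")
    return local, domain.lower()


def check_recipient(rcpt, local_domains, percent_hack_domains, relay_to_domains=()):
    """Model of the relay decision for one RCPT address from an outside host.

    Returns (verdict, address_the_verdict_applies_to).
    """
    addr = rcpt
    while True:
        local, domain = split_address(addr)
        if not local or not domain:
            return ("reject: malformed address", addr)
        if domain in local_domains:
            hack_on = "*" in percent_hack_domains or domain in percent_hack_domains
            if hack_on and "%" in local:
                # Percent hack enabled: the rightmost % becomes @ and the
                # resulting address is re-tested against the relay rules.
                user, _, next_domain = local.rpartition("%")
                addr = f"{user}@{next_domain}"
                continue  # each pass removes one '%', so the loop terminates
            # Percent hack off: "x%y" is an ordinary local part and the
            # message goes to whatever host handles the local domain.
            return ("accept: local delivery", addr)
        if domain in relay_to_domains:
            return ("accept: permitted relay", addr)
        return ("reject: relaying not permitted", addr)


# Constructed sample data, modelled on the addresses in the thread.
LOCAL = {"mydomain.com"}
SAMPLES = [
    "alice@mydomain.com",
    "user%otherdom.com@mydomain.com",
    "u%otherdom.com%mydomain.com@mydomain.com",
    "bob@otherdom.com",
]

if __name__ == "__main__":
    for label, hack in (("unset", set()), ("mydomain.com", {"mydomain.com"})):
        print(f"percent_hack_domains = {label}")
        for rcpt in SAMPLES:
            print("  ", rcpt, "->", check_recipient(rcpt, LOCAL, hack))
```

With the option unset, the model passes `user%otherdom.com@mydomain.com` on unchanged as local mail, so any downstream server that applies the percent hack itself without relay checks becomes the relay.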