Re: [Exim] rejecting mail to system accounts from outside

Author: Nico Erfurth
Date:  
To: Jeremy C. Reed
CC: exim-users
Subject: Re: [Exim] rejecting mail to system accounts from outside
Jeremy C. Reed wrote:
> Some spammers send mail to system accounts like sync or usenet (often with
> forged sender with local hostname).
>
> Also, in most situations, mail to "root" would only originate from an
> organization's own systems.
>
> Anyone want to share ideas for rejecting mail that originates from remote
> mailers that are sent to system accounts, like news or sync?
>
> I am thinking that I could just remove all these unneeded users and
> aliases, but then I would need to check for each OS upgrade.
>
> Or just /dev/null the mail. Or :fail: the mail.
>
> But, maybe someday some system cron job or other local tool will email to
> one of these accounts. So maybe I should use a filter or something to
> determine if the mail originated locally and then only accept it.
>
> What do you do?


Maybe an ACL condition like this would help in your rcpt_acl

    # Applies only to hosts that are NOT in your relay_hosts list.
    # lsearch returns the passwd line after "name:", so the UID is field 2
    # of the lookup data; the rule denies when 500 > uid. A local part with
    # no /etc/passwd entry yields an empty UID field; leave those to
    # recipient verification rather than to this condition.
    deny message   = "No external messages to $local_part allowed"
         hosts     = ! +relay_hosts
         condition = "${if > {500} {${extract {2} {:} {${lookup {$local_part} lsearch {/etc/passwd}}}}}{yes}{no}}"


relay_hosts is your hostlist with hosts allowed to relay (must include
localhost).
The condition looks up the UID of the user and compares it with 500; if
the UID is smaller than 500 the mail will be rejected.

This works as long as all your system accounts are below UID 500.

ciao
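Added example, not Nico's code and not Exim's own expansion engine: a small Python model of the lookup, extract and compare chain in the ACL above, run over constructed /etc/passwd lines, so you can check why the UID is field 2 of the lsearch data and which local parts the rule denies for non-relay hosts.

```python
# Model of the Exim ACL condition from the post (not Exim's own code).
SYSTEM_UID_LIMIT = 500

# Constructed sample /etc/passwd content, not taken from any real system.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
usenet:x:9:9:news:/var/spool/news:/bin/sh
jeremy:x:1000:1000:Jeremy:/home/jeremy:/bin/sh
"""


def lsearch(key, text):
    """Model of Exim's lsearch: first line whose key (up to ':') matches;
    the data is the rest of the line after the colon, empty if not found."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if name == key:
            return rest.lstrip()
    return ""


def extract(n, sep, s):
    """Model of ${extract{n}{sep}{s}}: 1-based field, empty when missing."""
    fields = s.split(sep)
    return fields[n - 1] if 0 < n <= len(fields) else ""


def uid_field(local_part, passwd=SAMPLE_PASSWD):
    # lsearch already stripped "name:", so the UID is field 2 of its data.
    return extract(2, ":", lsearch(local_part, passwd))


def deny_external(local_part, host_is_relay, passwd=SAMPLE_PASSWD):
    """Return (deny, reason). host_is_relay models 'hosts = ! +relay_hosts'.
    deny is True/False for the rule's verdict, None when the local part has
    no passwd entry and the rule cannot decide (leave to recipient verify)."""
    if host_is_relay:
        return False, "relay host, rule not applied"
    uid = uid_field(local_part, passwd)
    if uid == "":
        return None, "no /etc/passwd entry; nothing for the rule to compare"
    if int(uid) < SYSTEM_UID_LIMIT:
        return True, f"No external messages to {local_part} allowed"
    return False, f"uid {uid} is not a system account"
```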