Re: [Exim] blocking forged sender addresses (exim v3)

Author: Odhiambo G. Washington
Date:  
To: exim-users
Subject: Re: [Exim] blocking forged sender addresses (exim v3)
* Greg Ward <gward@???> [20020917 04:15]: wrote:
> On 16 September 2002, Adrian Bridgett said:
> > I'd like to restrict this so that it doesn't accept emails from the internet
> > with my domain (or localhost) as the sender. However I still want to accept
> > emails from internal machines with such sender addresses.
>
> Switch to Exim 4 and do it with an ACL statement. Here's how I do it:
>
>   deny    hosts   = !127.0.0.1 : !+relay_hosts
>           senders = mydomain.org
>           senders = !+allowed_local_addrs
>           message = forged sender address
>
> where allowed_local_addrs is a list of email addresses that *are*
> allowed to be claimed in MAIL FROM from any host, eg.
>
> addresslist allowed_local_addrs = user1@??? : user2@???
>
> Exim 4 is just *so* much more flexible.



Hello Greg,


Please allow me to chip in my input. This thread seems quite interesting.
I am running Exim-4.10 and would be so happy with your idea, because many
times I do receive e-mails from (myself) - wash@???, even though
I did not send them ;-)
Mostly I am left speechless as to how I can prevent someone masquerading
as me.

Your idea looks quite nice, until you have thousands of addresses, both real
system users and virtual accounts:

Maybe there is a better way out somewhere.

I was thinking along these two lines:

1. One can generate a list of all the local parts from the local passwd file
and do some lookup (lsearch/dbm) on that ..
I see a major problem here if you have virtual users/domains on this box.

2. Do some direct lookups on the passwd files that you have on the server - hmm,
/etc/passwd, mysql or the other files for virtual domains....
There is a sacrifice on this also because of those extra lookups..you may even
have to use some scripts, which portend even more resource sacrifices.

Actually, I'd be interested in knowing how others are dealing with this in an
ISP environment where you have thousands of local user accounts as well as
virtual users.



-Wash

--
Odhiambo Washington   <wash@???>  "The box said 'Requires
Wananchi Online Ltd.  www.wananchi.com      Windows 95, NT, or better,'
Tel: +254 2 313985-9  +254 2 313922         so I installed FreeBSD."
GSM: +254 72 743223   +254 733 744121       This sig is McQ!  :-)



Yesterday I was a dog.  Today I'm a dog.  Tomorrow I'll probably still
be a dog. Sigh!  There's so little hope for advancement.
        -- Snoopy
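
The decision made by the ACL statement quoted in this message can be modelled outside Exim to see which MAIL FROM / host combinations it rejects. The following is an added example, not code from the thread or from Exim; the domains, networks and the exception address are constructed, and the matching is a simplification of Exim's list semantics.

```python
import ipaddress

# Constructed sample policy data (assumptions, not values from the thread).
LOCAL_DOMAINS = {"example.org", "localhost"}       # stands in for "mydomain.org"
RELAY_NETS = [ipaddress.ip_network(n)              # 127.0.0.1 plus +relay_hosts
              for n in ("127.0.0.1/32", "192.0.2.0/24")]
ALLOWED_LOCAL_ADDRS = {"roaming@example.org"}      # +allowed_local_addrs


def is_trusted_host(host_ip):
    """True for loopback and for hosts inside the relay networks."""
    ip = ipaddress.ip_address(host_ip)
    return any(ip in net for net in RELAY_NETS)


def check_mail_from(host_ip, sender):
    """Return ("deny", message) or ("accept", None) for one MAIL FROM."""
    # Null sender (bounces) or unqualified sender: no domain to compare,
    # so the deny rule does not apply (qualification is not modelled here).
    if "@" not in sender:
        return ("accept", None)
    local_part, _, domain = sender.rpartition("@")
    address = f"{local_part}@{domain}".lower()     # caseless comparison
    domain = domain.lower().rstrip(".")

    # hosts = !127.0.0.1 : !+relay_hosts  -> rule only applies to outsiders
    if is_trusted_host(host_ip):
        return ("accept", None)
    # senders = mydomain.org              -> only local-domain senders
    if domain not in LOCAL_DOMAINS:
        return ("accept", None)
    # senders = !+allowed_local_addrs     -> listed exceptions pass
    if address in ALLOWED_LOCAL_ADDRS:
        return ("accept", None)
    return ("deny", "forged sender address")


if __name__ == "__main__":
    cases = [("203.0.113.7", "wash@example.org"),
             ("192.0.2.10", "wash@example.org"),
             ("203.0.113.7", "roaming@example.org"),
             ("203.0.113.7", "someone@elsewhere.example")]
    for host, sender in cases:
        print(host, sender, check_mail_from(host, sender))
```

In this model the per-address list holds only the exceptions; every other sender is decided by its domain and by the connecting host.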