Re: [Exim] blocking forged sender addresses (exim v3)

Author: Greg Ward
To: exim-users
Subject: Re: [Exim] blocking forged sender addresses (exim v3)
On 17 September 2002, Dr Andrew C Aitchison said:
> Do you not find that this blocks genuine messages which are sent from
> your system to an external address and then redirected back to you,
> eg by an alias at the far end, or through a mailing list (one which
> doesn't change the from address to something like mail-list-admin) ?


Yes, it did -- so I added another ACL statement to worm around that.
This is of course *totally* site-specific to python.org, so let me
explain the context:

  * mail.python.org exists mainly to serve mailing lists
  * a handful of people have personal @python.org addresses
    and use them
  * one of these people also has an address, call it user@???,
    that just forwards to his python.org address
  * user@??? is subscribed to (say) foo-list@???
  * so when foo-list sends mail to user@???,
    example.net's outgoing MTA turns around and presents the message
    right back to mail.python.org, with an envelope sender of
    foo-list-admin@???.


So, before my "forged sender address" ACL statement, I have a statement
to accept such traffic, roughly:

  accept  hosts   = mail.example.net
          senders = *-admin@??? : ^.*-bounces@python\.org
          domains = +local_domains
          verify  = sender
          verify  = recipient


Interesting points here:
  * the "*-admin" is for Mailman 2.0 lists, and ".*-bounces" is
    for Mailman 2.1 lists (there are some of each)
  * checking the domain and verifying sender and recipient is necessary
    because this "accept" is fairly early in my RCPT ACL -- it comes
    before anti-relaying, sender verification, and recipient
    verification.  So I have to duplicate those checks here to prevent
    being bamboozled by e.g. an envelope sender bogus-admin@???


You really can have a lot of fun with ACLs...

        Greg
--
Greg Ward <gward@???>                         http://www.gerg.ca/
Outside of a dog, a book is man's best friend.
Inside of a dog, it's too dark to read.
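The ordering Greg describes, written out as a complete RCPT ACL so the three pieces can be seen together. This is an added example, not Greg's python.org configuration or anything from the Exim distribution; it uses Exim 4 ACL syntax (the same syntax as the fragment quoted above), keeps mail.example.net as the forwarder's MTA and python.org as the list domain from the post, and assumes the named lists local_domains and relay_from_hosts from Exim's stock configuration. The shape of the "forged sender" deny statement is my assumption, since Greg does not quote his.

```exim
# Added example in Exim 4 ACL syntax; not Greg Ward's real configuration.
# Assumed names: mail.example.net (the remote forwarder's MTA), python.org
# (the list server's own domain), and the named lists local_domains and
# relay_from_hosts from Exim's default configuration file.

acl_check_rcpt:

  # 1. Let the remote forwarder hand list traffic straight back to us.
  #    This sits BEFORE the forged-sender check and BEFORE relay control,
  #    so it repeats the checks those later statements would have made:
  #      domains - only for our own domains, so this is never a relay
  #      verify  - the sender must be a list address that really routes
  #                (a made-up bogus-admin@python.org fails here), and the
  #                recipient must be a real local address
  #    "*-admin@" is a wildcard item (Mailman 2.0 lists); "^.*-bounces@"
  #    is a regular expression item (Mailman 2.1 lists).
  accept  hosts   = mail.example.net
          senders = *-admin@python.org : ^.*-bounces@python\.org
          domains = +local_domains
          verify  = sender
          verify  = recipient

  # 2. Forged sender: an outside, unauthenticated host claiming one of
  #    our own domains in the envelope sender.  Statement 1 has already
  #    accepted the one legitimate case (forwarded list mail), so anything
  #    that reaches this point is refused.
  deny    message        = $sender_address_domain is our domain; it may not be used from $sender_host_address
          !hosts         = +relay_from_hosts
          !authenticated = *
          condition      = ${if match_domain{$sender_address_domain}{+local_domains}}

  # 3. Ordinary relay control and verification, as in the stock config.
  accept  hosts = +relay_from_hosts
  accept  authenticated = *
  require verify = sender
  accept  domains = +local_domains
          endpass
          verify  = recipient
  deny    message = relay not permitted
```

Two practical notes. Statement 1 matches on a host name, which makes it depend on the forwarder's reverse DNS being intact at the moment of the connection; an IP address or CIDR item in `hosts` removes that dependency. And because every condition in statement 1 must hold for the early `accept` to fire, a sender such as bogus-admin@python.org from mail.example.net simply falls through to statement 2 and is refused; `exim -bh <address-of-the-forwarder>` lets you walk an SMTP session through these statements by hand before putting them into service.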