RE: Exim 4.12
Hi,
I was wondering if someone could help me refine and tweak my exim.conf file
to prevent relaying "locally" to local domains/users..? I've discovered
that if someone (a spammer) knows one of the local domains on the machine,
if they setup their MTU and set the SMTP setting as one of the domains on
the machine, then they can successfully relay mail onto the system to any
domain/user on the box. My current config successfully blocks relaying onto
remote systems -but not to local domains if someone spoofs the SMTP into
thinking it's coming from a local domain on the machine, with mail
addressed to a local domain on the machine.. I have a "relaydomains" file;
hostlist relay_from_hosts = lsearch;/etc/exim/relaydomains
which should control/permit which domains on the box are permitted to
relay.. But since I don't provide SMTP services to my users (only via
webmail locally), the file is actually empty. But having a domain (or not
having a domain) listed inside the "relaydomains" file doesn't seem to
matter or prevent this from occurring. It seems as though the file is just
ignored completely, though the directive is the 3rd directive down from the
top, in the main section of the config file.
For example
domainA.com
domainB.com
Both domains reside on the same box and neither domain is listed inside the
"relaydomains" file. If I setup my MTU with an SMTP server as domainA.com
-then attempt to send mail to me@??? -the relaying is denied and the
mail won't be accepted by Exim.
-But- if I try to send mail to domainB.com (or any domain/user on the box),
then Exim will accept the message and relay the message onto the local
domain for delivery..
I'm sure this is a config setup issue, but I just haven't been able to
find/tweak what needs to be changed in order to prevent this from
occurring.. The system is also running Spam Assassin and AMaViS. Below is
a copy of my current exim.conf file -can anyone spot anything that might
need changed in my config setup that will help prevent this kind of relaying..?
Thanks in advance for any help and insight with this problem..
Best Regards,
--------------------------
# /etc/exim/exim.conf
######################################################################
# MAIN CONFIGURATION SETTINGS #
######################################################################
# Please change the following for your FQDN.
primary_hostname = my.domain.com
domainlist local_domains = @ : lsearch;/etc/exim/localdomains
domainlist relay_to_domains =
hostlist relay_from_hosts = lsearch;/etc/exim/relaydomains
acl_smtp_rcpt = acl_check_rcpt
log_selector = \
+all_parents \
+received_sender \
+received_recipients \
+smtp_confirmation \
+smtp_syntax_error
allow_domain_literals = false
never_users = root:daemon:bin:sync:named
host_lookup = *
trusted_users = mail:amavis
rfc1413_hosts = *
rfc1413_query_timeout = 0s
ignore_bounce_errors_after = 30m
timeout_frozen_after = 3d
gecos_pattern = ^([^,:]*)
gecos_name = $1
freeze_tell = postmaster
auto_thaw = 1h
system_filter = /etc/exim/system-filter
message_body_visible = 5000
message_size_limit = 10M
smtp_accept_max = 2048
smtp_connect_backlog = 256
split_spool_directory
remote_max_parallel = 15
received_header_text = "Received: \
${if def:sender_rcvhost {from ${sender_rcvhost}\n\t}\
{${if def:sender_ident {from ${sender_ident} }}\
${if def:sender_helo_name {(helo=${sender_helo_name})\n\t}}}}\
by ${primary_hostname} \
${if def:received_protocol {with ${received_protocol}}} \
(Exim ${version_number} #${compile_number} )\n\t\
id ${message_id}\
${if def:received_for {\n\tfor <$received_for>}}"
smtp_banner = "Welcome on our mail server!\n\
This system does not accept Unsolicited \
Commercial Email\nand will blacklist \
offenders via our spam processor.\nHave a \
nice day!\n\n${primary_hostname} ESMTP Exim \
${version_number} ${tod_full}"
######################################################################
# ACL CONFIGURATION #
# Specifies access control lists for incoming SMTP mail #
######################################################################
begin acl
acl_check_rcpt:
accept hosts = :
deny local_parts = ^.*[@%!/|]
accept local_parts = postmaster
domains = +local_domains
require verify = sender
deny message = host is listed in $dnslist_domain
dnslists = sbl.spamhaus.org : \
relays.ordb.org : \
opm.blitzed.org
accept domains = +local_domains
endpass
message = unknown user
verify = recipient
accept domains = +relay_to_domains
endpass
message = unrouteable address
verify = recipient
accept hosts = +relay_from_hosts
accept authenticated = *
deny senders = *@partial-dbm;/etc/exim/access.db : \
dbm;/etc/exim/access.db
deny message = unrouteable address
hosts = !127.0.0.1/8:0.0.0.0/0
!verify = recipient
deny message = relay not permitted
######################################################################
# ROUTERS CONFIGURATION #
# Specifies how addresses are handled #
######################################################################
# THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT! #
# An address is passed to each router in turn until it is accepted. #
######################################################################
begin routers
# Enable Anti-Virus support with AMaViS.
amavis_router:
driver = accept
condition = "${if or{ {eq {$received_protocol}{scanned-ok}} \
{eq {$received_protocol}{spam-scanned}} } {0}{1}}"
retry_use_local_part
transport = amavis
# Enable Anti-Spam support with SpamAssassin.
spamcheck_router:
no_verify
check_local_user
condition = "${if and { {!def:h_X-Spam-Flag:} \
{!eq {$received_protocol}{spam-scanned}}} {1}{0}}"
driver = accept
transport = spamcheck
dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more
# Enable Virtual Hosts support.
virtual_domains:
driver = redirect
allow_defer
allow_fail
data =
${expand:${lookup{$local_part@$domain}dbm*@{/etc/exim/virtualdomains.db}}}
retry_use_local_part
system_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/exim/aliases}}
user = mail
file_transport = address_file
pipe_transport = address_pipe
userforward:
driver = redirect
check_local_user
file = $home/.forward
no_verify
no_expn
check_ancestor
allow_filter
modemask = 002
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
localuser:
driver = accept
check_local_user
transport = local_delivery
######################################################################
# TRANSPORTS CONFIGURATION #
######################################################################
# ORDER DOES NOT MATTER #
# Only one appropriate transport is called for each delivery. #
######################################################################
begin transports
remote_smtp:
driver = smtp
# Enable Maildir format support (HIGHLY recommended).
local_delivery:
driver = appendfile
check_string = ""
create_directory
delivery_date_add
directory = ${home}/Maildir/
directory_mode = 700
envelope_to_add
group = mail
maildir_format
maildir_tag = ,S=$message_size
message_prefix = ""
message_suffix = ""
mode = 0600
quota = 10M
quota_size_regex = S=(\d+)$
quota_warn_threshold = 75%
return_path_add
address_pipe:
driver = pipe
return_output
address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add
address_reply:
driver = autoreply
# Enable Anti-Spam support with SpamAssassin.
spamcheck:
driver = pipe
batch_max = 100
command = /usr/sbin/exim -oMr spam-scanned -bS
use_bsmtp = true
transport_filter = /usr/bin/spamc
home_directory = "/tmp"
current_directory = "/tmp"
user = mail
group = mail
log_output = true
return_fail_output = true
return_path_add = false
message_prefix =
message_suffix =
# Enable Anti-Virus support with AMaViS.
amavis:
driver = pipe
check_string =
command = /usr/sbin/amavis -f <${sender_address}> -d ${pipe_addresses}
current_directory = "/var/spool/amavis"
escape_string =
group = amavis
headers_add = "X-Virus-Scanned: by AMaViS"
message_prefix =
message_suffix =
path = "/bin:/sbin:/usr/bin:/usr/sbin"
no_return_output
no_return_path_add
user = amavis
######################################################################
# RETRY CONFIGURATION #
######################################################################
begin retry
# Domain Error Retries
# ------ ----- -------
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
######################################################################
# REWRITE CONFIGURATION #
######################################################################
begin rewrite
######################################################################
# AUTHENTICATION CONFIGURATION #
######################################################################
begin authenticators
# AUTH PLAIN authentication method used by Netscape Messenger.
plain:
driver = plaintext
public_name = PLAIN
server_condition = "${if and {{!eq{$2}{}}{!eq{$3}{}} \
{crypteq{$3}{${extract{1}{:} \
{${lookup{$2}lsearch{/etc/exim/exim.auth} \
{$value}{*:*}}}}}}}{1}{0}}"
# AUTH LOGIN authentication method used by Outlook Express.
login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = "${if and {{!eq{$1}{}}{!eq{$2}{}} \
{crypteq{$2}{${extract{1}{:} \
{${lookup{$1}lsearch{/etc/exim/exim.auth} \
{$value}{*:*}}}}}}}{1}{0}}"
