[Exim] SMTP Spoofing - Preventing Local Relaying

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Mail List
Dátum:  
Címzett: exim-users
Tárgy: [Exim] SMTP Spoofing - Preventing Local Relaying
RE: Exim 4.12

Hi,

I was wondering if someone could help me refine and tweak my exim.conf file
to prevent relaying "locally" to local domains/users..? I've discovered
that if someone (a spammer) knows one of the local domains on the machine,
if they setup their MTU and set the SMTP setting as one of the domains on
the machine, then they can successfully relay mail onto the system to any
domain/user on the box. My current config successfully blocks relaying onto
remote systems -but not to local domains if someone spoofs the SMTP into
thinking it's coming from a local domain on the machine, with mail
addressed to a local domain on the machine.. I have a "relaydomains" file;

hostlist relay_from_hosts = lsearch;/etc/exim/relaydomains

which should control/permit which domains on the box are permitted to
relay.. But since I don't provide SMTP services to my users (only via
webmail locally), the file is actually empty. But having a domain (or not
having a domain) listed inside the "relaydomains" file doesn't seem to
matter or prevent this from occurring. It seems as though the file is just
ignored completely, though the directive is the 3rd directive down from the
top, in the main section of the config file.

For example

domainA.com
domainB.com

Both domains reside on the same box and neither domain is listed inside the
"relaydomains" file. If I setup my MTU with an SMTP server as domainA.com
-then attempt to send mail to me@??? -the relaying is denied and the
mail won't be accepted by Exim.

-But- if I try to send mail to domainB.com (or any domain/user on the box),
then Exim will accept the message and relay the message onto the local
domain for delivery..

I'm sure this is a config setup issue, but I just haven't been able to
find/tweak what needs to be changed in order to prevent this from
occurring.. The system is also running Spam Assassin and AMaViS. Below is
a copy of my current exim.conf file -can anyone spot anything that might
need changed in my config setup that will help prevent this kind of relaying..?

Thanks in advance for any help and insight with this problem..

Best Regards,

--------------------------

# /etc/exim/exim.conf

######################################################################
#                    MAIN CONFIGURATION SETTINGS                     #
######################################################################


# Please change the following for your FQDN.
primary_hostname = my.domain.com

domainlist local_domains = @ : lsearch;/etc/exim/localdomains
domainlist relay_to_domains =
hostlist relay_from_hosts = lsearch;/etc/exim/relaydomains

acl_smtp_rcpt = acl_check_rcpt

log_selector =  \
         +all_parents \
         +received_sender \
         +received_recipients \
         +smtp_confirmation \
         +smtp_syntax_error


allow_domain_literals = false
never_users = root:daemon:bin:sync:named
host_lookup = *
trusted_users = mail:amavis
rfc1413_hosts = *
rfc1413_query_timeout = 0s
ignore_bounce_errors_after = 30m
timeout_frozen_after = 3d
gecos_pattern = ^([^,:]*)
gecos_name = $1
freeze_tell = postmaster
auto_thaw = 1h
system_filter = /etc/exim/system-filter
message_body_visible = 5000
message_size_limit = 10M
smtp_accept_max = 2048
smtp_connect_backlog = 256
split_spool_directory
remote_max_parallel = 15

received_header_text = "Received: \
         ${if def:sender_rcvhost {from ${sender_rcvhost}\n\t}\
         {${if def:sender_ident {from ${sender_ident} }}\
         ${if def:sender_helo_name {(helo=${sender_helo_name})\n\t}}}}\
         by ${primary_hostname} \
         ${if def:received_protocol {with ${received_protocol}}} \
         (Exim ${version_number} #${compile_number} )\n\t\
         id ${message_id}\
         ${if def:received_for {\n\tfor <$received_for>}}"


smtp_banner = "Welcome on our mail server!\n\
         This system does not accept Unsolicited \
         Commercial Email\nand will blacklist \
         offenders via our spam processor.\nHave a \
         nice day!\n\n${primary_hostname} ESMTP Exim \
         ${version_number} ${tod_full}"


######################################################################
#                       ACL CONFIGURATION                            #
#         Specifies access control lists for incoming SMTP mail      #
######################################################################


begin acl

acl_check_rcpt:
accept hosts = :

   deny    local_parts    = ^.*[@%!/|]


   accept  local_parts    = postmaster
           domains        = +local_domains


   require verify         = sender


   deny    message        = host is listed in $dnslist_domain
           dnslists       = sbl.spamhaus.org : \
                            relays.ordb.org : \
                            opm.blitzed.org


   accept  domains        = +local_domains
           endpass
           message        = unknown user
           verify         = recipient


   accept  domains        = +relay_to_domains
           endpass
           message        = unrouteable address
           verify         = recipient


   accept  hosts          = +relay_from_hosts


accept authenticated = *

   deny    senders        = *@partial-dbm;/etc/exim/access.db : \
                            dbm;/etc/exim/access.db


   deny    message        = unrouteable address
           hosts          = !127.0.0.1/8:0.0.0.0/0
          !verify         = recipient


   deny    message        = relay not permitted


######################################################################
#                      ROUTERS CONFIGURATION                         #
#               Specifies how addresses are handled                  #
######################################################################
#     THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT!       #
# An address is passed to each router in turn until it is accepted.  #
######################################################################


begin routers

# Enable Anti-Virus support with AMaViS.
amavis_router:
driver = accept
condition = "${if or{ {eq {$received_protocol}{scanned-ok}} \
{eq {$received_protocol}{spam-scanned}} } {0}{1}}"
retry_use_local_part
transport = amavis

# Enable Anti-Spam support with SpamAssassin.
spamcheck_router:
no_verify
check_local_user
condition = "${if and { {!def:h_X-Spam-Flag:} \
{!eq {$received_protocol}{spam-scanned}}} {1}{0}}"
driver = accept
transport = spamcheck

dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

# Enable Virtual Hosts support.
virtual_domains:
driver = redirect
allow_defer
allow_fail
data =
${expand:${lookup{$local_part@$domain}dbm*@{/etc/exim/virtualdomains.db}}}
retry_use_local_part

system_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/exim/aliases}}
user = mail
file_transport = address_file
pipe_transport = address_pipe

userforward:
driver = redirect
check_local_user
file = $home/.forward
no_verify
no_expn
check_ancestor
allow_filter
modemask = 002
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply

localuser:
driver = accept
check_local_user
transport = local_delivery

######################################################################
#                      TRANSPORTS CONFIGURATION                      #
######################################################################
#                       ORDER DOES NOT MATTER                        #
#     Only one appropriate transport is called for each delivery.    #
######################################################################


begin transports

remote_smtp:
driver = smtp

# Enable Maildir format support (HIGHLY recommended).
local_delivery:
driver = appendfile
check_string = ""
create_directory
delivery_date_add
directory = ${home}/Maildir/
directory_mode = 700
envelope_to_add
group = mail
maildir_format
maildir_tag = ,S=$message_size
message_prefix = ""
message_suffix = ""
mode = 0600
quota = 10M
quota_size_regex = S=(\d+)$
quota_warn_threshold = 75%
return_path_add

address_pipe:
driver = pipe
return_output

address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add

address_reply:
driver = autoreply

# Enable Anti-Spam support with SpamAssassin.
spamcheck:
driver = pipe
batch_max = 100
command = /usr/sbin/exim -oMr spam-scanned -bS
use_bsmtp = true
transport_filter = /usr/bin/spamc
home_directory = "/tmp"
current_directory = "/tmp"
user = mail
group = mail
log_output = true
return_fail_output = true
return_path_add = false
message_prefix =
message_suffix =

# Enable Anti-Virus support with AMaViS.
amavis:
driver = pipe
check_string =
command = /usr/sbin/amavis -f <${sender_address}> -d ${pipe_addresses}
current_directory = "/var/spool/amavis"
escape_string =
group = amavis
headers_add = "X-Virus-Scanned: by AMaViS"
message_prefix =
message_suffix =
path = "/bin:/sbin:/usr/bin:/usr/sbin"
no_return_output
no_return_path_add
user = amavis

######################################################################
#                      RETRY CONFIGURATION                           #
######################################################################


begin retry

# Domain               Error       Retries
# ------               -----       -------


*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h


######################################################################
#                      REWRITE CONFIGURATION                         #
######################################################################


begin rewrite

######################################################################
#                   AUTHENTICATION CONFIGURATION                     #
######################################################################


begin authenticators

# AUTH PLAIN authentication method used by Netscape Messenger.
plain:
   driver = plaintext
   public_name = PLAIN
   server_condition = "${if and {{!eq{$2}{}}{!eq{$3}{}} \
         {crypteq{$3}{${extract{1}{:} \
         {${lookup{$2}lsearch{/etc/exim/exim.auth} \
         {$value}{*:*}}}}}}}{1}{0}}"


# AUTH LOGIN authentication method used by Outlook Express.
login:
   driver = plaintext
   public_name = LOGIN
   server_prompts = "Username:: : Password::"
   server_condition = "${if and {{!eq{$1}{}}{!eq{$2}{}} \
         {crypteq{$2}{${extract{1}{:} \
         {${lookup{$1}lsearch{/etc/exim/exim.auth} \
         {$value}{*:*}}}}}}}{1}{0}}"