Re: [Exim] SMTP Spoofing - Preventing Local Relaying

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Mail List
Ημερομηνία:  
Προς: exim-users
Αντικείμενο: Re: [Exim] SMTP Spoofing - Preventing Local Relaying
Hi,

Thanks for your reply.

>>then they can successfully relay mail onto the system to any
>>domain/user on the box.
>
>that's local delivery, not third party relaying, no need to "set MTU" or
>anything.
>you'll have to block by IP.


But how would you block by IP from anyone/everyone on the Internet?

I don't think I explained the problem well, it's not easy to describe..

Basically there should be no user/domain (besides local) with SMTP access
-and then SMTP is only needed for the Squirrel Web-Mail service.. I
require my end-users to use their ISP for SMTP services, relaying through
their domain name is not a service I provide (because of past abuse)..

But my problem is, if someone knows of two domains housed on the box
(domainA and domainB), then they can setup an MTU client and list
domainA.com as the SMTP server; then my mail server will act as the SMTP
server for domainA.com and it'll accept mail from the MTU and pass it off
to domainB.com -or any other domain on the box if they have the name of any
of the domains housed on the machine.. You don't even need a valid
userid/password from domainA.com to have the mail server accept the mail...

Here's another look at the issue:

For example as I try this from my Outlook client..

I setup Outlook with the following:

POP3:   domainA.com
SMTP:   domainA.com
ID:     any-user-name
Pass:   any-password


The ID/password fields don't matter -no matter what you put there the mail
server will still accept mail and act as the SMTP server for domainA.com..

Now under /etc/exim/ I have a file named "relaydomains" -which is where I
should list any local domain which is permitted to relay (but I keep the
file blank since I don't permit my customers SMTP relaying services).. So
inside the "relaydomains" file the domainA.com doesn't even exist.. It's
been completely removed.

Now with that account info if you try and send a message to a remote
server, like for example mail to my yahoo account - me@??? -then the
mail server will block the relay attempt and tell you "relaying denied"..

--But-- if you try and send mail to another domain/user on the server
housing domainA.com, then exim will accept the connection and hand-off the
message.. For example if you try and send from the above "domainA.com"
account, and send a message to "admin@???" (or to any domain/user
on the server), then the mail server will accept and deliver the mail.. In
the maillog, you'll see this message from such an attempt:

Feb 26 21:22:01 exim[1609]: 2003-02-26 21:22:01 Authentication failed for
dhcpxxx-xxx-xxx-xxx.rr.com (owksu-j28xloafc.domainA.com) [24.xxx.xxx.xxx]:
535 Incorrect authentication data

(the 24.xxx.xxx.xxx is my RR connection to the net)

But that's just a warning in the log, even though it reports "Incorrect
authentication data" -the mail server will still accept/deliver the message
using domainA.com as the SMTP server from the MTU..

This isn't the way it's suppose to work correct..? I'm just having a hard
time explaining what's going on here, but I'm fairly sure it shouldn't be
doing what it's doing.. :-)

Thanks again for any help or insight..

Best Regards,