Re: [Exim] Using ACL to block spaam... possible?

On Sat, 22 Mar 2003 17:24:37 +0100 Lukas wrote (off-list):

Abusing me off-list will not assist in solving your problem.

> you are a real boor!

That may be, but many of us who are bombarded with spam also find it
boring that time and time again certain people decide that they are going
to run open relays and justify it by saying they "cannot use SMTP AUTH".

I understand that you may have good intentions, but if you look back at
the archives I am sure you will see that history repeats itself again and
again with people trying to "authenticate" clients based solely on the
e-mail address they are sending it from. You will find explained in many
places (not least my previous post) why this is a bad idea.

> I am not an expert and I wrote I needed an answer from someone more
> expert than what I am but if this is the result... damn... I am
> disgusted.

As you will see if you re-read my original message, I am well aware that
the tone was harsh, but I hope you will also read that I and others ARE
prepared to help you, but only if you are willing to go some way towards
helping yourself.

There are documented examples both in the Exim spec and in the mailing
list archives of how to use SMTP AUTH. If, after reading these, you still
have problems then by all means explain the problem and you are likely to
get help.

However, in the meantime, if you cannot secure your server, then please be
responsible and close it down temporarily.

> I am looking for help with something I cannot understand myself... my
> english is not so good (I am italian), and my knowledge of the
> Unix world is not so deep.

It's neither language difficulties nor your knowledge of the "Unix" world
that is the problem; the main question you asked was quite honestly
meaningless. That's not an insult, just a statement of fact.

To run a mailserver, you are generally expected to have at least a basic
knowledge of how things (primarily SMTP) work. If you don't have that,
there are plenty of ways to learn quite easily including, I'm sure, in
Italian. I hope you will understand in the meantime that it can be
difficult to explain to you what the problem is if you are missing vital
basic knowledge.

> It is not my fault if I have to work on these thinghs

That may be, but it's also not our fault that you set yourself up as an
open relay, and we do expect at least some responsibility and basic
knowledge from you if you are asking for our time in helping you.
Moreover, you indicated that you KNOW you are an open relay but are not
prepared to fix it properly. In fact, as far as I can tell, you are STILL
running an open relay. The least you could do would be to shut your
mailserver down until you can fix it.

I explained in my last post why using ACLs (at least in the way you did)
is not the solution to this problem. Did you understand that?

Also, do you understand the basics of SMTP and why a "remote server"
trying to relay spam and a "remote client" are exactly the same without
some kind of authentication? It was not apparent from your last post that
you did, and if you don't then it will be difficult to help you with this
problem, since we need to have some kind of base level on which we can
communicate.

> I am trying to make my little server the more secure I can but after
> three days of tests and searches I still can't get SMTP Auth working!

Now, that's a different question altogether. If you have a specific
problem with SMTP AUTH, then by all means ask for help, preferably after
giving the documentation at least a cursory glance. But the solution is
not to ignore it and try to come up with some other, silly, solution. As I
explained in my last e-mail, your ACL solution is bad because it will let
spammers send mail by sending mail using the e-mail address of one of your
clients.

> I cannot understand why SMTP Auth seems to work and then my clients
> continue to succesfully send mail without needing to pass
> authentication. Can you tell me why?

If you explain in more detail, and provide some logs and config file
snippets to demonstrate, hopefully so.

Send your authenticator config and relevant ACLs to the list, explain
exactly what the problem is (can people relay without authentication, or
are you just saying that once they've sent their password once, they can
send further mails from their mail client in the same session without
re-authenticating?) and I will personally help you if at all possible.

> Using ACL is the only way I found to try to protect my server...

In that case, you need to close it down until you have got SMTP AUTH
working. The point is that your method will only give the *illusion* of
protection; it will not stop people being able to send spam through your
server.

> Thanx a lot for your bad character... I am not the trash where you can
> throw it... This was my first message to this list.... what a
> delusion...

Can I remind you of something: this is YOUR problem, that YOU created.
Whilst there are plenty of us who are willing to help, such melodramatics
only serve to make you look unprofessional, and will not encourage others
to help you solve your problem.


Remember that although we are willing to spend time, for free, giving you
advice, you can only expect, I'm afraid, to get short shrift when you
knowingly run an open relay server and don't even shut it down while you
fix it. Saying "It is not my fault" and "I can't use SMTP AUTH" are not
constructive, and are phrases likely to provoke a reaction - if you have
been searching the archives, you will understand why.


Please reconsider what it is you need to know, ensure you have a grasp of
at least the very basics of SMTP, and feel free to ask away. Again, I will
personally do my best to help.



Tim