Hi all!
> Abusing me off-list will not assist in solving your problem.
Tim... abusing me... please... my reply was for you, not for the list; I can't see why I should bother the list only to tell you that you could be less harsh.
I apologise for my lack of experience. It is not my intention to help create spam... I want to assure all of you that my server was secured BEFORE posting to this list. After realising the problem, I immediately limited relay to my local network. This way my server is not a danger any more. But after this, I tried to find some solutions. One of them was the ACL question I posted. In reality I only needed to clarify some doubts.
Probably I will be the 94821834186247th user asking for help in making SMTP Auth work. I apologise also for this.
I'd like to have my server accept only authenticated connections. At the moment it does not. In fact I can use both methods (authenticated or not). It seems that my Exim accepts both methods, preferring the non-authenticated one.
> Send your authenticator config and relevant ACLs to the list, explain
> exactly what the problem is (can people relay without authentication, or
> are you just saying that once they've sent their password once, they can
> send further mails from their mail client in the same session without
> re-authenticating?) and I will personally help you if at all possible.
Tim, the first one is the problem... they can relay with or without authentication... nothing on the server compels the client to authenticate. If they do it, fine. If they don't do it, the same. The message leaves anyway.
> > Using ACL is the only way I found to try to protect my server...
>
> In that case, you need to close it down until you have got SMTP AUTH
> working. The point is that your method will only give the *illusion* of
> protection; it will not stop people being able to send spam through your
> server.
This is exactly what I wanted to know...
Here follows my Configure file. Thanks to all who will help me!
Lukas
######################################################################
# MAIN CONFIGURATION SETTINGS #
######################################################################
hide mysql_servers = localhost/server_mail/root/mysqlpw
primary_hostname = mail.spirit.it
domainlist local_domains = \
${lookup mysql {SELECT domain FROM domains \
WHERE type="local" and domain="${domain}" }}
domainlist relay_to_domains = \
${lookup mysql {SELECT domain FROM domains \
WHERE type="relay" }}
hostlist relay_from_hosts = 127.0.0.1 : 192.168.1.0/8 : 151.38.133.230
never_users = root
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 10s
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d
message_size_limit = 20M
bounce_return_message = false
# return_size_limit = 50K
system_filter = /usr/local/exim/system_filter.exim
smtp_banner = $primary_hostname ESMTP Exim $version_number $tod_full
acl_smtp_auth = acl_check_auth
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
auth_advertise_hosts = *
#tls_advertise_hosts = *
MAILMAN_HOME=/usr/local/mailman
MAILMAN_WRAP=MAILMAN_HOME/mail/mailman
MAILMAN_USER=mailman
MAILMAN_GROUP=1
######################################################################
# ACL CONFIGURATION #
# Specifies access control lists for incoming SMTP mail #
######################################################################
begin acl
acl_check_auth:
accept encrypted = *
accept condition = ${if eq{${uc:$smtp_command_argument}}\
{LOGIN}{yes}{no}}
deny message = TLS encryption or CRAM-MD5 required
acl_check_rcpt:
accept hosts = :
deny local_parts = ^.*[@%!/|] : ^\\.
deny senders = ${lookup mysql{SELECT sender FROM deny_sender \
WHERE '$sender_address' rlike sender} {$sender_address}}
message = We don't want mail from: $sender_address
deny hosts = net-lsearch;/usr/local/exim/reject-hosts.txt : \
net24-lsearch;/usr/local/exim/reject-hosts.txt
message = Connection denied for: $sender_host_address
drop message = Too many bad recipients ${eval:$rcpt_fail_count} out of $rcpt_count
condition = ${if = {${eval:$rcpt_fail_count}}{1}{yes}{no}}
accept local_parts = postmaster
domains = local_domains
verify = recipient
require verify = sender
accept domains = local_domains
endpass
message = Unknown user.
verify = recipient
accept domains = relay_to_domains
endpass
message = Unrouteable address.
verify = recipient
accept hosts = relay_from_hosts
accept authenticated = *
deny message = Authentication required - Relay not permitted.
acl_check_data:
deny sender_domains = aol.com
message = X-Forgery: NOT AOL MAILER
condition = ${if match {${lc:$h_X-Mailer:}} {a(?:ol|tlas)} {no}{yes}}
accept senders = !:
message = A valid sender header is required!
verify = header_sender
deny !condition = $header_X-WhitelistedRCPT-nohdrfromcallback:
!verify = header_sender/callout=90s
accept
######################################################################
# ROUTERS CONFIGURATION #
# Specifies how addresses are handled #
######################################################################
# THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT! #
# An address is passed to each router in turn until it is accepted. #
######################################################################
begin routers
dnslookup:
driver = dnslookup
domains = ! local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more
mailman_router:
driver = accept
require_files = MAILMAN_HOME/lists/$local_part/config.pck
local_part_suffix_optional
local_part_suffix = -bounces : -bounces+* : \
-confirm+* : -join : -leave : \
-owner : -request : -admin
transport = mailman_transport
mysql_sys_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup mysql {SELECT dest FROM aliases \
WHERE email='${local_part}' AND type="system"}}
mysql_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup mysql {SELECT dest FROM aliases \
WHERE email='${local_part}@${domain}' AND type="site"}}
mysql_user:
driver = accept
condition = ${if eq{} {${lookup mysql {SELECT home FROM passwd \
WHERE id='${local_part}@${domain}'}}} {no}{yes}}
retry_use_local_part
transport=mysql_delivery
######################################################################
# TRANSPORTS CONFIGURATION #
######################################################################
# ORDER DOES NOT MATTER #
# Only one appropriate transport is called for each delivery. #
######################################################################
begin transports
remote_smtp:
driver = smtp
mysql_delivery:
driver = appendfile
maildir_format
directory = \
/var/mail/${lookup mysql{SELECT maildir \
FROM passwd WHERE id='${local_part}@${domain}'}}
delivery_date_add
#envelope_to_add = true
#return_path_add = true
maildir_tag = ,S=$message_size
quota = \
"${lookup mysql{SELECT quota FROM passwd WHERE \
user = '$local_part' AND domain = '$domain'}{${value}M}}"
quota_is_inclusive = false
quota_size_regex = S=(\d+):
quota_warn_threshold = 75%
quota_warn_message = "\
To: $local_part@$domain\n\
Subject: Mailbox quota warning\n\n\
This message was automatically generated by the mail delivery software.\n\n\
You are now using over 75% of your allocated mail storage quota.\n\n\
If your mailbox fills completely, further incoming messages will be automatically\n\
returned to their senders.\n\n\
Please take note of this and remove unwanted mail from your mailbox.\n"
user = 1100
group = 1100
# headers_add
# message_prefix
# mode
mailman_transport:
driver = pipe
command = MAILMAN_WRAP \
'${if def:local_part_suffix \
{${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
{post}}' \
$local_part
current_directory = MAILMAN_HOME
home_directory = MAILMAN_HOME
user = MAILMAN_USER
group = MAILMAN_GROUP
######################################################################
# RETRY CONFIGURATION #
######################################################################
begin retry
# Domain Error Retries
# ------ ----- -------
* quota
* * F,2h,10m; G,16h,1h,1.5; F,4d,6h
######################################################################
# REWRITE CONFIGURATION #
######################################################################
# There are no rewriting specifications in this default configuration file.
begin rewrite
######################################################################
# AUTHENTICATION CONFIGURATION #
######################################################################
# There are no authenticator specifications in this default configuration file.
begin authenticators
#fixed_plain:
# driver = plaintext
# public_name = PLAIN
# server_condition = \
# ${lookup mysql{SELECT if(count(*), "1", "0") \
# FROM passwd WHERE id = '${quote_mysql:$2}' and \
# clear = '${quote_mysql:$3}'}}
# server_set_id = $2
#cram_md5:
# driver = cram_md5
# public_name = CRAM-MD5
# server_secret = \
# ${lookup mysql{SELECT clear FROM passwd \
# WHERE id='$1'}{$value}fail}
# server_set_id = $1
login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = \
${lookup mysql{SELECT if(count(*), "1", "0") \
FROM passwd WHERE id = '${quote_mysql:$1}' and \
clear = '${quote_mysql:$2}'}}
server_set_id = $1
#login:
# driver=plaintext
# public_name = LOGIN
# server_condition = ${if eq{$2} {${lookup mysql{SELECT clear FROM passwd \
# WHERE id ='${local_part:$1}'}}}{1}{0}}
# server_prompts = "Username:: : Password::"
# server_set_id = $1
#plain:
# driver=plaintext
# public_name = PLAIN
# server_condition = ${if eq{$2} {${lookup mysql{SELECT clear FROM passwd \
# WHERE id ='${local_part:$1}'}}}{1}{0}}
# server_prompts = "Login::"
# server_set_id = $1
# End of Exim configuration file
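As an added illustration (my own code, not part of Lukas's post or of Exim), the Python model below walks a recipient through the relay-relevant statements of the posted acl_check_rcpt in their posted order and reports which statement decides it; the domain lists are constructed stand-ins for the MySQL lookups. It also shows one entry in the posted hostlist that is worth checking: 192.168.1.0/8 carries an 8-bit mask, so under CIDR masking (which Exim applies to the pattern address as well) it matches every 192.x.x.x host, not only the 192.168.1.x LAN, and any such host is accepted by "hosts = relay_from_hosts" before "authenticated = *" is ever reached.

```python
import ipaddress

# Constructed stand-ins for the page's MySQL-backed domain lists.
LOCAL_DOMAINS = {"spirit.it"}
RELAY_TO_DOMAINS = {"partner.example"}
# The hostlist exactly as posted, and a version with the mask corrected to /24.
RELAY_FROM_HOSTS_POSTED = ["127.0.0.1", "192.168.1.0/8", "151.38.133.230"]
RELAY_FROM_HOSTS_FIXED = ["127.0.0.1", "192.168.1.0/24", "151.38.133.230"]


def host_in_list(addr, hostlist):
    """Match an IP against address/mask patterns the way a CIDR host list does.
    The mask length applies to the pattern address too, so 192.168.1.0/8 means
    192.0.0.0/8; ip_network(strict=False) normalises it the same way."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in hostlist)


def rcpt_decision(sender_host, rcpt_domain, authenticated, relay_from_hosts):
    """Walk the relay-relevant verbs of the posted acl_check_rcpt in order and
    return (verdict, deciding statement). The sender/recipient verification and
    deny_sender checks are left out because they do not affect the relay question."""
    if rcpt_domain in LOCAL_DOMAINS:
        return "accept", "domains = local_domains"
    if rcpt_domain in RELAY_TO_DOMAINS:
        return "accept", "domains = relay_to_domains"
    if host_in_list(sender_host, relay_from_hosts):
        return "accept", "hosts = relay_from_hosts"
    if authenticated:
        return "accept", "authenticated = *"
    return "deny", "Authentication required - Relay not permitted."


if __name__ == "__main__":
    # Constructed case: a host outside the LAN (192.0.2.10, from the TEST-NET
    # range) sends to an external domain without authenticating.
    for label, hosts in (("posted", RELAY_FROM_HOSTS_POSTED),
                         ("fixed", RELAY_FROM_HOSTS_FIXED)):
        print(label, rcpt_decision("192.0.2.10", "example.net", False, hosts))
```

With the posted list the unauthenticated 192.0.2.10 client is accepted by the hostlist statement; with the /24 mask it falls through to the final deny unless it authenticates.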