Re: [Exim] Using ACL to block spaam... possible?

Top Page
Delete this message
Reply to this message
Author: Lukas
Date:  
To: exim-users
Subject: Re: [Exim] Using ACL to block spaam... possible?
Hi all!

> Abusing me off-list will not assist in solving your problem.


Tim... abusing me... please... my reply was for you, not for the list, I can't see why I should bother the list only to tell you that you could be less harsh.

I apologige for my lack of experience. It is not my will to help creating spam... A want to ensure all of you that my server has been secured BEFORE posting to this list. After realizing the problem, I immediately limited relay to my local network. This way my server is not a danger any more. But after this, I tried to find some solutions. One of them was the ACL quetion I posted. In reality I only needed to clarify some doubts.

Probably I will be the 94821834186247th user asking for help in making SMTP Auth work. I apologige also for this.

I'd like to have my server accept only authenticated connections. At the moment it is not. In fact I can use both methods (authenticated or not). It seems that my Exim accept both methods prefering the non authenticated one.

> Send your authenticator config and relevant ACLs to the list, explain
> exactly what the problem is (can people relay without authentication, or
> are you just saying that once they've sent their password once, they can
> send further mails from their mail client in the same session without
> re-authenticating?) and I will personally help you if at all possible.


Tim, first one is the problem... they can relay without or with authentication... nothing on the server compells client to authenticate. If they do it, well. If they don't do it, well the same. The message leaves anyway.


> > Using ACL is the only way I found to try to protect my server...
>
> In that case, you need to close it down until you have got SMTP AUTH
> working. The point is that your method will only give the *illusion* of
> protection; it will not stop people being able to send spam through your
> server.


This is exactly what I wanted to know...

Here follows my Configure file. Thanks to all who will help me!

Lukas

######################################################################
#                    MAIN CONFIGURATION SETTINGS                     #
######################################################################


hide mysql_servers = localhost/server_mail/root/mysqlpw

primary_hostname = mail.spirit.it

domainlist local_domains      = \
        ${lookup mysql {SELECT domain FROM domains \
        WHERE type="local" and domain="${domain}" }}


domainlist relay_to_domains = \
       ${lookup mysql {SELECT domain FROM domains \
        WHERE type="relay" }}


hostlist relay_from_hosts = 127.0.0.1 : 192.168.1.0/8 : 151.38.133.230

never_users = root
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 10s
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d
message_size_limit = 20M
bounce_return_message = false
# return_size_limit = 50K

system_filter = /usr/local/exim/system_filter.exim

smtp_banner = $primary_hostname ESMTP Exim $version_number $tod_full

acl_smtp_auth = acl_check_auth
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data

auth_advertise_hosts = *

#tls_advertise_hosts = *

MAILMAN_HOME=/usr/local/mailman
MAILMAN_WRAP=MAILMAN_HOME/mail/mailman

MAILMAN_USER=mailman
MAILMAN_GROUP=1


######################################################################
#                       ACL CONFIGURATION                            #
#         Specifies access control lists for incoming SMTP mail      #
######################################################################


begin acl


acl_check_auth:
  accept encrypted = *
  accept condition = ${if eq{${uc:$smtp_command_argument}}\
                       {LOGIN}{yes}{no}}
  deny   message   = TLS encryption or CRAM-MD5 required




acl_check_rcpt:

  accept  hosts          = :
  deny    local_parts    = ^.*[@%!/|] : ^\\.



  deny    senders        = ${lookup mysql{SELECT sender FROM deny_sender \
                           WHERE '$sender_address' rlike sender} {$sender_address}}
          message        = We don't want mail from: $sender_address


  deny    hosts          = net-lsearch;/usr/local/exim/reject-hosts.txt : \
                           net24-lsearch;/usr/local/exim/reject-hosts.txt
          message        = Connection denied for: $sender_host_address


  drop    message        = Too many bad recipients ${eval:$rcpt_fail_count} out of $rcpt_count
          condition      = ${if = {${eval:$rcpt_fail_count}}{1}{yes}{no}}



  accept  local_parts    = postmaster
          domains        =  local_domains
          verify         = recipient


  require verify         = sender



  accept  domains        =  local_domains
          endpass
          message        = Unknown user.
          verify         = recipient


  accept  domains        =  relay_to_domains
          endpass
          message        = Unrouteable address.
          verify         = recipient


  accept  hosts          =  relay_from_hosts


accept authenticated = *



  deny    message        = Authentication required - Relay not permitted.




acl_check_data:

  deny    sender_domains = aol.com
          message        = X-Forgery: NOT AOL MAILER
          condition = ${if match {${lc:$h_X-Mailer:}} {a(?:ol|tlas)} {no}{yes}}


  accept  senders = !:
          message = A valid sender header is required!
          verify = header_sender


  deny   !condition = $header_X-WhitelistedRCPT-nohdrfromcallback:
         !verify = header_sender/callout=90s


accept

######################################################################
#                      ROUTERS CONFIGURATION                         #
#               Specifies how addresses are handled                  #
######################################################################
#     THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT!       #
# An address is passed to each router in turn until it is accepted.  #
######################################################################


begin routers


dnslookup:
driver = dnslookup
domains = ! local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

mailman_router:
  driver = accept
  require_files = MAILMAN_HOME/lists/$local_part/config.pck
  local_part_suffix_optional
  local_part_suffix = -bounces : -bounces * : \
                 -confirm * : -join : -leave : \
                 -owner : -request : -admin
  transport = mailman_transport


mysql_sys_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup mysql {SELECT dest FROM aliases \
            WHERE email='${local_part}' AND type="system"}}


mysql_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup mysql {SELECT dest FROM aliases \
            WHERE email='${local_part}@${domain}' AND type="site"}}


mysql_user:
  driver = accept
  condition = ${if eq{} {${lookup mysql {SELECT home FROM passwd \
                WHERE id='${local_part}@${domain}'}}} {no}{yes}}
  retry_use_local_part
  transport=mysql_delivery




######################################################################
#                      TRANSPORTS CONFIGURATION                      #
######################################################################
#                       ORDER DOES NOT MATTER                        #
#     Only one appropriate transport is called for each delivery.    #
######################################################################


begin transports

remote_smtp:
driver = smtp


mysql_delivery:
  driver = appendfile
  maildir_format
  directory = \
     /var/mail/${lookup mysql{SELECT maildir \
     FROM passwd WHERE id='${local_part}@${domain}'}}
  delivery_date_add
  #envelope_to_add = true
  #return_path_add = true
  maildir_tag = ,S=$message_size
  quota = \
    "${lookup mysql{SELECT quota FROM passwd WHERE \
    user = '$local_part' AND domain = '$domain'}{${value}M}}"
  quota_is_inclusive = false
  quota_size_regex = S=(\d ):
  quota_warn_threshold = 75%
  quota_warn_message = "\
        To: $local_part@$domain\n\
          Subject: Mailbox quota warning\n\n\
          This message was automatically generated by the mail delivery software.\n\n\
          You are now using over 75% of your allocated mail storage quota.\n\n\
          If your mailbox fills completely, further incoming messages will be automatically\n\
          returned to their senders.\n\n\
          Please take note of this and remove unwanted mail from your mailbox.\n"
  user = 1100
  group = 1100
# headers_add
# message_prefix
# mode


mailman_transport:
    driver = pipe
    command = MAILMAN_WRAP \
              '${if def:local_part_suffix \
                    {${sg{$local_part_suffix}{-(\\w )(\\ .*)?}{\$1}}} \
                    {post}}' \
              $local_part
    current_directory = MAILMAN_HOME
    home_directory = MAILMAN_HOME
    user = MAILMAN_USER
    group = MAILMAN_GROUP



######################################################################
#                      RETRY CONFIGURATION                           #
######################################################################


begin retry


# Domain               Error       Retries
# ------               -----       -------


*                      quota
*                      *           F,2h,10m; G,16h,1h,1.5; F,4d,6h


######################################################################
#                      REWRITE CONFIGURATION                         #
######################################################################


# There are no rewriting specifications in this default configuration file.

begin rewrite



######################################################################
#                   AUTHENTICATION CONFIGURATION                     #
######################################################################


# There are no authenticator specifications in this default configuration file.

begin authenticators


#fixed_plain:
#  driver = plaintext
#  public_name = PLAIN
#  server_condition = \
#    ${lookup mysql{SELECT if(count(*), "1", "0") \
#    FROM passwd WHERE id = '${quote_mysql:$2}' and \
#    clear = '${quote_mysql:$3}'}}
#  server_set_id = $2



#cram_md5:
#  driver = cram_md5
#  public_name = CRAM-MD5
#  server_secret = \
#    ${lookup mysql{SELECT clear FROM passwd \
#    WHERE id='$1'}{$value}fail}
#  server_set_id = $1


login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = \
    ${lookup mysql{SELECT if(count(*), "1", "0") \
    FROM passwd WHERE id = '${quote_mysql:$1}' and \
    clear = '${quote_mysql:$2}'}}
  server_set_id = $1




#login:
#  driver=plaintext
#  public_name = LOGIN
#  server_condition = ${if eq{$2} {${lookup mysql{SELECT clear FROM passwd \
#    WHERE id ='${local_part:$1}'}}}{1}{0}}
#  server_prompts = "Username:: : Password::"
#  server_set_id = $1



#plain:
#  driver=plaintext
#  public_name = PLAIN
#  server_condition = ${if eq{$2} {${lookup mysql{SELECT clear FROM passwd \
#    WHERE id ='${local_part:$1}'}}}{1}{0}}
#  server_prompts = "Login::"
#  server_set_id = $1


# End of Exim configuration file