Re: [Exim] Using ACL to block spaam... possible?

Author: Tim Jackson
Date:  
To: exim-users
CC: Lukas
Subject: Re: [Exim] Using ACL to block spaam... possible?
On Sun, 23 Mar 2003 01:06:19 CET you wrote:

> I'd like to have my server accept only authenticated connections.


*Only*? So it is not an MX server for any domain? Or do you mean that you
only want to *relay* for authenticated connections? (I think you probably
mean the second one)

> they can relay without or with
> authentication... nothing on the server compels client to authenticate.


In that case, it would seem that you have a problem with your RCPT ACL,
not SMTP AUTH (although if they could authenticate via SMTP AUTH with an
empty username and/or password, that would be a different issue, and
another one that crops up quite often).

There must be something in your ACL which is allowing them to send mail.
Let's have a look: (I'm putting the SMTP AUTH to one side for now, let's
solve the first problem)

> hostlist relay_from_hosts = 127.0.0.1 : 192.168.1.0/8 :
> 151.38.133.230


This rings alarm bells to me. 192.168.1.0/8 means that any host with an IP
address beginning with 192 can relay. I am guessing this is intended to be
your internal network, but the problem is that only 192.168.0.0/16 is
reserved for internal IPs in RFC1918. There are lots of IPs beginning
with 192 that are assigned, in use and globally routable. (i.e. you can't
use them for your internal network).

So, the first thing would be to change that part of your hostlist to
192.168.1.0/16, or even 192.168.1.0/24 if you only have internal IPs
starting with 192.168.1 .

I can't immediately see any obvious problems with the rest of your RCPT
ACL, so it may be as simple as that. I would guess (check your Exim
mainlog to see for certain) that you've had someone within a 192.x.x.x
address space somewhere that has been using your machine as a relay.

To be fair, that's a fairly subtle mistake of the kind that any of us
could probably make on a bad day, so I apologise for being slightly abrupt
yesterday. Assuming however that the small change above gets the
unrestricted relaying sorted, let us know if you have any further problems
with getting SMTP AUTH working. Take care to make sure that you can't
authenticate by using an empty username or password, as that seems to be
something that happens quite often, and there additionally seems to be
some evidence that spammers are starting to exploit it.


Tim
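
Added example, not part of the original message: a Python sketch that shows what each IPv4 entry of the quoted `relay_from_hosts` value matches once its mask is applied, and flags entries that reach outside RFC 1918 or loopback space. The names `audit_hostlist`, `INTERNAL` and `SAMPLE` are assumptions made for this illustration, and only plain IPv4 items are handled.

```python
import ipaddress

# Ranges a relay hostlist can contain without opening the relay to
# public address space: RFC 1918 private blocks plus loopback.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def audit_hostlist(value):
    """Audit a colon-separated hostlist of IPv4 addresses / CIDR blocks.

    Returns a list of (entry, effective_network, findings) tuples.
    Host names, lookups, negation and IPv6 items are not interpreted.
    """
    results = []
    for item in (p.strip() for p in value.split(":")):
        if not item:
            continue
        try:
            iface = ipaddress.ip_interface(item)
        except ValueError:
            results.append((item, None, ["not plain IPv4; review by hand"]))
            continue
        net = iface.network  # the range the mask really matches
        findings = []
        if "/" in item and iface.ip != net.network_address:
            findings.append(f"host bits set; mask matches all of {net}")
        if not any(net.subnet_of(i) for i in INTERNAL):
            if any(net.overlaps(i) for i in INTERNAL):
                findings.append("extends beyond private/loopback space")
            else:
                findings.append("public address space; confirm it is intended")
        results.append((item, net, findings))
    return results

# Hostlist value quoted in the message above.
SAMPLE = "127.0.0.1 : 192.168.1.0/8 : 151.38.133.230"

if __name__ == "__main__":
    for entry, net, findings in audit_hostlist(SAMPLE):
        print(f"{entry:18} -> {net}  {'; '.join(findings) or 'ok'}")
```

Running a check like this over a hostlist before deploying a configuration change makes an over-wide mask visible as the network it really covers.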