Re: [Exim] Using ACL to block spaam... possible?

Author: Tim Jackson
Date:  
To: exim-users
CC: Lukas
Subject: Re: [Exim] Using ACL to block spaam... possible?
Hi Lukas, on Sun, 23 Mar 2003 14:34:18 CET you wrote:

> > > hostlist relay_from_hosts = 127.0.0.1 : 192.168.1.0/8
> > This rings alarm bells to me.
> You are right... it was a mistake... I realized it the moment I pasted
> the config file to my previous message. I corrected it to
> 192.168.1.0/24. However I checked my logs and spam attempts came from
> 211.xxxxxx and 218.xxxxxx.


Were they actually *successful* attempts though, or did they get rejected?
It's a fact of life that you will get relay attempts every day (mostly an
odd address, sometimes an annoying persistent dictionary attack, often
switching between different remote hosts). But as long as your ACLs and so
on are configured correctly, this is nothing to worry about.

What would be interesting to look at is where the *successful* attempts
(that is, where messages ended up on your outgoing queue) came from.

> But the problem is that I need to change it to hostlist
> relay_from_host = *


No, you don't, well, not without changing the meaning of relay_to_hosts in
your RCPT ACL. What you need to remember is that relay_from_hosts is just
a name, which is used by the default ACL (and yours) to say "allow
relaying from these (trusted) hosts *without authentication*".

What this means is that you *don't* need to set relay_from_hosts to * to
allow relaying from remote hosts, if you're using SMTP AUTH. Having it set
as it currently is (with corrected netmask for 192.x) will work just fine.

> I cannot do it at the moment without becoming an open relay.


Yes, as above: relay_from_hosts, per default, sets who can relay *without
authentication*, so setting it to anything other than a trusted host will
make you an open relay.

> I checked but it doesn't seem to be my problem. For what I can see,
> Authentication works well. But it is always a second chance. Before
> sending mail with authentication I always can send mail without the need
> of authenticate myself.


Are you sure that when you're testing it, you're not testing from a host
that is in relay_from_hosts? If you are, then that will be why. Try
setting relay_from_hosts to just 127.0.0.1, and then try relaying from
your home DSL line or similar. You should then be forced to authenticate,
and be denied relaying if you don't.

If you're still in doubt, try exim -d -bh x.y.z.a and send a test message.
(where x.y.z.a is some remote IP, not shown in relay_from_hosts)

> In such a way, having SMTP Auth, is quite useless, I think.


Indeed. However, I strongly suspect that in your tests you are sending
mail from a host in relay_from_hosts.

> Probably is really something wrong in the order of ACL statement but I
> can't understand where...


I've just had another look to check, and the order of your RCPT ACL still
looks OK to me. The only circumstances in which you're accepting mail, in
order, are:

anything@anywhere, host = :
postmaster@???
[verify sender]
anything@???
anything@???
anything@anywhere, from a trusted host in relay_from_hosts
anything@anywhere, from an authenticated user


That's quite a normal, and sensible, configuration.


Tim
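
Added example, not part of the message above and not Exim code: a small Python audit of a hostlist line like the ones quoted in this thread. It flags items whose mask is wider than the address suggests (the 192.168.1.0/8 case) and tells you whether a given test client would be allowed to relay without authentication, which is the check to make before concluding that SMTP AUTH is being bypassed. It handles IPv4 items only; the function names and the test addresses are constructed for the example.

```python
import ipaddress

def parse_hostlist(line):
    """Split 'hostlist name = a : b' into (name, [items]). IPv4 items only."""
    decl, _, value = line.partition("=")
    name = decl.split()[1]
    return name, [item.strip() for item in value.split(":") if item.strip()]

def audit_hostlist(line):
    """Return (networks, warnings) for one hostlist line."""
    name, items = parse_hostlist(line)
    networks, warnings = [], []
    for item in items:
        if item == "*":
            warnings.append(f"{name}: '*' lets every host relay without authentication")
            networks.append(ipaddress.ip_network("0.0.0.0/0"))
            continue
        # Only the first /N bits take part in the comparison, so
        # 192.168.1.0/8 behaves as 192.0.0.0/8.
        net = ipaddress.ip_network(item, strict=False)
        if ipaddress.ip_interface(item).ip != net.network_address:
            warnings.append(
                f"{name}: {item} covers {net} ({net.num_addresses} addresses)")
        networks.append(net)
    return networks, warnings

def relays_without_auth(line, client_ip):
    """True if client_ip matches the hostlist, i.e. it is never asked to authenticate."""
    networks, _ = audit_hostlist(line)
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)

# Hostlist lines as they appear in the thread.
PASTED = "hostlist relay_from_hosts = 127.0.0.1 : 192.168.1.0/8"
CORRECTED = "hostlist relay_from_hosts = 127.0.0.1 : 192.168.1.0/24"
OPEN = "hostlist relay_from_host = *"

# Constructed test clients: a LAN host, a 192.x host outside the LAN,
# and an unrelated remote host (documentation address ranges).
CLIENTS = ["192.168.1.50", "192.0.2.10", "203.0.113.25"]

if __name__ == "__main__":
    for line in (PASTED, CORRECTED, OPEN):
        _, warnings = audit_hostlist(line)
        print(line)
        for w in warnings:
            print("  WARNING:", w)
        for ip in CLIENTS:
            verdict = "relays without AUTH" if relays_without_auth(line, ip) else "must authenticate"
            print(f"  {ip:15} {verdict}")
```

A test of SMTP AUTH only means something when it is run from a client this reports as "must authenticate".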