No, I don't want to relay by domain, that's the point. I don't know how I
am in the first place!
I have some CDPD cards in some laptops that I allow relaying from but those
are in a very well defined list!
Here's my ACL section:
begin acl

check_rcpt:
  accept  hosts = :

  accept  hosts = 127.0.0.1/8

  deny    local_parts = ^.*[@%!/|]

  warn    message     = X-WhitelistedRCPT-nohdrsyncheck: Yes
          local_parts = +nohdrsyncheck:postmaster:abuse

  warn    message     = X-WhitelistedRCPT-nohdrfromcallback: Yes
          local_parts = +nohdrfromcallback:postmaster:abuse

  warn    message     = X-SA-Do-Not-Rej: Yes
          local_parts = +nosarej:postmaster:abuse

  warn    message = X-SA-Do-Not-Run: Yes
          hosts   = +relay_from_hosts

  warn    message       = X-SA-Do-Not-Run: Yes
          authenticated = *

  accept  domains     = +local_domains
          local_parts = postmaster

  #######################################################################
  # Ok, now that we have all the overrides, we can start the deny rules #
  #######################################################################
  deny    message   = "HELO/EHLO required by SMTP RFC"
          condition = ${if eq{$sender_helo_name}{}{yes}{no}}

  deny    message   = Only one recipient accepted for NULL sender
          senders   = :
          condition = ${if >{$rcpt_count}{1} {1}}

  # Explicit blacklists go before our whitelists, people ended up there for
  # a reason

  # Blacklist of hosts
  deny    hosts   = +host_reject_rcpt
          message = Host $sender_host_address is blocked: ${lookup{$sender_host_address}lsearch{HOSTREJECTRCPT1}{$value}{"unspecified reason"}}

  # Blacklist of envelope senders
  deny    senders = +denyenvsenders
          message = Sender $sender_address is blocked: ${lookup{$sender_address}lsearch{BLOCKENVSEND1}{$value}{"unspecified reason"}}

  # Accept bounces to lists even if callbacks or other checks would fail
  warn    message   = X-WhitelistedRCPT-nohdrfromcallback: Yes
          condition = ${if and {{match{$local_part}{.*-bounces\+.*}} \
                                {exists{MAILMAN_HOME/lists/${sg{$local_part}{(.*)-bounces\+.*}{\$1}}}}}{yes}{no}}

  accept  condition = ${if and {{match{$local_part}{.*-bounces\+.*}} \
                                {exists{MAILMAN_HOME/lists/${sg{$local_part}{(.*)-bounces\+.*}{\$1}}}}}{yes}{no}}

  # Deny unless the sender address can be verified.
  accept  local_parts = !+noenvfromcheck
          !verify     = sender

  # Now, do basic address checking, that we forgo if the recipient is in a
  # whitelist
  deny    hosts          = !+localadds:!+host_disable_callback:*
          sender_domains = !+envdomain_disable_callback:*
          local_parts    = !+noenvfromcallback
          # !verify = sender/callout=90s/check_postmaster
          !verify        = recipient

  deny    hosts          = !+localadds
          sender_domains = nomos.com

  accept  domains = +local_domains
          endpass
          message = unknown user
          verify  = recipient

  # Accept if the address is in a domain for which we are relaying, but again,
  # only if the recipient can be verified.
  accept  domains = +relay_to_domains
          endpass
          message = unrouteable address
          verify  = recipient/callout=30s/callout_defer_ok

  # If control reaches this point, the domain is neither in +local_domains
  # nor in +relay_to_domains.
  # Accept if the message comes from one of the hosts for which we are an
  # outgoing relay. Recipient verification is omitted here, because in many
  # cases the clients are dumb MUAs that don't cope well with SMTP error
  # responses. If you are actually relaying out from MTAs, you should probably
  # add recipient verification here.
  accept  hosts  = +localadds:+relay_from_hosts
          verify = recipient

  # accept  hosts = +auth_relay_hosts
  #         endpass
  #         message = authentication required
  #         authenticated = *

  # Reaching the end of the ACL causes a "deny", but we might as well give
  # an explicit message.
  deny    message = relay not permitted

# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.

check_data:
  deny    !verify    = header_syntax
          !condition = $header_X-WhitelistedRCPT-nohdrsyncheck:
          # Thanks to the exim4.gooderror.diff patch, exim will return
          # informative error messages. You can override that with a generic
          # message though
          #message = Syntax error in the headers of your message. Failed to parse

  deny    hosts      = !+localadds:!+host_disable_callback:*
          #sender_domains = !+envdomain_disable_callback:*
          !condition = $header_X-WhitelistedRCPT-nohdrfromcallback:
          !condition = ${lookup{${domain:$header_from:}}lsearch{HDR_DOMAIN_DISABLE_CALLBACK}{yes}{no}}
          !verify    = header_sender/callout=90s/check_postmaster
          # Thanks to the exim4.gooderror.diff patch, exim will return
          # informative error messages. You can override that with a generic
          # message though
          #message = Header sender couldn't be verified

  accept

check_auth:
  accept  hosts = +auth_over_tls_hosts
          endpass
          message   = STARTTLS required before AUTH
          encrypted = *

  accept

check_expn:
  accept  hosts   = +expn_hosts
  deny    message = expn not allowed from this host, sorry

check_vrfy:
  accept  hosts   = +vrfy_hosts
  deny    message = vrfy not allowed from this host, sorry
-----Original Message-----
From: Nico Erfurth [mailto:masta@perlgolf.de]
Sent: Tuesday, April 08, 2003 7:55 AM
To: Tom Rowden
Cc: Exim Users
Subject: Re: [Exim] Problem with relaying
Tom Rowden wrote:
> It seems I need a new rule in my exim4.conf file to prevent something
> from happening...
>
> I am using exim 4.12 with sa-exim 2.2 on a Linux 8.0 machine....
>
> The situation is this:
>
> A machine from the internet is able to connect to my mailserver, give
> a from address that appears to be from my local domain and can send to
> anywhere else on the internet, thus making me an open relay of sorts.
So, you're one of these guys who allows relaying by domain?
> It gives the correct message when they give a non-local address for
> the from address and a non local address of "relaying not permitted"
> however, so I know something of some sort is working.
>
> How do I enter a rule in my conf file to fix the above listed problem?
Show your current ACL.
Provide logentries.
Hmmm, and maybe also show your authenticator, if you use authentication.
Nico
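An added illustration, not part of this thread and not Exim's own code: a small Python model of how Exim walks an ACL in order, applied to a simplified subset of the check_rcpt rules posted above. The list contents, host addresses and the outcomes of "verify = sender" and "verify = recipient" are constructed assumptions; real Exim routes addresses and does callouts, which the model replaces with booleans. The rule that sits under the comment "Deny unless the sender address can be verified" is parameterised by verb, so the output contrasts what the posted "accept" does with an unverifiable sender against the "deny" the comment describes.

```python
# Added example, not part of the thread: a toy evaluator for Exim ACL verb
# semantics, run over a simplified subset of the check_rcpt rules posted
# above. Hosts, domains and the outcomes of "verify = sender" /
# "verify = recipient" are constructed stand-ins; real Exim routes and
# does callouts, which this stub does not.

from dataclasses import dataclass


@dataclass
class RcptCheck:
    host: str              # address of the connecting host
    sender: str            # envelope sender (MAIL FROM)
    recipient: str         # envelope recipient (RCPT TO)
    sender_verifies: bool  # stubbed result of "verify = sender"
    rcpt_verifies: bool    # stubbed result of "verify = recipient"


# Constructed stand-ins for the named lists referenced by the posted ACL.
LOCAL_DOMAINS = {"local.example"}
RELAY_TO_DOMAINS = {"customer.example"}
RELAY_FROM_HOSTS = {"192.0.2.10"}
LOCALADDS = {"127.0.0.1"}
NOENVFROMCHECK = {"postmaster", "abuse"}


def domain(addr):
    return addr.rsplit("@", 1)[1].lower()


def local_part(addr):
    return addr.rsplit("@", 1)[0].lower()


def evaluate(rules, r):
    """First-match evaluation of Exim ACL verbs.

    Each rule is (verb, conditions, endpass_index). A verb fires only when
    every condition is true. For 'accept', a condition that fails before
    'endpass' just moves on to the next rule; one that fails after
    'endpass' turns the rule into a deny. Reaching the end of the ACL
    without a verdict is a deny.
    """
    for verb, conds, endpass in rules:
        for i, cond in enumerate(conds):
            if not cond(r):
                if verb == "accept" and endpass is not None and i >= endpass:
                    return "deny"
                break
        else:
            if verb in ("accept", "deny"):
                return verb
            # 'warn' would add a header and fall through
    return "deny"


def check_rcpt(sender_rule_verb):
    """Subset of the posted check_rcpt, in the posted order. The verb of the
    '!verify = sender' rule is a parameter: the comment above it in the
    posted file says deny, the file itself uses accept."""
    return [
        ("accept", [lambda r: r.host in LOCALADDS], None),
        ("accept", [lambda r: domain(r.recipient) in LOCAL_DOMAINS,
                    lambda r: local_part(r.recipient) == "postmaster"], None),
        # local_parts in a RCPT ACL tests the recipient's local part
        (sender_rule_verb,
         [lambda r: local_part(r.recipient) not in NOENVFROMCHECK,
          lambda r: not r.sender_verifies], None),
        # accept domains = +local_domains / endpass / verify = recipient
        ("accept", [lambda r: domain(r.recipient) in LOCAL_DOMAINS,
                    lambda r: r.rcpt_verifies], 1),
        # accept domains = +relay_to_domains / endpass / verify = recipient
        ("accept", [lambda r: domain(r.recipient) in RELAY_TO_DOMAINS,
                    lambda r: r.rcpt_verifies], 1),
        # accept hosts = +localadds:+relay_from_hosts / verify = recipient
        ("accept", [lambda r: r.host in LOCALADDS or r.host in RELAY_FROM_HOSTS,
                    lambda r: r.rcpt_verifies], None),
        ("deny", [], None),  # relay not permitted
    ]


def decide(sender_rule_verb, **fields):
    return evaluate(check_rcpt(sender_rule_verb), RcptCheck(**fields))


# Constructed test cases.
CASES = {
    # outside host, unverifiable sender in the local domain, outside recipient
    "forged_local_sender": dict(host="203.0.113.5", sender="ghost@local.example",
                                recipient="someone@remote.example",
                                sender_verifies=False, rcpt_verifies=True),
    # outside host, verifiable outside sender, outside recipient
    "plain_relay_attempt": dict(host="203.0.113.5", sender="real@remote.example",
                                recipient="someone@remote.example",
                                sender_verifies=True, rcpt_verifies=True),
    # inbound mail for a local user that does not exist
    "unknown_local_user": dict(host="203.0.113.5", sender="real@remote.example",
                               recipient="nobody@local.example",
                               sender_verifies=True, rcpt_verifies=False),
    # listed relay client sending outbound
    "relay_client": dict(host="192.0.2.10", sender="laptop@local.example",
                         recipient="someone@remote.example",
                         sender_verifies=True, rcpt_verifies=True),
}

if __name__ == "__main__":
    for name, fields in CASES.items():
        print(f"{name:22s} accept-variant={decide('accept', **fields):7s}"
              f" deny-variant={decide('deny', **fields)}")
```

Running it, the forged_local_sender case is accepted under the "accept" variant before any of the later relay rules are consulted, and denied under the "deny" variant; the other three cases decide the same way whichever verb is used, because their sender verifies and the rule never fires.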