RE: [Exim] Problem with relaying

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Tom Rowden
Date:  
À: 'Nico Erfurth', Exim Users
Sujet: RE: [Exim] Problem with relaying
No, I don't want to relay by domain, that's the point.. I don't know how I
am in the first place!

I have some CDPD cards in some laptops that I allow relaying from but those
are in a very well defined list!

Here's my ACL section:


begin acl

check_rcpt:

  accept  hosts = :
  accept  hosts         = 127.0.0.1/8


  deny    local_parts   = ^.*[@%!/|]


  warn     message       = X-WhitelistedRCPT-nohdrsyncheck: Yes
           local_parts   = +nohdrsyncheck:postmaster:abuse


  warn     message       = X-WhitelistedRCPT-nohdrfromcallback: Yes
           local_parts   = +nohdrfromcallback:postmaster:abuse


  warn     message       = X-SA-Do-Not-Rej: Yes
           local_parts   = +nosarej:postmaster:abuse


  warn     message       = X-SA-Do-Not-Run: Yes
           hosts         = +relay_from_hosts


  warn     message       = X-SA-Do-Not-Run: Yes
           authenticated = *


  accept  domains       = +local_domains
          local_parts   = postmaster


#######################################################################
# Ok, now that we have all the overrides, we can start the deny rules #
#######################################################################

  deny  message   = "HELO/EHLO required by SMTP RFC"
        condition = ${if eq{$sender_helo_name}{}{yes}{no}}


  deny  message   = Only one receipient accepted for NULL sender
        senders   = :
        condition     = ${if >{$rcpt_count}{1} {1}}


# Explicit blacklists go before our whitelists, people ended up there for
# a reason

  # Blacklist of hosts
  deny    hosts         = +host_reject_rcpt
          message       = Host $sender_host_address is blocked:
${lookup{$sender_host_address}lsearch{HOSTREJECTRCPT1}{$value}{"unspecified
reason"}}


  # Blacklist of envelope senders
  deny    senders       = +denyenvsenders
          message       = Sender $sender_address is blocked:
${lookup{$sender_address}lsearch{BLOCKENVSEND1}{$value}{"unspecified
reason"}}


  # Accept bounces to lists even if callbacks or other checks would fail
  warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
           condition    = ${if and {{match{$local_part}{.*-bounces\+.*}}
{exists
{MAILMAN_HOME/lists/${sg{$local_part}{(.*)-bounces\+.*}{\$1}}}}}{yes}{no}}


  accept  condition     = ${if and {{match{$local_part}{.*-bounces\+.*}}
{exists
{MAILMAN_HOME/lists/${sg{$local_part}{(.*)-bounces\+.*}{\$1}}}}}{yes}{no}}



  # Deny unless the sender address can be verified.
  accept    local_parts = !+noenvfromcheck
         !verify = sender


  # Now, do basic address checking, that we forgo if the receipient is in a
  # whilelist
  deny    hosts = !+localadds:!+host_disable_callback:*
          sender_domains = !+envdomain_disable_callback:*
          local_parts   = !+noenvfromcallback
#        !verify = sender/callout=90s/check_postmaster
          !verify = recipient


  deny    hosts = !+localadds
          sender_domains = nomos.com


  accept  domains       = +local_domains
          endpass
          message       = unknown user
          verify        = recipient


  # Accept if the address is in a domain for which we are relaying, but
again,
  # only if the recipient can be verified.
  accept  domains       = +relay_to_domains
          endpass
          message       = unrouteable address
          verify        = recipient/callout=30s/callout_defer_ok


# If control reaches this point, the domain is neither in +local_domains
# nor in +relay_to_domains.

  # Accept if the message comes from one of the hosts for which we are an
  # outgoing relay. Recipient verification is omitted here, because in many
  # cases the clients are dumb MUAs that don't cope well with SMTP error
  # responses. If you are actually relaying out from MTAs, you should
probably
  # add recipient verification here.
  accept  hosts         = +localadds:+relay_from_hosts
          verify        = recipient



#  accept  hosts = +auth_relay_hosts
#          endpass
#          message = authentication required
#          authenticated = *


  # Reaching the end of the ACL causes a "deny", but we might as well give
  # an explicit message.
  deny    message = relay not permitted




# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.


check_data:

  deny    !verify = header_syntax
         !condition = $header_X-WhitelistedRCPT-nohdrsyncheck:
          # Thanks to the exim4.gooderror.diff patch, exim will return
          # informative error messages. You can override that with a generic
          # message though
          #message = Syntax error in the headers of your message. Failed to
parse


  deny    hosts = !+localadds:!+host_disable_callback:*
          #sender_domains = !+envdomain_disable_callback:*
         !condition = $header_X-WhitelistedRCPT-nohdrfromcallback:
         !condition =
${lookup{${domain:$header_from:}}lsearch{HDR_DOMAIN_DISABLE_CALLBACK}
{yes}{no}}
         !verify = header_sender/callout=90s/check_postmaster
          # Thanks to the exim4.gooderror.diff patch, exim will return
          # informative error messages. You can override that with a generic
          # message though
          #message = Header sender couldn't be verified


accept


check_auth:
  accept  hosts = +auth_over_tls_hosts
          endpass
          message = STARTTLS required before AUTH
          encrypted = *
  accept



check_expn:
accept hosts = +expn_hosts
deny message = expn not allowed from this host, sorry


check_vrfy:
accept hosts = +vrfy_hosts
deny message = vrfy not allowed from this host, sorry


-----Original Message-----
From: Nico Erfurth [mailto:masta@perlgolf.de]
Sent: Tuesday, April 08, 2003 7:55 AM
To: Tom Rowden
Cc: Exim Users
Subject: Re: [Exim] Problem with relaying


Tom Rowden wrote:

> It seems I need a new rule in my exim4.conf file to prevent something
> from happening...
>
> I am using exim 4.12 with sa-exim 2.2 on a Linux 8.0 machine....
>
> The situation is this:
>
> A machine from the internet is able to connect to my mailserver, give
> a from address that appears to be from my local domain and can send to
> anywhere else on the internet, thus making me an open relay of sorts.


So, you're one of these guys who allows relaying by domain?

> It gives the correct message when they give a non-local address for
> the from address and a non local address of "relaying not permitted"
> however, so I know something of some sort is working.
>
> How do I enter a rule in my conf file to fix the above listed problem?


Show your current ACL.
Provide logentries.
Hmmm, any maybe also show your authenticator, if you use authentication.

Nico