>"Matt Sealey" wrote on Mon Dec 8, 2003 1:15 pm
>
>Hello all,
>
>I'm having one hell of a time getting my Exim to only accept relays to
>non-local domains when authenticated. Basically we're talking about
>the ultimate open-relay stopper, if nobody can send unless they're
>trying to mail users on the box or they're a known entity.
>
**SNIP SNIP**
Here is what I do for what it's worth:
This is all done with LDAP lookups and virtual domains...
#The '_R' and '_S' lookups are the same, it just depends on
# what part of the smtp side we want to check:
# a 'LOCAL' sender ('_S') or a 'LOCAL' recipient ('_R')?
#Define the Store and Forward only domains.
domainlist forward_domains_R = \
ldapm;ldap::///ou=Forward-only-Domains,o=top?dc?one? \
(&(objectClass=*)(dc=$domain))
#Define the Local delivery domains.
domainlist local_domains_R = \
ldapm;ldap::///o=top?dc?one?(&(objectClass=*)(dc=$domain))
#Define Domains that we will rewrite for
domainlist rewrite_domains_R = \
ldapm;ldap::///ou=ReWriteDomains,ou=MailConfiguration, \
o=top?dc?one?(&(objectClass=*)(dc=$domain))
#Define the Store and Forward only domains.
domainlist forward_domains_S = \
ldapm;ldap::///ou=Forward-only-Domains,o=top?dc?one? \
(&(objectClass=*)(dc=$sender_address_domain))
#Define the Local delivery domains.
domainlist local_domains_S = \
ldapm;ldap::///o=top?dc?one?(&(objectClass=*) \
(dc=$sender_address_domain))
#Define Domains that we will rewrite for
domainlist rewrite_domains_S = \
ldapm;ldap::///ou=ReWriteDomains,ou=MailConfiguration, \
o=top?dc?one?(&(objectClass=*)(dc=$sender_address_domain))
#Define the hosts that we blindly relay for.
hostlist relay_hosts = (this data is stored in LDAP but returned from a perl lookup that formats the information as needed)
#Define the hosts that we reject connections from.
hostlist connection_reject = (this data is stored in LDAP but returned from a perl lookup that formats the information as needed)
acl_mail_command:
#DENY any mail command given before a Helo command
# This will force the helo like we want :)
deny message = \
HELO/EHLO command must be given
condition = ${if def:sender_helo_name{no}{yes}}
#ACCEPT mail from any host that we blindly relay for as
# defined in LDAP
accept hosts = +relay_hosts
#ACCEPT mail from Domains that are local only if the connection
# is authenticated. Relay hosts are not subject to this
# check as they have already been accepted.
accept sender_domains = \
+local_domains_S : +forward_domains_S : +rewrite_domains_S
endpass
message = \
Authentication Required: \n\
The connection must be authenticated to send from \
this address.
authenticated = *
#ACCEPT all other connections here unless we do not want
# any mail at all :)
accept
acl_rcpt_command:
#REQUIRE that all senders are verified. If there is a
# timeout or other 'error' then we pass this test anyway.
# We skip this check if a user is 'LOCAL' to us.
# We can also skip this check for any 'user@', '@domain',
# or 'user@domain' as defined in the ou=SenderVerify.
deny !senders = \
ldapm;ldap::///ou=MailSenderVerify,ou=MailConfiguration, \
o=top?RHost?one?(&(objectClass=HostList)(RHost=accept) \
(|(mailRHost=$sender_address_local_part@$sender_address_domain)\
(mailRHost=@$sender_address_domain) \
(mailRHost=$sender_address_local_part@))) : \
ldapm;ldap::///dc=$sender_address_domain,ou=Forward-only-Domains,\
o=top?mailLocalAddress?sub? \
(&(objectClass=inetLocalMailRecipient) \
(mailLocalAddress=@$sender_address_domain)) : \
ldapm;ldap::///dc=$sender_address_domain,ou=ReWriteDomains, \
ou=MailConfiguration,o=top?mailLocalAddress?sub? \
(&(objectClass=inetLocalMailRecipient) \
(mailLocalAddress=@$sender_address_domain)) : \
ldapm;ldap::///dc=$sender_address_domain, \
o=top?mailLocalAddress?sub? \
(&(objectClass=inetLocalMailRecipient) \
(uid=$sender_address_local_part) \
(mailLocalAddress=$sender_address_local_part@$sender_address_domain)\
(!(mailUserInactive=yes)))
!verify = sender/callout=10s,defer_ok,random
#ACCEPT if the SMTP connection is from Local Host not TCP/IP
accept hosts = :
#ACCEPT mail for any user as defined in LDAP
# Stop the acl with ACCEPT if the $domain of the message
# is for one of our domains and the recipient can be verified
# If the recipient verification fails Stop the acl with DENY
# and send error text of '$message'
accept domains = +local_domains_R : \
+forward_domains_R : \
+rewrite_domains_R
endpass
message = \
Invalid Address: \n\
Confirmation of the recipient address failed, \n\
or the user account is currently inactive.
#The condition checks to see if the rcpt is a valid user
# (the false branch returns a plain 'false' rather than forcing
# the expansion to fail, so the DENY after endpass is what fires)
condition = \
${if or{ \
{eqi {@$domain}{${lookup ldap \
{ldap:///dc=$domain,ou=Forward-only-Domains, \
o=top?mailLocalAddress?sub? \
(&(objectClass=inetLocalMailRecipient)\
(mailLocalAddress=@$domain))}}} \
}{eqi {$local_part@$domain}{${lookup ldap \
{ldap:///dc=$domain,o=top?mailLocalAddress?sub? \
(&(objectClass=inetLocalMailRecipient)(uid=$local_part) \
(mailLocalAddress=$local_part@$domain)\
(!(mailUserInactive=yes)))}}}}}{true}{false}}
#The relay_hosts and authenticated hosts can send to
# ANY rcpt address
#ACCEPT mail from any host that we blindly relay for as
# defined in LDAP
accept hosts = +relay_hosts
#ACCEPT mail from any host that makes a successful SMTP Auth
accept authenticated = *
#DENY with error text of '$message' because all other
# checks have failed so we do not want to relay for
# people not sending to us or because they are unknown to us.
deny message = \
Undeliverable Message: \n\
SMTP relaying is not permitted without proper \
authentication. \n\
Further abuse may result in any or all of the following:\n\
\tDenying future connections. \n\
\tNotifying the proper authorities. \n\
\tNotifying your internet provider.
begin authenticators
SMTP_AUTH_PLAIN:
#PLAINTEXT just defines what authentication method should be used
# others could include MD5/SHA etc.
driver = plaintext
#PLAIN is what is advertised, again the RFC Standard for basic
# authentication and the standard 'prompt' that goes with it
public_name = PLAIN
server_prompts = :
#This is a pass/fail (yes/no) test. We take the
# information given to us by the user and then attempt
# to bind to the LDAP server as that user.
# For PLAIN, $2 is the authcid ('user@domain' or 'user%domain')
# and $3 the password. The DN parts go through quote_ldap_dn and
# the password through quote so a ',' or '"' typed by the client
# cannot change the DN that we bind as.
server_condition = ${if ldapauth \
{user="uid=${quote_ldap_dn:${extract{1}{@|%}{$2}}},\
dc=${quote_ldap_dn:${extract{2}{@|%}{$2}}},o=top" \
pass=${quote:$3} ldap:///}{yes}{no}}
server_set_id = \
"uid=${extract{1}{@|%}{$2}},dc=${extract{2}{@|%}{$2}},\
o=top"
SMTP_AUTH_LOGIN:
#PLAINTEXT just defines what authentication method should be used
# others could include MD5/SHA etc.
driver = plaintext
#LOGIN is what is advertised, just another plaintext
# authenticator
# that is used and supported by many clients including Outlook,
# Outlook Express, and Netscape, we pass the standard 'prompt'
# that goes with it.
public_name = LOGIN
server_prompts = Username:: : Password::
#This is a pass/fail (yes/no) test. We take the
# information given to us by the user and then attempt
# to bind to the LDAP server as that user.
# For LOGIN, $1 is the username and $2 the password; the same
# quoting as for PLAIN applies.
server_condition = ${if ldapauth \
{user="uid=${quote_ldap_dn:${extract{1}{@|%}{$1}}},\
dc=${quote_ldap_dn:${extract{2}{@|%}{$1}}},o=top" \
pass=${quote:$2} ldap:///}{yes}{no}}
server_set_id = \
"uid=${extract{1}{@|%}{$1}},dc=${extract{2}{@|%}{$1}},\
o=top"
--EAL--
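An added model, in Python, of the decision order the two ACLs in the post implement. It is not Exim and not the poster's configuration: the LDAP trees are replaced by constructed in-memory tables (the domain names, users and the relay host address are made up), rewrite domains and the sender callout (deny !senders ... !verify = sender/callout) are left out, and the rest follows the accept/deny/endpass sequence line for line. Running the classic open-relay probes through it shows what the config states only by position: a sender in one of "our" domains is refused at MAIL unless authenticated, and because the recipient-verification accept comes before the relay_hosts and authenticated accepts, even a trusted relay host cannot address a non-existent or inactive local user.

```python
"""Model of acl_mail_command / acl_rcpt_command from the post with constructed data.
Not Exim code; the LDAP lookups are stand-in tables and the callout is omitted."""
from dataclasses import dataclass
from typing import Optional, Tuple

# --- constructed directory, standing in for the LDAP trees in the post ---------
LOCAL_DOMAINS = {"example.org"}           # local_domains_R / local_domains_S
FORWARD_DOMAINS = {"fwd.example.net"}     # forward_domains_R / _S: any local part
LOCAL_USERS = {                           # (uid, dc) -> account active?
    ("alice", "example.org"): True,
    ("bob", "example.org"): False,        # mailUserInactive=yes
}
RELAY_HOSTS = {"192.0.2.10"}              # hostlist relay_hosts

Verdict = Tuple[str, str]                 # ("accept" | "deny", message)


@dataclass
class Session:
    host: Optional[str]                   # None = not over TCP/IP (matches "hosts = :")
    helo: Optional[str] = None
    authenticated: bool = False           # set by a successful SMTP AUTH
    sender: str = ""                      # envelope sender, "" for a bounce


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def domain_is_ours(dom: str) -> bool:
    return dom in LOCAL_DOMAINS or dom in FORWARD_DOMAINS


def acl_mail_command(s: Session) -> Verdict:
    if s.helo is None:                                       # deny ... !def:sender_helo_name
        return ("deny", "HELO/EHLO command must be given")
    if s.host in RELAY_HOSTS:                                # accept hosts = +relay_hosts
        return ("accept", "")
    # accept sender_domains = +local_domains_S : ...  endpass  authenticated = *
    # Once the domain list has matched, endpass turns a failed auth check into a deny.
    if domain_is_ours(_domain(s.sender)):
        if s.authenticated:
            return ("accept", "")
        return ("deny", "Authentication Required")
    return ("accept", "")                                    # everything else: decided at RCPT


def recipient_is_valid(local_part: str, dom: str) -> bool:
    """The 'condition' of the RCPT accept: forward-only domains take any local part,
    local domains need an active uid."""
    if dom in FORWARD_DOMAINS:
        return True
    return LOCAL_USERS.get((local_part.lower(), dom), False)


def acl_rcpt_command(s: Session, rcpt: str) -> Verdict:
    if s.host is None:                                       # accept hosts = :
        return ("accept", "")
    local_part, dom = rcpt.rsplit("@", 1)[0], _domain(rcpt)
    # accept domains = +local_domains_R : ...  endpass  condition = <recipient lookup>
    # This sits before the relay_hosts / authenticated accepts, so nobody, trusted
    # or not, can address an unknown or inactive local user.
    if domain_is_ours(dom):
        if recipient_is_valid(local_part, dom):
            return ("accept", "")
        return ("deny", "Invalid Address")
    if s.host in RELAY_HOSTS or s.authenticated:             # the only two relay paths
        return ("accept", "")
    return ("deny", "SMTP relaying is not permitted without proper authentication")


def relay_probe(s: Session, rcpt: str) -> str:
    """Run MAIL then RCPT, as a relay tester would; the first deny ends the attempt."""
    verdict, _ = acl_mail_command(s)
    if verdict == "deny":
        return "deny@MAIL"
    verdict, _ = acl_rcpt_command(s, rcpt)
    return verdict + "@RCPT"


if __name__ == "__main__":
    # constructed sessions: an unknown remote host, and the same host after SMTP AUTH
    remote = Session(host="198.51.100.7", helo="mx.attacker.test", sender="x@attacker.test")
    print(relay_probe(remote, "victim@elsewhere.test"))      # deny@RCPT
    authed = Session(host="198.51.100.7", helo="pc", authenticated=True, sender="alice@example.org")
    print(relay_probe(authed, "victim@elsewhere.test"))      # accept@RCPT
```

Each Session is one SMTP connection; relay_probe answers the question an open-relay scanner asks (can this client get a RCPT TO for a foreign domain accepted?) for any combination of host, HELO, authentication state and envelope sender.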
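The two authenticators bind to LDAP as a DN assembled from the client-supplied username, so the value of $2 (PLAIN) or $1 (LOGIN) ends up inside a DN string. The following is an added illustration in Python, not Exim code and not from the post: it decodes the AUTH PLAIN and AUTH LOGIN client messages the way the server sees them, splits the username on '@' or '%' as ${extract{n}{@|%}{...}} does, and builds uid=...,dc=...,o=top once without and once with RFC 4514 escaping (the job of Exim's quote_ldap_dn operator). The sample logins, domain and the hostile username are constructed. A separate point the config itself does not address: both mechanisms send the password in the clear, so a real deployment advertises them only over TLS.

```python
"""AUTH PLAIN / AUTH LOGIN decoding and bind-DN construction with and without
DN escaping. Added illustration; the exim_extract helper only approximates Exim."""
import base64
import re
from typing import List, Tuple


def encode_auth_plain(authzid: str, authcid: str, password: str) -> str:
    """Client side of PLAIN (RFC 4616): base64(authzid NUL authcid NUL password)."""
    return base64.b64encode(f"{authzid}\0{authcid}\0{password}".encode("utf-8")).decode()


def decode_auth_plain(b64: str) -> Tuple[str, str, str]:
    """Server side: (authzid, authcid, password), which Exim exposes as $1, $2, $3."""
    fields = base64.b64decode(b64).decode("utf-8").split("\0")
    if len(fields) != 3:
        raise ValueError("PLAIN response must carry exactly three NUL-separated fields")
    return fields[0], fields[1], fields[2]


def decode_auth_login(user_b64: str, pass_b64: str) -> Tuple[str, str]:
    """Server side of LOGIN: the base64 answers to 'Username:' and 'Password:' are $1, $2."""
    return (base64.b64decode(user_b64).decode("utf-8"),
            base64.b64decode(pass_b64).decode("utf-8"))


def exim_extract(n: int, separators: str, s: str) -> str:
    """Approximation of ${extract{n}{separators}{s}}: split on any separator character,
    return the 1-based field n, or "" when there is no such field."""
    fields = re.split("[" + re.escape(separators) + "]", s)
    return fields[n - 1] if 1 <= n <= len(fields) else ""


def quote_ldap_dn(value: str) -> str:
    """RFC 4514 escaping of one attribute value inside a DN (what ${quote_ldap_dn:...} does):
    backslash before , + " \\ < > ; and NUL, and before a leading #, leading or trailing space."""
    out: List[str] = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '",+;<>\\':
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def bind_dn(authcid: str, quote: bool = True) -> str:
    """DN the authenticator binds as; quote=False reproduces the unquoted form in the post."""
    uid = exim_extract(1, "@|%", authcid)
    dc = exim_extract(2, "@|%", authcid)
    if quote:
        uid, dc = quote_ldap_dn(uid), quote_ldap_dn(dc)
    return f"uid={uid},dc={dc},o=top"


def dn_components(dn: str) -> List[str]:
    """Split a DN on unescaped commas, so an injected ',dc=...' shows up as an extra RDN."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escape pairs together
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return rdns


if __name__ == "__main__":
    # constructed client input: a normal login, then a username carrying a DN fragment
    _, authcid, password = decode_auth_plain(encode_auth_plain("", "alice@example.org", "s3cret"))
    print(bind_dn(authcid))                                # uid=alice,dc=example.org,o=top
    hostile = "alice,dc=other@example.org"
    print(dn_components(bind_dn(hostile, quote=False)))    # 4 RDNs: the client added one
    print(dn_components(bind_dn(hostile)))                 # 3 RDNs: the comma is escaped
```

The unquoted form lets whoever controls the username decide how many RDNs the bind DN has; with escaping, the same input stays a single uid value and the bind simply fails for a user that does not exist.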