Re: [Exim] Outgoing relaying

Top Page
Delete this message
Reply to this message
Author: Willie Viljoen
Date:  
To: Liezel Welman, exim-users
Subject: Re: [Exim] Outgoing relaying
(Reply as part of message)
----- Original Message -----
From: "Liezel Welman" <liezel.welman@???>
To: <exim-users@???>
Sent: Wednesday, January 07, 2004 3:33 PM
Subject: [Exim] Outgoing relaying


> What I want to do is to have people with a from address of @oursite.com
> be able to send email to any other domain. We can't do SMTP auth just
> yet, although that is the plan in a month or so. From the exim book, I
> know
> that: "You should never use a test on a sender address as the only
> condition
> for accepting a message, because envelope sender addresses can be
> trivially forged". But I'm willing to accept it as a temporary risk.
>


This is quite a big risk. The problem here is that many mail services used
to allow this, and most spammers and their spamware know this. As soon as an
address in one of your domains is harvested from a forum/mailing list/web
page, the spamware will no doubt check your server for this vulnerability.
Spammers also seem to like passing data to each other these days, so once
one finds you, a whole lot of them have found you. I'd try to avoid that,
because spammers' software isn't generally designed to check if they have
been cut off, once they think you are an open relay, they keep bombarding
you with traffic, sometimes for months after they have been shut out.

At two small ISPs I do sysadmin work for, we have had similar problems where
mail is hosted for clients who do not use us as their primary ISP. The best
solution I have found is to have these clients use the third pary ISP's mail
servers for outgoing mail. They need not send mail through your server to be
able to receive incoming mail through it, also, SMTP servers at ISPs don't
check the sender address, they are only concerned about the sender IP
address, thus sending from myuser@??? via a dial-up ISP's mail
server will work fine, without any side effects.

This is annoying to get configured in the short term, as all clients will
have to update their configurations, but it is a great deal safer. The other
option is too risky to be worth the while, if spammers start using your
server, you will no doubt soon find yourself on one of the more strict black
lists, in which case they won't be able to send mail through your server
anyway :)

If you have to take the risk, the configuration you are using seems to be
fine, although I would change this:

> accept domains        = !+rbl_domains

deny domains = +rbl_domains

With the first option, there is a loop hole by which spam can easily pass to
your users or through your server. Because the next line explicitly accepts
any mail from a local domain, an e-mail sent from someuser@??? to
any address will pass through your server, even if it is from an RBL listed
host. It is a common practice for spammers to attempt evading detection by
sending the message from the user's own address. By explicitly denying mail
from the RBL listed hosts, you cut them off there and then, the security
hole is closed, and your system does not waste any further resources on
checking the mail.

Will