Re: [Exim] Relay

Author: Tor Slettnes
Date:  
To: Rahul
CC: exim-users
Subject: Re: [Exim] Relay
On Apr 8, 2004, at 06:40, Rahul wrote:

> Basically I wanted to use one server as pop/smtp and I tried many options
> but I was unable to send (outgoing) mail through that server.


This is a 'standard' configuration issue, and it has a set of
'standard' solutions:

  - Allow relaying from certain hosts, e.g.:
      hostlist relay_from_hosts = 127.0.0.1 : 192.168.0.0/24


  - Allow authentication, and relaying for authenticated clients.
    The Exim distribution comes with some examples on how to do this.
    (For PLAIN and LOGIN type authentication, which you must use if you
    want to do authentication against a UNIX password database, you must
    also enable encryption/TLS -- see corresponding docs).


  - If you cannot do SMTP AUTH for some reason, the fallback for "remote"
    clients would be to use a POP-before-SMTP-type authentication.
    Basically, once a user checks their mail via POP3 or IMAP, you would
    allow relaying from the same IP address for a limited time
    (e.g. 30 minutes).  POP3/IMAP clients (such as MS Lookout) typically
    check for new messages every 2-15 minutes, while running.


    Unfortunately, there is no "standard" mechanism for pop-before-smtp
    authentication.  Exim natively supports the "whoson" protocol
    (http://whoson.sourceforge.net/); the Cyrus POP3/IMAP suite supports
    notifications via DRAC (http://mail.cc.umanitoba.ca/drac/).  There
    is a standalone daemon named "pop-before-smtp" which monitors logins
    to a number of different POP3/IMAP servers by parsing their log files,
    but unfortunately this one is written specifically for the Postfix MTA.
    Thus, if you decide to go this route, you'll have to do a little bit
    of customization/development on your own.


> Again my question is that I want only those domains to send mail through
> mx.rahul.com who have the MX records as mx.rahul.com, no one else..



Did you read my last message? It is not very clear what you want to do
here.

Mail does not originate from a domain. Mail originates from a client
(a MUA or MTA on a particular host). So the question is, which domain
do you want to use as the key for authentication purposes/MX lookups?

   - The domain after the @ sign in the sender (envelope from) address?
   - The host name presented by the client in the HELO/EHLO greeting?
   - The host name that results from performing a rDNS lookup of the
     client's IP address?


The first two can trivially be spoofed by any sender, anywhere --
essentially making you an open relay. In fact, if you "telnet
relay-test.mail-abuse.org", this is one of the tests that will be
performed on your machine.

The last one (using the name that results from an rDNS lookup) can also
be forged:
- when a spammer controls the rDNS (in-addr.arpa) zone for the IP
address from which he is sending you the mail. He will simply create an
rDNS entry from his IP address to 'pop.rahul.com', for instance. When
you perform an MX lookup of this name, you'll get your own MX.
- when a lookup of the remote IP address (correctly) yields
"spammer.biz", but the owner of "spammer.biz" adds an MX record to his
own domain pointing to "mx.rahul.com".

Do keep in mind that spammers nowadays tend to use very highly
specialized software, such as ad-hoc DNS servers that provide
_extremely_ short-lived DNS records.

That said, it is trivial to configure Exim for such stupidity:

In the 'main' section:
    helo_try_verify_hosts = *


In the RCPT ACL:
    accept verify    = helo
           condition = ${if eq {${lookup dnsdb{mx=$sender_host_name}{$value}}} \
                               {mx.rahul.com} \
                               {true}{false}}


Be sure to at least add MX records for every host from which you wish
to allow relaying, pointing to "mx.rahul.com".


Another (perhaps simpler) way would be (in the 'main' section):

    hostlist relay_from_hosts = 127.0.0.1 : *.rahul.com


This does not depend on MX records -- it simply says that any hosts
that resolve to <anything>.rahul.com are allowed to relay. Again, be
careful to verify the validity of the rDNS entry via a forward lookup:

     deny message  = You are not allowed to relay if I cannot verify your name via DNS.
          !verify  = helo


-tor
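Added illustration, not part of Tor's message or of Exim itself: a small Python model of the relay decision discussed above (a relay_from_hosts list mixing IP/CIDR entries with a *.rahul.com name pattern), showing why the name side only counts when the rDNS entry is confirmed by a forward lookup. All DNS data below is constructed; no real resolver is consulted.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed stand-ins for DNS. PTR records are controlled by whoever
# owns the IP block, so a sender can claim any name there; A records
# for rahul.com are controlled by the rahul.com owner only.
PTR = {
    "198.51.100.9": "smtp1.rahul.com",   # genuine host, forward record agrees
    "203.0.113.7":  "pop.rahul.com",     # forged PTR: forward record disagrees
    "203.0.113.8":  "mail.spammer.biz",  # honest PTR, but not our domain
}
A = {
    "smtp1.rahul.com":  {"198.51.100.9"},
    "pop.rahul.com":    {"198.51.100.20"},
    "mail.spammer.biz": {"203.0.113.8"},
}

# Equivalent of: hostlist relay_from_hosts = 127.0.0.1 : 192.168.0.0/24 : *.rahul.com
RELAY_FROM_HOSTS = ["127.0.0.1", "192.168.0.0/24", "*.rahul.com"]

def verified_host_name(ip):
    """Forward-confirmed rDNS: accept the PTR name only if it resolves back to ip."""
    name = PTR.get(ip)
    if name and ip in A.get(name, set()):
        return name
    return None  # no PTR, or a PTR the forward zone does not confirm

def item_matches(ip, pattern, confirm_forward=True):
    """One hostlist item: an IP address, a CIDR block, or a *.name wildcard."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        pass  # not an address pattern, so treat it as a host-name pattern
    name = verified_host_name(ip) if confirm_forward else PTR.get(ip)
    return name is not None and fnmatchcase(name.lower(), pattern.lower())

def may_relay(ip, hostlist=RELAY_FROM_HOSTS, confirm_forward=True):
    """True if the client IP matches any entry of the relay hostlist."""
    return any(item_matches(ip, p, confirm_forward) for p in hostlist)

if __name__ == "__main__":
    for ip in ("192.168.0.42", "198.51.100.9", "203.0.113.7", "203.0.113.8"):
        print(ip, "relay" if may_relay(ip) else "deny",
              "(unchecked PTR would say:", may_relay(ip, confirm_forward=False), ")")
```

Running it shows 203.0.113.7 is denied with the forward check but would be allowed on the strength of its forged PTR alone.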