[Exim] How do you filter email that says it's from your doma…

Author: John Stegenga
Date:
To: exim-users
Subject: [Exim] How do you filter email that says it's from your domain but it is not?
My Spam Assassin white list has my own domain in it... I suppose that it is
not really necessary, but if I'm messing around with html formatting of an
email message and want to see how it looks at a test account also on my
domain, it's easier because SA will not mark it up, etc, if I did something
'wrong'.

However, spammers are using software that puts your own email name into the
'from'. And because of this Spam Assassin is giving it the -99 point
whitelist score...

Is there a way in exim to catch these messages that say they're from 'me' but
are not (the helo is forged, etc...)?

Please help.

John
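
One way to do what the question above asks for, as an Exim ACL. This is an added example, not from the thread or from the Exim distribution; it assumes the named lists local_domains and relay_from_hosts and the ACL names acl_check_rcpt and acl_check_data from the default configure file. The envelope check rejects at RCPT time; the header check repeats the test on the header From:, which is what the SpamAssassin whitelist actually keys on.

```exim
# Added example (not from the thread or the Exim distribution).
# Assumes the default configure file's named lists +local_domains and
# +relay_from_hosts and its ACL names acl_check_rcpt / acl_check_data.

acl_check_rcpt:

  # Put this stanza before the accept that takes mail for +local_domains.
  # The envelope sender claims one of our domains, but the connecting host
  # is neither one of ours nor SMTP-authenticated: that is a forged sender.
  deny    message        = Sender domain $sender_address_domain is ours but $sender_host_address is not a local or authenticated host
          log_message    = forged local envelope sender $sender_address from $sender_host_address
          hosts          = !+relay_from_hosts
          !authenticated = *
          condition      = ${if match_domain{$sender_address_domain}{+local_domains}}

acl_check_data:

  # Same test on the header From:. ${domain:} yields an empty string when
  # the header does not parse as an address, and match_domain of an empty
  # string is false, so a malformed From: is not caught by this stanza.
  deny    message        = Header From: claims one of our domains but the message came from an outside host
          log_message    = forged local header From: ${domain:$h_from:} from $sender_host_address
          hosts          = !+relay_from_hosts
          !authenticated = *
          condition      = ${if match_domain{${domain:$h_from:}}{+local_domains}}
```

Two caveats before turning this on: your own users must submit through your server with SMTP AUTH (or from a host in relay_from_hosts), because anyone sending with your domain through some other ISP's relay is now rejected; and plain .forward-style forwarding keeps the envelope sender, so mail one of your users sends to an outside address that forwards back to you will trip the envelope check. SPF, mentioned later in this digest, is the way to publish the same policy so other sites can apply it too.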


-----Original Message-----
From: exim-users-request@??? [mailto:exim-users-request@exim.org]
Sent: Sunday, May 23, 2004 7:00 AM
To: exim-users@???
Subject: Exim-users digest, Vol 2 #2142 - 16 msgs


Send Exim-users mailing list submissions to
    exim-users@???


To subscribe or unsubscribe via the World Wide Web, visit
    http://www.exim.org/mailman/listinfo/exim-users
or, via email, send a message with subject or body 'help' to
    exim-users-request@???


You can reach the person managing the list at
    exim-users-admin@???


When replying, please edit your Subject line so it is more specific
than "Re: Contents of Exim-users digest..."


Today's Topics:

1. deny domains how? (Andy Firman)
2. pop/imap (Frederic SOSSON)
3. Re: deny domains how? (Adam D. Barratt)
4. Re: pop/imap (Anand Buddhdev)
5. Re: Yahoo DomainKeys... (Claus Assmann)
6. Re: Running programs from ACLs (Florian Weimer)
7. Re: Yahoo DomainKeys... (Nico Erfurth)
8. Re: Running programs from ACLs (Nico Erfurth)
9. Re: Yahoo DomainKeys... (Claus Assmann)
10. Re: Yahoo DomainKeys... (Nico Erfurth)
11. Re: Yahoo DomainKeys... (James P Roberts)
12. Re: Exim 4.32 + TLS from foreign host (Toffe)
13. Re: Yahoo DomainKeys... (Andre Grueneberg)
14. Re: Startup (hunte@???)
15. Re: Startup (hunte@???)
16. Re: deny domains how? (Rossz Vamos-Wentworth)

--__--__--

Message: 1
Date: Sat, 22 May 2004 10:19:53 -0400
To: exim-users@???
From: Andy Firman <andy@???>
Subject: [Exim] deny domains how?


I am trying to figure out how to deny any email from
the whole SBC network as that company is out of control
with spam and I am tired of adding all of the SBC
IP blocks to my local_host_blacklist file.

This is in my 30_exim4-config_check_rcpt file:

deny domains = *.ameritech.net
deny domains = *.swbell.net
deny domains = *.pacbell.net
deny domains = *.sbcglobal.net

But it does not work. How do you make Exim deny based
upon a reverse DNS lookup?

I want to reject anything that looks like this:

Received: from adsl-69-208-77-71.dsl.klmzmi.ameritech.net
or
Received: from adsl-66-141-144-84.dsl.hstntx.swbell.net
or
Received: from adsl-68-126-249-36.dsl.irvnca.pacbell.net
etc...


Thanks,
Andy




--__--__--

Message: 2
Date: Sat, 22 May 2004 16:29:50 +0200
From: Frederic SOSSON <fred_sos@???>
Reply-To: Frederic SOSSON <fred_sos@???>
To: exim-users <exim-users@???>
Subject: [Exim] pop/imap

Hello exim-users,

I know it is a good thing to use Exim at MTA side, but what is the best
pop/imap server at the other side?

--
Best regards,
 Frederic                          mailto:fred_sos@swing.be




--__--__--

Message: 3
Subject: Re: [Exim] deny domains how?
From: "Adam D. Barratt" <exim-users@???>
To: exim-users@???
Date: Sat, 22 May 2004 15:41:25 +0100

On Sat, 2004-05-22 at 15:19, Andy Firman wrote:
> I am trying to figure out how to deny any email from
> the whole SBC network as that company is out of control
> with spam and I am tired of adding all of the SBC
> IP blocks to my local_host_blacklist file.
>
> This is in my 30_exim4-config_check_rcpt file:
>
> deny domains = *.ameritech.net

[...]
> But it does not work. How do you make Exim deny based
> upon a reverse DNS lookup?


You're trying to reject the wrong thing. As per the Fine Manual:

<quote>
domains = <domain list>

This condition is relevant only after a RCPT command. It checks that the
domain of the recipient address is in the domain list.
</quote>

You want to block *hosts*, therefore you need:

<quote>
hosts = <host list>

This condition tests that the calling host matches the host list
</quote>

I'd strongly suggest using a host list instead of repeated hosts
stanzas. If there's more than a handful, moving the list into a lookup
file or database would also be worthwhile.

Adam
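
What Adam describes, written out as an added example (not from the thread or the Exim distribution): a named host list in the main section, used from the RCPT ACL. A name pattern in a host list makes Exim look up the reverse DNS of the connecting IP and check that the name resolves back to it, so a host with no, or mismatched, reverse DNS never matches a name pattern; only an IP pattern or a DNSBL catches those. The file path is an assumption.

```exim
# Added example (not from the thread or the Exim distribution).
# Main configuration section: one named list instead of repeated stanzas.
hostlist sbc_hosts = *.ameritech.net : *.swbell.net : \
                     *.pacbell.net : *.sbcglobal.net

# Once the list grows past a handful, keep it in a file instead, one
# pattern per line (an absolute path as a list item means "read patterns
# from this file"; the path here is an assumption):
# hostlist sbc_hosts = /etc/exim4/blocked_hosts

begin acl

acl_check_rcpt:

  # Reject by the verified reverse-DNS name of the calling host.
  deny    message     = Mail from $sender_host_name [$sender_host_address] is not accepted here
          log_message = calling host matched +sbc_hosts
          hosts       = +sbc_hosts
```

In the Debian split configuration the hostlist line goes in a main-section fragment and the deny stanza into 30_exim4-config_check_rcpt. If the reverse lookup itself fails (as opposed to simply not matching), the +include_unknown and +ignore_unknown list controls described in the spec decide what happens; set one explicitly rather than relying on the default.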



--__--__--

Message: 4
Date: Sat, 22 May 2004 16:48:04 +0200
From: Anand Buddhdev <anand@???>
To: Frederic SOSSON <fred_sos@???>
Cc: exim-users <exim-users@???>
Subject: Re: [Exim] pop/imap

On Sat, May 22, 2004 at 04:29:50PM +0200, Frederic SOSSON wrote:

> Hello exim-users,
>
> I know it is a good thing to use Exim at MTA side, but what is the
> best pop/imap server at the other side?


I personally use courier-imap (which provides both a POP3 and IMAP4
daemon). It's fast (compared to UW IMAP), flexible (authenticates out
of /etc/passwd, /etc/shadow, PAM, mysql, postgresql and ldap) and most
importantly, was designed to work with Maildirs.

--
Anand Buddhdev
Celtel International


--__--__--

Message: 5
Date: Sat, 22 May 2004 09:59:05 -0700
From: Claus Assmann <exim@???>
To: exim-users@???
Subject: Re: [Exim] Yahoo DomainKeys...

On Fri, May 21, 2004, Nico Erfurth wrote:
> Tony Finch wrote:


> >You seem to have missed the fact that SPF breaks existing working
> >legitimate setups.


> DomainKeys also does. If I read the proposal right, a server isn't
> allowed to add any header after the DomainKeys-Signature: header.


Read the draft again :-)

There's some ordering in the headers, so if your MTA adds the new
stuff before the signature, you're ok. If DK broke forwarding
it would be useless.


--__--__--

Message: 6
To: Nico Erfurth <masta@???>
Cc: exim-users@???
Subject: Re: [Exim] Running programs from ACLs
From: Florian Weimer <fw@???>
Date: Sat, 22 May 2004 19:27:46 +0200

* Nico Erfurth:

> On Thu, 20 May 2004, Florian Weimer wrote:
>
>> Is there a non-hackish solution for running programs if ACL checks
>> fail or succeed?
>>
>> For example, I might want to disable an account if some SMTP AUTH
>> users user uses a spoofed source address or sends some funky
>> attachment.
>
> Depends on what is "non-hackish" for you. You could use the ${run
> expansion in a condition.


And exploit Exim's short-circuited evaluation of ACL conditions? Yes,
this probably isn't too bad.

--
Current mail filters: many dial-up/DSL/cable modem hosts, and the
following domains: bigpond.com, di-ve.com, hotmail.com, jumpy.it,
libero.it, netscape.net, postino.it, simplesnet.pt, spymac.com,
tatanova.com, tiscali.co.uk, tiscali.cz, tiscali.it, voila.fr, yahoo.com.
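
The ${run}-in-a-condition trick from the exchange above, as an added example (not from the thread or the Exim distribution). The script /usr/local/sbin/audit-hook is an assumed local program, and acl_check_mail is assumed to be the ACL named by acl_smtp_mail. Exim evaluates the conditions of a stanza in order and stops at the first false one, which is the short-circuit being relied on: ${run} executes only when an authenticated client has used an envelope sender outside our domains.

```exim
# Added example (not from the thread or the Exim distribution).
# acl_smtp_mail = acl_check_mail is assumed in the main section, and
# /usr/local/sbin/audit-hook is an assumed local script.

acl_check_mail:

  # warn never rejects, so the hook cannot change whether the message is
  # accepted; it only records that it ran.
  warn    authenticated = *
          condition     = ${if !match_domain{$sender_address_domain}{+local_domains}}
          # ${quote:} double-quotes each argument so that white space or
          # quote characters in an address cannot change how Exim splits
          # the command line (the command is not passed through a shell).
          condition     = ${run{/usr/local/sbin/audit-hook \
                              ${quote:$authenticated_id} \
                              ${quote:$sender_address} \
                              ${quote:$sender_host_address}}{true}{true}}
          log_message   = audit-hook run for $authenticated_id, sender $sender_address
```

Both ${run} result strings are "true", so the hook's exit status does not matter to the ACL. The program runs synchronously inside the SMTP session and as the Exim user, so it should do no more than record the event or queue the account action for something with the right privileges.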


--__--__--

Message: 7
Date: Sat, 22 May 2004 19:29:52 +0200
From: Nico Erfurth <masta@???>
To: exim-users@???
Subject: Re: [Exim] Yahoo DomainKeys...

Claus Assmann wrote:

>>>You seem to have missed the fact that SPF breaks existing working
>>>legitimate setups.
>
>>DomainKeys also does. If I read the proposal right, a server isn't
>>allowed to add any header after the DomainKeys-Signature: header.
>
>
> Read the draft again :-)
>
> There's some ordering in the headers, so if your MTA adds the new
> stuff before the signature, you're ok. If DK would break forwarding
> it would be useless.


Read the next paragraph of my mail.

<quote>
Well, exim does. Imagine a forwarding service, with spam-scanning, which
adds headers. Boom, DomainKeys will fail to verify the mail.
</quote>

Exim DOES add extra headers (except Received: and some others) at the end
of the existing headers. So all exim forwarders will currently break the
signature when they add headers.

IMHO the signature should only be added to some headers, things that are
of interest for an enduser. At least X-* should be ignored. I know, the
draft already talks about this, so maybe they'll fix it.

Nico



--__--__--

Message: 8
Date: Sat, 22 May 2004 19:32:10 +0200
From: Nico Erfurth <masta@???>
To: Florian Weimer <fw@???>
CC: exim-users@???
Subject: Re: [Exim] Running programs from ACLs

Florian Weimer wrote:

> And exploit Exim's short-circuited evaluation of ACL conditions? Yes,
> this probably isn't too bad.


"exploit" is such a bad word. ;)
(Ab)use it as it's meant to be (ab)used. :)

Nico



--__--__--

Message: 9
Date: Sat, 22 May 2004 10:52:16 -0700
From: Claus Assmann <exim@???>
To: exim-users@???
Subject: Re: [Exim] Yahoo DomainKeys...

On Sat, May 22, 2004, Nico Erfurth wrote:

> Exim DOES add extra headers (not Received: and some others) on the end
> of previous headers. So all exim-forwarders will currently break the
> signature, when they add headers.


Is that configurable? We changed a certain MTA to be able to add
headers before others to accommodate DK.

> IMHO the signature should only be added to some headers, things that are
> of interest for an enduser. At least X-* should be ignored. I know, the
> draft already talks about this, so maybe they'll fix it.


Someone has to contact the author and tell him about the problem.

Disclaimer: I am on an "invitation only" DK mailing list where
this topic has been discussed.


--__--__--

Message: 10
Date: Sat, 22 May 2004 20:18:30 +0200
From: Nico Erfurth <masta@???>
To: Claus Assmann <exim@???>
CC: exim-users@???
Subject: Re: [Exim] Yahoo DomainKeys...

Claus Assmann wrote:

> Is that configurable? We changed a certain MTA to be able to add


AFAIK not. Surely exim could be changed to support it, but we all know
how long it takes until new versions propagate through the net.

> headers before others to accommodate DK.


Ok, so that "certain MTA" [;)] would also break DK in older versions ...
see above.

>>IMHO the signature should only be added to some headers, things that are
>>of interest for an enduser. At least X-* should be ignored. I know, the
>>draft already talks about this, so maybe they'll fix it.
>
> Someone has to contact the author and tell him about the problem.


Well, IMHO this is something that they should have checked before.

> Disclaimer: I am on an "invitation only" DK mailing list where
> this topic has been discussed.


Well, so you're perfect to tell it to the author. :)

Nico



--__--__--

Message: 11
From: "James P Roberts" <punster@???>
To: "Andre Grueneberg" <andre@???>
Cc: "David Woodhouse" <dwmw2@???>,
    "Matthew Byng-Maddick" <exim@???>,
    <exim-users@???>
Subject: Re: [Exim] Yahoo DomainKeys...
Date: Sat, 22 May 2004 15:29:50 -0400


----- Original Message -----
From: "Andre Grueneberg" <andre@???>
To: "James P Roberts" <punster@???>
Cc: "David Woodhouse" <dwmw2@???>; "Matthew Byng-Maddick"
<exim@???>; <exim-users@???>
Sent: Friday, May 21, 2004 2:08 PM
Subject: Re: [Exim] Yahoo DomainKeys...


> --
> James P Roberts wrote:
> > Why bother signing the message DATA at all? Do we really need to verify
> > unchanged contents? Aren't we just trying to confirm that the connecting
> > host is legitimate to be sending it? Why not only sign the headers?
>
> To prevent replay attacks?! Otherwise a spammer could take the signed
> header lines and add another body. At least I would, if I were a
> spammer. ;)
>
> Andre


So, include a time/date header, to be added by the sending MTA just prior to
sending it, and have the receiving MTA check it after decrypting to make
sure it is sufficiently close to the current time? If the sending MTA
retries, it should delete/replace the previous header with a new one at each
retry, just prior to encrypting. For that matter, why not have the sending
MTA encrypt only this time/date header? All we are really trying to do here
is verify that the sending MTA knows the private key associated with the
public key published via DNS, for the sender's domain, right? Have I
missed something?

Heck, for that matter, include the sending MTA IP address, a copy of the
original sender's domain, and the original sender's IP address, in the
encrypted time/date header. Call it a "domain key header" or something.
Just brainstorming...

X-Domain-Key: encrypt[current-date-time {rewritten-}domain MTA.host.IP
received-date-time sender-domain sender.host.IP {original encrypted
X-Domain-Key: header, if any}]

where encrypt[...] means encrypted with the private key for
{rewritten-}domain.

If this is received from a "Domain Keys"-enabled sender, there will already
be such a header, and it should be retained, in both crypt and decrypt
forms, as part of the new (replacement) header. In this way, anyone
downstream can verify the entire chain, if they like.

If received from a non-participating MTA or MUA, there would be no encrypted
string included, but the raw info on when/where the email was injected from
(and the original un-rewritten sender domain) should be added by any MTA
using the feature. Thus, the chain is initiated by the SMTP server of the
ISP responsible for the originator's domain. (Which should be using SMTP
AUTH and so forth to authenticate the source).

Each MTA along the way looks up the public key for the domain claimed by the
sender, decrypts the contents of the X-Domain-Key: header, verifies that:
(a) the first time stamp is reasonably close to the current time, (b) the
"MTA.host.IP" field matches the actual sending host IP, and (c)
"{rewritten-}domain" field matches that claimed in the normal unencrypted
headers. Continue the process iteratively, using the remaining encrypted
string and comparing to the unencrypted data included by the sending MTA,
until you either hit a recursion limit, or run out of strings to decrypt.

At delivery time, regardless of destination (user inbox or another MTA),
replace the incoming X-Domain-Key: header with a new one. As noted above,
the new one should include the old one, so anyone downstream can verify the
entire chain.

What this means is, a forwarder can forward if they either (a) know the
private key for the claimed sender domain, or (b) have their own private
key, and rewrite the sender domain accordingly. Note that the original
sender domain remains available to the recipient, unless the forwarder drops
it. (For example, a mailing list).

OK, that probably has a million holes in it, because I am no expert. Feel
free to pick it apart.

Jim



--__--__--

Message: 12
Date: Sun, 23 May 2004 01:42:05 +0200
From: Toffe <toffe@???>
To: Exim users list <Exim-users@???>
Subject: Re: [Exim] Exim 4.32 + TLS from foreign host

On Sat, May 15, 2004 at 03:24:56PM +0200, Toffe wrote:
>
> In fact no... because in this case Exim goes into open relay mode.
> How can I tell the check-rcpt acl to accept hosts authenticated via tls? Is
> there a way to have an auth_over_tls_hosts list according to foreign host?


I've found this link: http://www.wlug.org.nz/EximSmtpAuth

The explanation is really clear and simple. Now that I'm done with this
conf it works well! And my exim isn't an open relay...

So, if you want Exim4 + LDAP + TLS use it! ;)

Bye.

--
Toffe
UIN #39872819
http://www.nah-ko.org/ - http://www.zrx21.org/

If artificial intelligence does something stupid, it's no big deal:
it's artificial stupidity.


--__--__--

Message: 13
Date: Sun, 23 May 2004 02:39:34 +0200
From: Andre Grueneberg <andre@???>
To: James P Roberts <punster@???>
Cc: David Woodhouse <dwmw2@???>,
    Matthew Byng-Maddick <exim@???>, exim-users@???
Subject: Re: [Exim] Yahoo DomainKeys...


--
James P Roberts wrote:
> > To prevent replay attacks?! Otherwise a spammer could take the signed
> > header lines and add another body. At least I would, if I were a
> > spammer. ;)
> So, include a time/date header, to be added by the sending MTA just prior to
> sending it, and have the receiving MTA check it after decrypting to make
> sure it is sufficiently close to the current time?


How do you define "sufficiently close"? 1 hour? 12 h? 1 day? 4 days? 1
week? 1 month? In any case, a spammer is likely to get hands on a valid
"header" -- they do read mailing lists.

Timestamp comparisons are only practical in p2p connections with well
synchronized clocks.

> If the sending MTA
> retries, it should delete/replace the previous header with a new one at each
> retry, just prior to encrypting.


SMTP is a store and forward protocol. We do have multiple steps (backup
MX, DMZ relays ...) in the delivery process without access to the
private key.

> Heck, for that matter, include the sending MTA IP address, a copy of the
> original sender's domain, and the original sender's IP address, in the
> encrypted time/date header. Call it a "domain key header" or something.
> Just brainstorming...


It sounds quite awkward and complicated. I won't try to understand your
plan completely as the starting points are not well thought out.

Andre
--
Beware of Geeks bearing gifs.


--__--__--

Message: 14
Date: Sun, 23 May 2004 13:50:42 +0800
From: hunte@???
To: exim-users@???
Subject: Re: [Exim] Startup

Quoting Steven Lobbezoo <steven@???>:

> Hi,
> I'm just starting to learn exim.
> Installed 4.30 on my debian server.
>
> Could anyone give me an example of how to do
> login in the configuration file (ACL section ?) ?
> I do not understand how that is done.
> There's no simple sample in the docs.
>
> At the moment all works fine, but I cannot do login
> with my mail clients.
>
> Thanks in advance,
> Steven
>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim
> details at http://www.exim.org/ ##
The default configuration should work properly against the system's user.

________________________________________________________
This mail was sent by the Taiping Life WebMail system: http://mail.tplife.com




--__--__--

Message: 15
Date: Sun, 23 May 2004 14:00:36 +0800
From: hunte@???
To: exim-users@???
Subject: Re: [Exim] Startup

Does it answer your question?

Quoting hunte@???:

> Steven Lobbezoo <steven@???>:
>
> > Hi,
> > I'm just starting to learn exim.
> > Installed 4.30 on my debian server.
> >
> > Could anyone give me an example of how to do
> > login in the configuration file (ACL section ?) ?
> > I do not understand how that is done.
> > There's no simple sample in the docs.
> >
> > At the moment all works fine, but I cannot do login
> > with my mail clients.
> >
> > Thanks in advance,
> > Steven
> >
> > --
> >
> > ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim
> > details at http://www.exim.org/ ##
>
> The default configuration should work properly against the system's user.
>




--__--__--

Message: 16
Date: Sat, 22 May 2004 23:36:14 -0700
From: Rossz Vamos-Wentworth <rossz@???>
To: exim-users@???
Subject: Re: [Exim] deny domains how?

Andy Firman wrote:
> I am trying to figure out how to deny any email from
> the whole SBC network as that company is out of control
> with spam and I am tired of adding all of the SBC
> IP blocks to my local_host_blacklist file.


You'd probably do better by blocking mail from dynamic IP addresses.

   deny   message       = $sender_host_address is in a black list at \
                          $dnslist_domain\n$dnslist_text
          log_message   = found in $dnslist_domain
          dnslists      = dynablock.njabl.org


--
Rossz



--__--__--

--

## List details at http://www.exim.org/mailman/listinfo/exim-users Exim
details at http://www.exim.org/ ##



End of Exim-users Digest