On Tue, 1 Feb 2005, Matthew Newton wrote:
> From: Matthew Newton <mcn4@???>
> To: exim-users@???
> Date: Tue, 1 Feb 2005 17:06:17 +0000
> Subject: [exim] Use of hashes to fix forwarding
>
> I thought I'd share this little bit of configuration with you in case
> it's useful for someone else. Maybe it's been done before, I don't know,
> but when we thought it up here we were rather pleased with ourselves.
>
> Some time before I started work here, the University of Leicester started
> blocking incoming mail that has a sender of our local domains. Apart
> from a few users, this seemed to be a good way of blocking spam.
>
> Unfortunately, this breaks some forwarding situations. Say user A
> on-site sends to user B off-site. If B is forwarding their mail back
> on-site again, then the mail is rejected at our boundary systems because
> it "comes from on-site".
>
> Our new solution is to now sign outgoing mail with an extra header that
> has a hash of the exim message id and the sender address, together with
> a secret. When a message comes back in again from a Leicester address
> the header (if it exists) is checked. If the sending from and the
> message id are the same, then the hashes match and it is let through.
> Otherwise, it is blocked as before.
...good stuff deleted...
> If anyone has any comments about this, especially if you can see any
> problems (there don't seem to be any at the moment), then please let me
> know! I'm not sure if blocking on-site addresses from off-site in
> general is a good idea, especially since I've fixed the spam checking
> system, but that was not my decision.
I don't see any problem with blocking on-site addresses from off-site in
general. However you do this, you must allow authenticated SMTP to relay
anywhere. So you'll need exim accepting authenticated SMTP over TLS on
ports 25, 465 and 587. And document how users set up their mail clients
to use this facility. They will need to use your SMTP servers rather than
relay through their ISP's servers.
I've had private correspondence with others about implementing this here.
It would certainly cut down on cases of identity theft. We do see cases
of identity theft from our equipment and the logs let us identify the
culprit(s). We wouldn't have much chance of tracking down identity theft
from a local Internet cafe. So far we haven't had any users who are smart
enough to realise this. But it's only a matter of time...
Certainly at least one other UK University has been successfully running a
similar scheme for over a year. Although I believe they don't use a hash
signature. Instead they include a simple header. Apparently some external
stuff does break, in particular eBay alerts.
If you want to be ultra-paranoid, you could check the Originator fields of
messages as well as the envelope sender. This would obviously have to be
done in the acl_smtp_data phase. Probably by a perl routine using the
Mailtools perl module for the address parsing.
--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis@??? Phone: +44 1225 386101
