RE: [exim] Need Help to Solve security hole

Author: Herb Martin
Date:  
To: exim-users
Subject: RE: [exim] Need Help to Solve security hole

> > very beginning I did not configure SMTP auth so everyone that connects
> > to my port 25 can send whatever they want,
>
> Very bad idea. Please take the host offline immediately and
> repeat your experiments on a host that is not publicly reachable.
>
> > I understand that leaving SMTP without an auth method is a security hole,
> > so I should reinstall the complete server because even if I deinstall
> > exim and reinstall it, it goes on sending a lot of stuff.


I believe there is a misconception here by the OP (not
by Marc, the last poster):

One can have Exim with NO AUTHENTICATION but with relaying
denied to all (or to all except the domains in "relay_to_domains"
and the hosts in "relay_from_hosts").

No authentication methods means that NO ONE can authenticate,
it is separate from "unauthenticated users can relay."

I am new to exim -- so maybe there are holes in my understanding
but here is my relevant piece of config (empty relay_to_domains
and relay_from_hosts lists) -- it is very similar to the defaults
since I started from those:

######################################################
# it's for one of our domains AND one of our users
accept  domains       = +local_domains
        endpass
        verify        = recipient


# we relay TO these domains -- but this list is currently EMPTY
accept  domains       = +relay_to_domains
        endpass
        verify        = recipient


# relay for these HOSTS -- but this list is now purely LOCAL hosts
accept  hosts         = +relay_from_hosts


# Accept if the message arrived over an authenticated connection ***
accept authenticated = *

# if not authenticated and not in the "relay" lists, DENY "relay not permitted"
deny    message       = relay not permitted


##########################################################


If you authenticate successfully you may relay, but otherwise
you may merely send to "our domains/users". This worked fine
for several days WITHOUT authentication until I could set that
up.
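To make the point concrete, here is a small Python model of the RCPT ACL above (an added example, not part of the original post or of Exim itself): it walks the statements in Exim's order, including the "endpass" rule that a matched-but-unverifiable recipient is denied rather than falling through. The domains, addresses and client IPs are constructed for illustration, and "verify = recipient" is approximated by a set of addresses the verification would pass.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class AclConfig:
    local_domains: set = field(default_factory=set)
    relay_to_domains: set = field(default_factory=set)
    relay_from_hosts: list = field(default_factory=list)  # CIDR strings
    verifiable: set = field(default_factory=set)          # addresses "verify = recipient" would pass


def host_in_list(client_ip, cidrs):
    addr = ip_address(client_ip)
    return any(addr in ip_network(c, strict=False) for c in cidrs)


def acl_check_rcpt(cfg, client_ip, authenticated, recipient):
    """Evaluate the RCPT ACL statements in the order Exim would."""
    domain = recipient.rsplit("@", 1)[1].lower()
    # accept domains = +local_domains / endpass / verify = recipient
    # endpass: once the domain matched, a failed verify is a DENY, not a fall-through
    if domain in cfg.local_domains:
        ok = recipient in cfg.verifiable
        return ("accept", "local domain") if ok else ("deny", "unknown local recipient")
    # accept domains = +relay_to_domains / endpass / verify = recipient
    if domain in cfg.relay_to_domains:
        ok = recipient in cfg.verifiable
        return ("accept", "relay_to_domains") if ok else ("deny", "unverifiable relay recipient")
    # accept hosts = +relay_from_hosts
    if host_in_list(client_ip, cfg.relay_from_hosts):
        return ("accept", "relay_from_hosts")
    # accept authenticated = *  -- can never match when no authenticators are configured
    if authenticated:
        return ("accept", "authenticated")
    # deny message = relay not permitted
    return ("deny", "relay not permitted")


# Constructed sample config: empty relay lists and no authenticators, as in the post
CFG = AclConfig(local_domains={"example.com"}, verifiable={"alice@example.com"})

if __name__ == "__main__":
    for ip, rcpt in [("203.0.113.9", "alice@example.com"),
                     ("203.0.113.9", "bob@example.com"),
                     ("203.0.113.9", "someone@example.net")]:
        print(ip, rcpt, acl_check_rcpt(CFG, ip, False, rcpt))
```

With empty relay lists and no authenticators, an unauthenticated remote host can only deliver to verifiable local addresses; any other destination ends at "relay not permitted".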

--
Herb Martin
HerbM@??? http://LearnQuick.Com
Accelerated MCSE in a Week Seminars