RE: [exim] Restricting SMTP access

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Edward Kay
Date:  
À: exim-users
Sujet: RE: [exim] Restricting SMTP access
> Fair enough. Can't you put the "deny hosts = !+relay_hosts" after these
> checks?


I'm afraid this wouldn't help as the message would have already been
accepted by "accept domains = +local_domains". (The problem is spammers
connect and set both the sender and recipient addresses to be in a local
domain).

I think the solution may be to remove rules rather than add them. Currently
the ACL is:

accept hosts = :

require verify = sender
accept domains = +local_domains
endpass
message = "The recipient cannot be verified. Please check all recipients
of this message to verify they are valid."
verify = recipient

accept domains = +relay_domains

  warn  message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
        hosts = +relay_hosts
  accept  hosts = +relay_hosts


  warn  message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
        condition = ${perl{checkrelayhost}{$sender_host_address}}
  accept  condition = ${perl{checkrelayhost}{$sender_host_address}}


  accept  hosts = +auth_relay_hosts
          endpass
          message = $sender_fullhost is currently not permitted to \
                        relay through this server. Perhaps you \
                        have not logged into the pop/imap server in the \
                        last 30 minutes or do not have SMTP Authentication
turned on in your email client.
          authenticated = *


  deny    message = $sender_fullhost is currently not permitted to \
                        relay through this server. Perhaps you \
                        have not logged into the pop/imap server in the \
                        last 30 minutes or do not have SMTP Authentication
turned on in your email client.



I propose removing some of the earlier checks giving:

accept hosts = :

require verify = sender

accept hosts = +relay_hosts

  warn  message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
        condition = ${perl{checkrelayhost}{$sender_host_address}}
  accept  condition = ${perl{checkrelayhost}{$sender_host_address}}


  accept  hosts = +auth_relay_hosts
          endpass
          message = $sender_fullhost is currently not permitted to \
                        relay through this server. Perhaps you \
                        have not logged into the pop/imap server in the \
                        last 30 minutes or do not have SMTP Authentication
turned on in your email client.
          authenticated = *


  deny    message = $sender_fullhost is currently not permitted to \
                        relay through this server. Perhaps you \
                        have not logged into the pop/imap server in the \
                        last 30 minutes or do not have SMTP Authentication
turned on in your email client.



This should allow the relay hosts before needing to do the POP-before-SMTP
check.

Testing this however, is proving troublesome. I've saved exim.conf with the
above and am testing with exim -bh <IP-address>. Despite giving an IP
address that is listed in /etc/relayhosts (and so in +relay_hosts), the
output says "host in "+relay_hosts"? no (end of list)".

Any ideas, especially with it failing under exim -bh?

> A more radical solution which may be overkill for your situation but is
> good in the general case is to use something like Tony Finch's fantastic
> "personalities" idea:
>
> http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/doc/talks/2005-02-exi

mconf/paper.html#3.%20Multiple%20personalities

This is indeed interesting but, I feel, over the top for my setup.


--

PS: Tim, thanks for producing http://www.webcamsinnorway.com/. I used the
site extensively before my trip there in 2004!