Re: [exim] after server_set_id it becomes <user>@<primaryhos…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: W B Hacker
Dátum:  
Címzett: exim users
Tárgy: Re: [exim] after server_set_id it becomes <user>@<primaryhostname> insteady of <user>@<domainname>
Paul Ooi wrote:

> Hey guys,
>
>     I managed to solve it by putting this line in main configuration;
>     local_from_check = false


That fixes your immediate problem, but is a band-aid you should not need if all
else is OK. You need to dig deeper.

For starters IF you must have shell or local users, (with different rules and
routers and transports than remote submission) they should not have the same
user@domain that you might use from a remote box with a submission MUA.

You can DO this, but it is a needless *N*X legacy that complicates rules and
settings.

It makes many things simpler and easier to configure securely if you treat all
mail users as 'virtual' and do not use local accounts for routine bothway mail.

Best if only the chron'ed reports are local originators and there are aliases
the point *OFF BOX* for 'postmaster', 'abuse', 'webmaster', etc.

>
>     I would like to know there is there any way to verify the sender smtp 
> username is matched to sender email address? It's to avoid the sender spoof 
> the email address from other people.

>
> Paul


Expect spoofed senders, spoofed HELO, spoofed domains, bogus recipients,
deliberately malformed messages, headers that lie, and everything else.
Even IP's can be forged. OTOH, Exim has great tools for detecting all such
probable attempts and more, and let's you decide how best to deal with them
intelligently for *your* environment.

It is not necessarily a 'bad thing' if a user with more than one account - not
necessarily even all on your server - wants replies to go to his *other*
account, and/or need an alias or forwarder in place.

As to 'vetting' submission from MUA's, there are lots of ways, but matching
furnished-user@domain or furnished-HELO to originating IP is nowhere near
enough, nor of much use when most far-end's are behind NAT'ed DHCP, and/or may
be mobile.

Conversely, AUTH methods that work most securely, such as issuing S-codes or
installing and requiring matching per-user PEM certs on server and remote MUA,
also place severe restrictions on the selection of compatible MUA's, *and*
end-user skills and common sense. Usually too much admin work for the apparent
gain.

Much simpler to insure that you absolutely require authentication for remote-MUA
submission, that it is DECENT authentication, and that you only accept it on
port 587 over TLS from your trusted user community.

Keep it simple. Plain auth under SSL/TLS is better than most folks often want to
admit, as the odds of a remote client being compromised by any of an number of
means, starting with simply sitting down in front of someone's PC when their
head is turned, are orders of magnitude greater than the odds of the server
itself being hacked. And that is *per each* remote workstation!

Don't forget that the login user name does NOT have to be of the form
'user@domain'. You can configure your authenticators and MUA far more flexibly
than that.

HTH,

Bill Hacker

>
>
> ----- Original Message -----
> From: "W B Hacker" <wbh@???>
> To: "exim users" <exim-users@???>
> Sent: Monday, July 17, 2006 13:14
> Subject: Re: [exim] after server_set_id it becomes <user>@<primaryhostname>
> insteady of <user>@<domainname>
>
>
>>Paul Ooi wrote:
>>
>>
>>>Dear All,
>>>
>>>    I am having problem with my Exim. when I configured server_set_id in
>>>SMTP login, it shows,

>>>
>>>    2006-07-17 11:32:43 1G2Jqd-000228-CO <= "paul@domain"@hostname
>>>H=(PAULOOI) [203.223.134.xx] P=esmtpa A=auth_login:paul@???
>>>S=1391 id=022501c6a954$af989fc0$5186dfcb@PAULOOI

>>>
>>>    How can I make it paul@domain instead of paul@domain@hostname? The 
>>>exim
>>>running support multiple domains.

>>>
>>>Paul
>>>
>>>
>>
>>Fisrt, grep your configure file for quotes, find the place you used those
>>incorrectly to produce the above error, and fix that.
>>
>>IF it persiste, then see if you are 'qualifying' users (adding a missing
>><domain>.<tld>) where you do not wish to.
>>
>>Fixing the quote error may obviate the problem, is that is 'hiding' the
>>already-present information from Exim, hence it adds it.
>>
>>Bill
>>
>>
>>--
>>## List details at http://www.exim.org/mailman/listinfo/exim-users
>>## Exim details at http://www.exim.org/
>>## Please use the Wiki with this list - http://www.exim.org/eximwiki/
>
>
>