[exim] rogue lusers adding domains in a hosting environment

Author: Stanislaw Halik
Date:  
To: exim-users
Subject: [exim] rogue lusers adding domains in a hosting environment
Heya,

I found out something just recently and wanted to share with you guys:

The problem:

On our hosting service, lusers have a possibility of adding domains for
inbound mail. A rogue luser has a possibility of adding somebody else's
domain. Or worse, something very popular, like gmail.com.

When a luser adds such a domain and creates a catchall record, mail is
just passed to him.

Prerequisite:

A DNS server that doesn't treat such domains as local. named running on
localhost will do with help of views.

Solution:

domainlist global_domains = dsearch;EXP_GLOBAL_DOMAINS
domainlist virtual_domains = dsearch;EXP_DOMAINS
domainlist local_domains = ${if or{ \
                              { match_domain{$domain}{+global_domains} } \
                              { and { \
                                { match_domain{$domain}{+virtual_domains} } \
                                { match{${lookup dnsdb{mx=$domain}{$value}fail}}{\N(?mi)^\d+ (?:mx\.domain\.pl|fancyname\.domain\.com)$\N}} \
                              }}}{$domain}{}}


A bit of explanation:

"global_domains" are assigned by us, no lookup is required.
"virtual_domains" are those added by lusers from whose potential abuse
we need to protect ourselves.

Caveats:

- Only the MX record is checked. This isn't a problem for me myself, but
    has to be taken into account.
- No MX records results in a defer. Isn't that bad, really, as some DNS
    errors (network down, recursion failed) can (sometimes) be recognized
    as NXDOMAIN by (some) resolvers.


Feedback is, as always, welcome.

-- 
Unix stuff      :: http://tehran.lain.pl
Yet Another RBL :: http://rbl.lain.pl
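
Added example (not part of the original post, and not Exim code): a Python model of the local_domains condition above, usable as a periodic audit of customer-added domains. The regex is copied from the post; the domain sets, the MX data, sample_lookup and TemporaryDNSError are constructed or hypothetical, and the "defer" verdict for an empty MX set follows the post's second caveat.

```python
import re

# The post's regex, unchanged; mx.domain.pl / fancyname.domain.com are its placeholder hosts.
OUR_MX = re.compile(r"(?mi)^\d+ (?:mx\.domain\.pl|fancyname\.domain\.com)$")

class TemporaryDNSError(Exception):
    """Hypothetical stand-in for SERVFAIL or a resolver timeout."""

# Constructed sample data standing in for the two dsearch directories and the DNS.
GLOBAL_DOMAINS = {"domain.pl"}
VIRTUAL_DOMAINS = {"customer.example", "gmail.com", "backup.example",
                   "nomx.example", "broken.example"}
SAMPLE_MX = {
    "customer.example": [(10, "mx.domain.pl")],
    "gmail.com": [(5, "mx.provider.example")],
    "backup.example": [(5, "mail.backup.example"), (50, "FancyName.domain.com.")],
    "nomx.example": [],
}

def sample_lookup(domain):
    """Offline resolver stub: unknown names behave like a temporary DNS error."""
    if domain not in SAMPLE_MX:
        raise TemporaryDNSError(domain)
    return SAMPLE_MX[domain]

def classify(domain, lookup_mx=sample_lookup):
    """Return 'local', 'not-local' or 'defer' for a recipient domain."""
    domain = domain.lower()
    if domain in GLOBAL_DOMAINS:
        return "local"                  # operator-assigned: no DNS lookup
    if domain not in VIRTUAL_DOMAINS:
        return "not-local"
    try:
        records = lookup_mx(domain)
    except TemporaryDNSError:
        return "defer"
    if not records:
        return "defer"                  # the post's second caveat
    # One "preference host" line per record, the shape the post's regex expects.
    value = "\n".join(f"{pref} {host.rstrip('.')}" for pref, host in records)
    return "local" if OUR_MX.search(value) else "not-local"

def audit():
    """Verdict for every customer-added domain, for a periodic review."""
    return {d: classify(d) for d in sorted(VIRTUAL_DOMAINS)}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{verdict:9} {name}")
```

Because the pattern is multi-line, a domain counts as local when any one of its MX lines names one of the listed hosts, whatever its preference value (backup.example above).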