Re: [exim] Blocking non-authenticated senders

Author: Peter Velan
Date:  
To: Exim Users Mailing List
Subject: Re: [exim] Blocking non-authenticated senders
On 20.02.2007 14:22, Matthias Waffenschmidt wrote:
> On Mon, Feb 19, 2007 at 06:10:33PM +0100, Peter Velan wrote:
>> On 19.02.2007 16:45, David Woodhouse wrote:
>> > On Mon, 2007-02-19 at 15:06 +0100, Peter Velan wrote:
>> >> all users which are allowed to send via our MTA must authenticate first.
>> >>
>> >> Could I block any non-authenticated senders (forging envelope from like
>> >> "*@ourdomain-#.tld") with the following construction?
>> >>
>> >> ...
>> >> acl_smtp_rcpt = acl_check_rcpt
>> >> ...
>> >> begin acl
>> >> acl_check_rcpt:
>> >> ...
>> >> accept authenticated = *
>> >>
>> >> deny    !authenticated = *
>> >>         senders = *@*.ourdomain-1.tld:*@*.ourdomain-2.tld
>> >> ...
>> >>
>> >> Should I be aware of any side effects?
>> >
>> > You'll be rejecting any mail which is forwarded to one of your users,
>> > but which also originated from one of your users.
>>
>> How so? If one of my users is forwarding with his mail client, then he
>> must authenticate beforehand.
>
> If the forwarding server is not your server, the sender will receive a
> bounce mail.
>
> In more detail:
>
> - your user sends a mail using SMTP AUTH via your mail server to an
> external address
> - the mail server responsible for this domain forwards the mail to
> some recipients including the original sender


Ok, you are right: I have to accept messages from localhost and from my
other servers (all with fixed IPs, all specified in relay_from_hosts)!

A more complete ACL:

acl_check_rcpt:
  accept hosts = :
  accept local_parts = abuse:postmaster
  accept hosts = +relay_from_hosts
  accept authenticated = *
  deny   !authenticated = *
         senders = *@*.ourdomain-1.tld:*@*.ourdomain-2.tld


(please bear with me if I'm too shortsighted)

I don't see a situation where a foreign server sends me a legit email
with envelope-from = "localpart@???"?

> - your mail server in turn rejects the forwarded mail because it was
> not sent via SMTP AUTH
> - your user will receive an error mail from the forwarding mail server
>
> I would strongly recommend not implementing this kind of blocking.


If the scenario you described above is real, then for sure, it would be
a stupid thing to implement this!

Peter
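As an added illustration (not code from this thread or from Exim itself), the following Python models the acl_check_rcpt above as an ordered first-match evaluation and runs it over the scenarios discussed: an authenticated user, one of the relay_from_hosts, a forged sender from a foreign host, and the forwarded-mail case Matthias describes. Host addresses and sender names are constructed, and sender matching uses a simplified fnmatch instead of Exim's own list matching.

```python
# Model of the thread's acl_check_rcpt; Exim evaluates statements in order and
# the first statement whose conditions all hold gives the verdict.
from fnmatch import fnmatchcase

RELAY_FROM_HOSTS = {"192.0.2.10", "192.0.2.11"}      # constructed: our other servers
LOCAL_PARTS_ALWAYS = {"abuse", "postmaster"}         # accept local_parts = abuse:postmaster
# As written in the thread: "*.ourdomain-1.tld" only matches subdomains of it.
OUR_DOMAIN_PATTERNS = ["*@*.ourdomain-1.tld", "*@*.ourdomain-2.tld"]


def sender_matches(sender):
    """Simplified stand-in for Exim's 'senders =' address-list matching."""
    return any(fnmatchcase(sender.lower(), p) for p in OUR_DOMAIN_PATTERNS)


def acl_check_rcpt(host, recipient, sender, authenticated):
    """Return 'accept', 'deny' or 'continue' for one RCPT command."""
    if host is None:                                  # accept hosts = :   (local submission)
        return "accept"
    if recipient.split("@", 1)[0] in LOCAL_PARTS_ALWAYS:
        return "accept"
    if host in RELAY_FROM_HOSTS:                      # accept hosts = +relay_from_hosts
        return "accept"
    if authenticated:                                 # accept authenticated = *
        return "accept"
    if not authenticated and sender_matches(sender):  # deny !authenticated = * / senders = ...
        return "deny"
    return "continue"                                 # later statements on the real server decide


# Constructed scenarios: (connecting host, recipient, envelope sender, SMTP AUTH used)
SCENARIOS = {
    "authenticated user": ("198.51.100.5", "bob@example.net", "alice@mail.ourdomain-1.tld", True),
    "own relay host": ("192.0.2.10", "bob@ourdomain-1.tld", "alice@mail.ourdomain-1.tld", False),
    "forged sender from outside": ("203.0.113.7", "bob@ourdomain-1.tld", "alice@mail.ourdomain-1.tld", False),
    # Alice mailed an external list; the list server forwards her own post back to her.
    "forwarded by external list server": ("203.0.113.9", "alice@ourdomain-1.tld", "alice@mail.ourdomain-1.tld", False),
}


def run_all():
    """Verdict per scenario; the forwarded post is rejected exactly like the forgery."""
    return {name: acl_check_rcpt(*args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:36} -> {verdict}")
```

The forwarding case and the forgery case are indistinguishable to this ACL, which is the side effect the thread warns about.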