On May 13, 2007, at 8:42 PM, Elias Kesh wrote:
>
> I have a mail server running exim 4.65 connected to the network with static
> IP. I have only local users and two domains that I want to receive email
> from. I do not want to relay anything.
> However when I run:
>
Amazingly, no one seems to have helped you with this important,
easily exploited problem yet. At least I was able to use your server
to send myself a message just now.
Your acl_check_rcpt seems to be a bit weird to me, possibly due to
numerous attempts to fix the problem (We've all been there, this
chops up a conf like nothing else.) I'd suggest replacing it with the
ACL I pasted below, and modifying that if necessary. Yours is set to
check messages for things you don't allow and if all checks pass,
accept the message. Mine here works the other way around: check if we
should allow the message and if none of the checks work out, deny.
Generally a safer principle imo.
Also, do you know how to test these things? I usually have a
separate config, testexim.conf say, that I try my edits in, and then
call exim as follows:

    exim -C testexim.conf -bhc 1.2.3.4

And then try an SMTP session:

    mail from: <>          (Using an empty envelope sender is fine unless
                            you're testing your MAIL ACL)
    rcpt to: <some@???>    (Vary this according to whether you're testing
                            local domains, remote domains, etc.)

This allows me to test the config as if my IP address were 1.2.3.4.
Then, try the same with IP addresses that /should/ be able to relay.
Basically, try the scenarios of incoming e-mail from and to various
defined locations that might occur on your server, and if exim
behaves as expected you can move the conf to the correct location and
SIGHUP exim.
This ACL allows mail sent locally (by calling exim directly) and
relayed for the hosts in the relay_from_hosts list.
It also allows mail to be sent to domains defined in the
local_domains list, and relayed to domains in the relay_to_domains
list. (This is all pretty much standard behaviour.) I've commented it
to show what does what.
acl_check_rcpt:
  # Accept local: an empty host field means the message did not arrive
  # over TCP/IP (exim was called directly)
  accept  hosts = :

  deny    message     = Restricted characters in address
          domains     = +local_domains
          local_parts = ^[.] : ^.*[@%!/|]

  deny    message     = Restricted characters in address
          domains     = !+local_domains
          local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

  # Always accept mail to postmaster
  accept  local_parts = postmaster
          domains     = +local_domains

  # Accept from local network
  accept  hosts   = +relay_from_hosts
          control = submission

  # Verify sender domain
  require verify = sender

  # Deny mails to users that don't exist
  deny    domains = +local_domains
          !verify = recipient
          message = Undeliverable address

  # Accept domains that we're configured explicitly to relay (or deliver) for
  accept  domains = +relay_to_domains : +local_domains

  deny    message = Relay not permitted
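As an added example (not part of the original post), here is a small Python harness that drives the `exim -C testexim.conf -bhc <ip>` session described above and picks the SMTP reply codes out of the transcript, so the "outsider gets 550, relay host gets 250" scenarios can be checked mechanically. It assumes exim is on PATH, that -bh writes the SMTP replies to stdout alongside its ">>>" trace and "LOG:" lines, and that testexim.conf, the IP addresses and the recipient addresses are placeholders to be replaced with your own.

```python
import re
import subprocess

# One SMTP reply line: "250 OK", "550-first part", "550 Relay not permitted"
_REPLY = re.compile(r"^(\d{3})([ -])(.*)$")

# Constructed sample of what -bhc prints when an outside host tries to relay.
SAMPLE_TRANSCRIPT = """220 mail.example.test ESMTP Exim 4.65
250 mail.example.test Hello test.example [1.2.3.4]
250 OK
>>> deny: condition test succeeded in ACL "acl_check_rcpt"
LOG: H=[1.2.3.4] F=<> rejected RCPT <someone@elsewhere.test>: Relay not permitted
550 Relay not permitted
221 mail.example.test closing connection
"""

def smtp_replies(transcript):
    """Pull SMTP replies out of exim -bh output, skipping the '>>>' ACL trace
    and 'LOG:' lines; 'NNN-' continuation lines fold into their reply."""
    replies, pending = [], None
    for line in transcript.splitlines():
        m = _REPLY.match(line)
        if not m:
            continue
        code, sep, text = int(m.group(1)), m.group(2), m.group(3)
        pending = text if pending is None else pending + " " + text
        if sep == " ":  # last (or only) line of this reply
            replies.append((code, pending))
            pending = None
    return replies

def rcpt_result(transcript):
    """Code given to RCPT TO: banner, HELO, MAIL FROM, RCPT TO -> 4th reply."""
    replies = smtp_replies(transcript)
    if len(replies) < 4:
        raise ValueError("session ended before RCPT TO was answered")
    return replies[3][0]

def run_session(conf, ip, rcpt):
    """One 'exim -C conf -bhc ip' session as in the post, stopping after RCPT TO."""
    cmds = f"HELO test.example\r\nMAIL FROM:<>\r\nRCPT TO:<{rcpt}>\r\nQUIT\r\n"
    return subprocess.run(["exim", "-C", conf, "-bhc", ip],
                          input=cmds, capture_output=True, text=True).stdout

if __name__ == "__main__":
    # Placeholder IPs/addresses: outsider must get 550, relay_from_hosts member 250.
    for ip, rcpt, expected in [("1.2.3.4", "someone@elsewhere.test", 550),
                               ("192.168.1.10", "someone@elsewhere.test", 250)]:
        got = rcpt_result(run_session("testexim.conf", ip, rcpt))
        print(f"{ip} -> {rcpt}: got {got}, expected {expected}")
```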