Re: [exim] Can't close open relay.

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Marco Wessel
Dátum:  
Címzett: exim-users
CC: Elias Kesh
Tárgy: Re: [exim] Can't close open relay.

On May 13, 2007, at 8:42 PM, Elias Kesh wrote:

>
> I have a mail server running exim 4.65 connected to the network
> with static
> IP. I have only local users and two domains that I want to receive
> email
> from . I do not want to relay anything.
> However when I run:
>


Amazingly, no one seems to have helped you with this important,
easily exploited problem yet. At least I was able to use your server
to send myself a message just now.

Your acl_check_rcpt seems to be a bit weird to me, possibly due to
numerous attempts to fix the problem (We've all been there, this
chops up a conf like nothing else.) I'd suggest replacing it with the
ACL I pasted below, and modifying that if necessary. Yours is set to
check messages for things you don't allow and if all checks pass,
accept the message. Mine here works the other way around: check if we
should allow the message and if none of the checks work out, deny.
Generally a safer principle imo.

Also, do you know about how to test these things? I usually have a
separate config, testexim.conf say, that I try my edits in, and then
call exim as follows:

exim -C testexim.conf -bhc 1.2.3.4

And then try an smtp session:

mail from: <>    (Using an empty envelope sender is fine unless  
you're testing your MAIL acl)
rcpt to: <some@???> (Vary this according to if you're testing  
local domains, remote domains, etc.)


Which allows me to test the config as if my IP address were 1.2.3.4.
Then, try the same with IP addresses that /should/ be able to relay.
Basically, try the scenarios of incoming e-mail from and to various
defined locations that might occur on your server. and if exim
behaves as expected you can move the conf to the correct location and
SIGHUP exim.



This ACL allows mail sent locally (by calling exim directly) and
relayed for the hosts in the relay_from_hosts list.
It also allows mail to be sent to domains defined in the
local_domains list, and relayed to domains in the relay_to_domains
list. (This is all pretty much standard behaviour.) I've commented it
to show what does what.


acl_check_rcpt:

# Accept local
accept hosts = :

   deny    message       = Restricted characters in address
           domains       = +local_domains
           local_parts   = ^[.] : ^.*[@%!/|]


   deny    message       = Restricted characters in address
           domains       = !+local_domains
           local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./



   # Always accept mail to postmaster
   accept  local_parts   = postmaster
           domains       = +local_domains


   # Accept from local network
   accept  hosts         = +relay_from_hosts
           control       = submission


   # Verify sender domain
   require verify        = sender


   # Deny mails to users that don't exist
   deny    domains       = +local_domains
           ! verify      = recipient
           message       = Undeliverable address



   # Accept domains that we're configured explicitly to relay (or  
deliver) for
   accept  domains       = +relay_to_domains : +local_domains



   deny    message       = Relay not permitted