Greetings all
A question or two if I may regarding authenticated relay and accountability.
I have managed to add a "X-authenticatedID: $authenticated_id"
header after much ado about nothing. What I want to do now is change
the sender email address (From: email_addie) to the $authenticated_id
which in my case is also the senders email address in order to stop
sender address spoofing. I may want to change the "Reply-To:" as well
if it is set.
Basically what I am wanting to do is change :
"From: John Doe <john@???>" to
"From: John Doe <john@???>"
where "john@???" is the spoofed address and "john@???" is
the true email address which is also the $authenticated_id. I also
need to account for situations where the name is not given but only
the email addie; eg "From: <john@???>". Maybe I should add the spoofed
address as an X-header for tracking?
Any assistance in getting this working with the config included
below would be greatly appreciated by a mere exim n00b like me.
Many thanx for lending me your ears.... or at least your experience
and expertise.
Regards
Michael L Griffin
---------- Forwarded message ----------
Date: 10-Jul-2007 21:13
Subject: exim config
To: milegrin@???
######################################################################
# Environment Variables #
######################################################################
SERVER_IP = 207.210.77.223
hide mysql_servers = \
localhost::(/var/run/mysqld/mysqld.sock)/DB_NAME/DB_NAME/DB_PASS
primary_hostname = mx1.creatronic.com
VIRTUAL_DOMAINS = SELECT DISTINCT domain FROM domains \
WHERE type = 'local' AND enabled = '1' \
AND domain = '${quote_mysql:$domain}'
RELAY_DOMAINS = SELECT DISTINCT domain FROM domains \
WHERE type = 'relay' \
AND domain = '${quote_mysql:$domain}'
ALIAS_DOMAINS = SELECT DISTINCT alias FROM domainalias \
WHERE alias = '${quote_mysql:$domain}'
hostlist listen_ip = SERVER_IP
domainlist local_domains = @ : \
${lookup mysql{VIRTUAL_DOMAINS}} : \
${lookup mysql{ALIAS_DOMAINS}}
domainlist relay_to_domains = ${lookup mysql{RELAY_DOMAINS}}
hostlist relay_from_hosts = localhost : 207.210.77.223
######################################################################
# MAIN CONFIGURATION SETTINGS #
######################################################################
#smtp_banner = "FULL_HOSTINFO ESMTP Exim $version_number+ppsw+$compile_number $tod_full"
smtp_banner = "Creatronic CC SMTP Server"
acl_smtp_helo = acl_check_helo
acl_smtp_rcpt = acl_check_rcpt
#acl_smtp_auth = acl_check_auth
#acl_smtp_mime = acl_check_mime
acl_smtp_data = acl_check_data
receive_timeout = 15m
exim_group = mail
exim_user = mail
never_users = root
trusted_users = mail:michael
trusted_groups = mail
# Do a name lookup of the calling host - good for logging and problem solving
host_lookup = * : !/etc/exim4/ip-allow
rfc1413_hosts = *
rfc1413_query_timeout = 0s
# RFC 822 domain literal format is not a good idea
# spammers are the only ones who really use this
allow_domain_literals = false
helo_allow_chars = _
# If a error message has been frozen it gets removed after 48h
ignore_bounce_errors_after = 2d
auto_thaw = 2h
timeout_frozen_after = 5d
# limits the number of simultaneously open files for single-key lookups
# that use regular files (that is, lsearch, dbm, and cdb)
lookup_open_max = 100
message_size_limit = 15M
# If a message is frozen tell the mailmaster (Could result in a flood of email)
# freeze_tell_mailmaster = true
# Ensure there is enough space otherwise do not accept
# mail till space has been made
check_log_space = 100M
check_spool_space = 100M
# Delay warnings
delay_warning = 4h:12h:24h
# Delay warnings
delay_warning_condition = "${if match{$h_precedence:}{(?i)bulk|list|junk}{no}{yes}}"
# Abandon queue runs if the load reaches this
deliver_queue_load_max = 15
# Check to see if a domain has any illegal characters
# & reject if it does as it is then not legitimate
dns_check_names_pattern = (?i)^(?>(?(1)\.|())[^\W_](?>[a-z0-9-]*[^\W_])?)+$
# Retry of DNS lookups
dns_retrans = 0s
# If people reply to error messages rather reply to Postmaster
errors_reply_to = postmaster@???
bounce_return_message = false
# Set maximum number of incoming connections
smtp_accept_max = 500
# Checks that there is enough space in the spool directory's
# partition to accept a message
smtp_check_spool_space = false
# Reserve SMTP connections for local domain (as in smtp_reserve_hosts).
# Good idea for companies with branches or when using multiple servers
smtp_reserve_hosts = 127.0.0.1 : *.creatronic.com
# Set maximum number of incoming connections from a specific host
smtp_accept_max_per_host = 60
#smtp_accept_max_nonmail = 10
# maximum number of waiting SMTP connections.
smtp_connect_backlog = 50
# Message filter - a file which is applied to all messages
system_filter = /etc/exim4/exim-mail_filter
# Accept incoming connections from reserved hosts if load is above this
# (See smtp_reserve_hosts above)
smtp_load_reserve = 20
# If the system load average is higher than this value, incoming messages from all
# sources are queued, and no automatic deliveries are started.
# This also affects smtp_reserve_hosts
queue_only_load = 25
# Maximum number of queue-running processes that an Exim
# daemon will run simultaneously.
queue_run_max = 20
# Controls parallel delivery of one message to a number of remote hosts.
# If the value is less than 2, parallel delivery is disabled, and Exim does
# all the remote deliveries for a message one by one. Otherwise, if a single
# message has to be delivered to more than one remote host, or if several copies
# have to be sent to the same remote host, up to remote_max_parallel
# deliveries are done simultaneously.
remote_max_parallel = 200
# Maximum number of received headers allowed for mail loop detection
received_headers_max = 80
# If this option is set greater than zero, it specifies the maximum number of
# original recipients for any message. Additional recipients that are generated
# by aliasing or forwarding do not count. SMTP messages get a 452 response for
# all recipients over the limit; earlier recipients are delivered as normal.
# Non-SMTP messages with too many recipients are failed, and no
# deliveries are done.
# Note: The RFCs specify that an SMTP server should accept at least 100 RCPT
# commands in a single message.
# Maximum number of recipients
recipients_max = 40
# When there are a number of remote deliveries for a message, they are sorted by
# domain into the order given and delivered in priority per the list
# The order of the domains denotes their priority
remote_sort_domains = *.creatronic.com : *.co.za : *.org.za : *.za.net : \
                      *.za : *
# Timeout value for SMTP reception
smtp_receive_timeout = 2m
# Split the spool directory into 62 subdirectories.
# Greatly improves performance - especially on busy systems
split_spool_directory = true
# Maximum message size when a message is bounced
# This option is an obsolete synonym for bounce_return_size_limit.
# return_size_limit = 20k
# Limit in bytes on the size of messages that are returned to senders as
# part of bounce messages (Default 100K)
bounce_return_size_limit = 20k
# Redundant pairs of angle brackets round "route-addr" items in addresses are
# stripped. For example, <<xxx@???>> is treated as <xxx@???>.
# If this is in the envelope and the message is passed on to another MTA,
# the excess angle brackets are not passed on. If this option is
# not set, multiple pairs of angle brackets cause a syntax error.
strip_excess_angle_brackets = true
# The trailing dot at the end of a domain in an address is ignored.
# If this is in the envelope and the message is passed on to another MTA,
# the dot is not passed on. If this option is not set, a dot at the end
# of a domain causes a syntax error. However, addresses in header lines are
# checked only when an ACL requests header syntax checking.
strip_trailing_dot = true
# Used to suppress the advertisement of the SMTP PIPELINING extension to
# specific hosts. When PIPELINING is not advertised and smtp_enforce_sync
# is true, an Exim server enforces strict synchronization for each SMTP
# command and response. When PIPELINING is advertised, Exim assumes that
# clients will use it; "out of order" commands that are "expected" do not
# count as protocol errors (see smtp_max_synprot_errors).
pipelining_advertise_hosts = :
# From Exim 4.53, this option is obsolete but kept for backward compatibility
# helo_try_verify_hosts = *
# By default, Exim uses bland messages such as "Administrative prohibition"
# when it rejects SMTP commands for policy reasons. Many sysadmins like
# this because it gives away little information to spammers. However, some
# other sysadmins who are applying strict checking policies want to give out
# much fuller information about failures.
# Setting smtp_return_error_details true causes Exim to be more forthcoming.
# (Good for debugging but not recommended for live sites)
smtp_return_error_details = false
# Used to reduce or increase the number of things written to the log files.
# Its arguments are made up of names preceded by plus or minus characters.
#log_selector = +all
log_selector = +all_parents \
+smtp_confirmation \
+smtp_syntax_error \
+deliver_time \
+queue_run
################################################################################
# ACL CONFIGURATION #
# Specifies access control lists for incoming SMTP mail #
################################################################################
begin acl
#-<HELO ACL>----------------------------------------------------------------------
acl_check_helo:
accept hosts = :
accept hosts = SERVER_IP : +relay_from_hosts
drop condition = ${if match{$sender_helo_name}{SERVER_IP}{yes}{no} }
log_message = Rejected - Spammer pretending to be us
message = "Dropped spammer pretending to be us"
delay = 5m
deny condition = ${if isip {$sender_helo_name}{true}{false}}
log_message = IP Address $sender_helo_name in HELO greeting
message = "IP address in HELO greeting"
delay = 3m
accept
#-</HELO ACL>---------------------------------------------------------------------
#-<RCPT ACL>----------------------------------------------------------------------
acl_check_rcpt:
accept hosts = :
deny message = Restricted characters in email address
local_parts = ^[.] : ^.*[@%!/|] : ^.*/\\.\\./
log_message = DENY : Restricted characters in email address
domains = +local_domains
delay = 30s
drop hosts = net-iplsearch;/etc/exim4/exim-reject-hosts
message = Connection Denied for $sender_host_address - blacklisted host
log_message = Denied $sender_host_address - blacklisted host
delay = 20s
require verify = sender
accept domains = +local_domains
local_parts = postmaster
deny message = Connection denied for $sender_address - blacklisted sender
log_message = Denied $sender_address - blacklisted sender
senders = lsearch;/etc/exim4/exim-bouncelist
delay = 30s
# RBL Checking
deny message = DNSBL listed at $dnslist_domain\n$dnslist_text
dnslists = sbl-xbl.spamhaus.org : \
list.dsbl.org : \
bl.spamcop.net : \
dnsbl.ahbl.org : \
cn-kr.blackholes.us : \
dynablock.njabl.org
delay = 3m
!sender_domains = lsearch;/etc/exim4/exim-domain_whitelist
# Legitimate bounces are never sent to more than one recipient
deny condition = $recipients_count
message = Legitimate bounces are never sent to more than one recipient.
log_message = DENY : Legitimate bounces are never sent to more than one recipient.
senders = : postmaster@*
# Anti-dictionary attack. See http://www.configserver.com/free/eximdeny.html
# for a more intelligent method
# If more than 4 unknown recipients are received within a single connection
# it is more than likely spammers fishing by trying a dictionary of localparts
deny condition = ${if >{$rcpt_fail_count}{3} {1}{0}}
domains = +local_domains
message = Multiple unknown users - Suspected dictionary attack.
log_message = DENY : Multiple unknown users ($rcpt_fail_count) - Suspected dictionary attack.
!verify = recipient
delay = ${eval:30*$rcpt_fail_count}s
accept authenticated = *
# add_header = X-Authenticated: $authenticated_sender
add_header = X-AuthenticatedID: $authenticated_id
accept domains = +local_domains
endpass
message = unknown user
verify = recipient
set acl_m0 = $local_part@$domain
accept domains = +relay_to_domains
endpass
message = unrouteable address
verify = recipient
# set acl_m1 = $domain
accept hosts = +relay_from_hosts
deny message = authentication required - relay not permitted
log_message = DENY : authentication required - relay not permitted
#-</RCPT ACL>---------------------------------------------------------------------
#-<AUTH ACL>--------------------------------------------------------------------
acl_check_auth:
# Have nothing to put here - maybe the rewrite?
accept
#-</AUTH ACL>--------------------------------------------------------------------
#-<MIME ACL>----------------------------------------------------------------------
## Causes temp failure - fix it! :
## 2007-03-24 21:25:45 1HVBs0-0007AS-Ur H=ug-out-1314.google.com
## [66.249.92.175] F=<milegrin@???> temporarily rejected during
## MIME ACL checks: cannot check header contents in ACL for MIME (only
## possible in ACL for DATA)
#acl_check_mime:
# warn !verify = header_syntax
# warn !verify = header_sender
#
# deny message = This message contains a MIME error ($demime_reason)
# log_message = DENY : MIME error ($demime_reason)
# condition = ${if <{$message_size}{32k}{1}{0}}
# demime = *
# condition = ${if >{$demime_errorlevel}{2}{1}{0}}
#
# deny message = File type unacceptable (filename: $mime_filename)
# condition = ${lookup{${lc:${sg{$mime_filename}{^.+\\.([a-zA-Z0-9]+)\$}{\$1}}}} \
# lsearch{/etc/exim4/exim-rejected_file_type}{yes}{no}}
#
#accept
#-</MIME ACL>---------------------------------------------------------------------
#-<DATA ACL>----------------------------------------------------------------------
acl_check_data:
# Hosts and authenticated clients listed here will not be scanned by SA & ClamAV
accept hosts = +relay_from_hosts : SERVER_IP
accept authenticated = *
#-</DATA ACL>---------------------------------------------------------------------
accept
###############################################################################
# ROUTERS CONFIGURATION #
# Specifies how addresses are handled #
#################################################################################
# THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT! #
# An address is passed to each router in turn until it is accepted. #
#################################################################################
begin routers
#---------------------------------------------------------------------------------
dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more
#---------------------------------------------------------------------------------
mailman_router:
driver = accept
require_files = MAILMAN_HOME/lists/$local_part/config.pck
local_part_suffix_optional
local_part_suffix = -bounces : -bounces+* : \
-confirm+* : -join : -leave : \
-owner : -request : -admin
transport = mailman_transport
#---------------------------------------------------------------------------------
mysql_vacation:
driver = accept
condition = ${if and { {!match {$h_precedence:}{(?i)junk|bulk|list}} \
{eq {${lookup mysql{select users.on_vacation \
from users,domains \
where localpart = '${quote_mysql:$local_part}' \
and domain = '${quote_mysql:$domain}' \
and users.on_vacation = '1' \
and users.domain_id=domains.domain_id}}}{1} \
}} {yes}{no} }
no_verify
no_expn
unseen
transport = virtual_vacation_delivery
#---------------------------------------------------------------------------------
mysql_forward:
driver = redirect
check_ancestor
data = ${lookup mysql{select forward from users,domains \
where localpart='${quote_mysql:$local_part}' \
and domain='${quote_mysql:$domain}' \
and users.domain_id=domains.domain_id \
and on_forward = '1'}}
# We explicitly make this condition NOT forward mailing list mail!
condition = ${if and { {!match {$h_precedence:}{(?i)junk|bulk|list}} \
{eq {${lookup mysql{select users.on_forward \
from users,domains \
where localpart = '${quote_mysql:$local_part}' \
and domain = '${quote_mysql:$domain}' \
and users.on_forward = '1' \
and users.domain_id=domains.domain_id}}}{1} \
}} {yes}{no} }
#---------------------------------------------------------------------------------
mysql_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup mysql{select smtp from users,domains \
where localpart='${quote_mysql:$local_part}' \
and domain='${quote_mysql:$domain}' \
and users.domain_id=domains.domain_id \
and users.type='alias'}}
#---------------------------------------------------------------------------------
mysql_user:
driver = accept
condition = ${if eq{} {${lookup mysql {SELECT concat(pop,'/',smtp) \
FROM users,domains \
WHERE username = \
'${quote_mysql:$local_part}@${quote_mysql:$domain}'}}}{no}{yes}}
retry_use_local_part
transport = virtual_delivery
#---------------------------------------------------------------------------------
mysql_catchall:
driver = redirect
allow_fail
#MLG data = ${lookup mysql{select smtp from users,domains where localpart = '*' \
data = ${lookup mysql{select smtp from users,domains where localpart = '*' \
and domain = '${quote_mysql:$domain}' \
and users.domain_id = domains.domain_id}}
retry_use_local_part
file_transport = virtual_delivery
reply_transport = address_reply
#---------------------------------------------------------------------------------
virtual_domain_alias:
driver = redirect
allow_fail
data = ${lookup mysql{select concat('${quote_mysql:$local_part}@', domain) \
from domains,domainalias \
where domainalias.alias = '${quote_mysql:$domain}' \
and domainalias.domain_id = domains.domain_id}}
retry_use_local_part
#---------------------------------------------------------------------------------
###########################################################################
# TRANSPORTS CONFIGURATION #
###########################################################################
# ORDER DOES NOT MATTER #
# Only one appropriate transport is called for each delivery. #
#####################################################################
begin transports
#---------------------------------------------------------------------------------
remote_smtp:
driver = smtp
#---------------------------------------------------------------------------------
virtual_delivery:
driver = appendfile
maildir_format = true
create_directory = true
directory = ${lookup mysql{select concat(pop,'/',smtp) from users,domains \
where localpart = '${quote_mysql:$local_part}' \
and domain = '${quote_mysql:$domain}' \
and users.domain_id = domains.domain_id}}
user = 8
group = 12
quota = ${lookup mysql{select users.quota from users,domains \
where localpart = '${quote_mysql:$local_part}' \
and domain = '${quote_mysql:$domain}' \
and users.domain_id = domains.domain_id}{${value}M}}
quota_is_inclusive = false
quota_size_regex = ,S=(\d+):
quota_warn_threshold = 75%
maildir_use_size_file = false
quota_warn_message = "To: $local_part@$domain\n\
Subject: Your mailbox has reached a warning threshold\n\n\
This message was automatically generated by the mail delivery software\n\
and is sent from an unmonitored address - please do not reply!\n\n\
You are now using over 75% or ${extract{quota}{${address_data}}} of your allocated mail storage quota.\n\n\
If your mailbox fills completely, further incoming messages sent to $local_part@$domain\n\
will be automatically returned to their senders.\n\n\
WARNING : Exceeding your quota will result in a loss of email!!\n\n\
Please take note of this and remove unwanted mail from your mailbox.\n"
#---------------------------------------------------------------------------------
virtual_vacation_delivery:
driver = autoreply
log = /var/spool/exim4/exim_vacation.log
once =/var/spool/exim4/db/vacation.db
once_repeat = 1d
from = "${local_part}@${domain}"
to = ${sender_address}
subject = "Autoreply from ${local_part}@${domain}"
text = ${lookup mysql{select vacation from users,domains \
where domain='${quote_mysql:$domain}' \
and localpart='${quote_mysql:$local_part}' \
and users.domain_id=domains.domain_id}}
#---------------------------------------------------------------------------------
address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add
#---------------------------------------------------------------------------------
address_reply:
driver = autoreply
#################################################################################
# RETRY CONFIGURATION #
#################################################################################
begin retry
# Domain Error Retries
# ------ ----- -------
* quota
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
#################################################################################
# REWRITE CONFIGURATION #
#################################################################################
begin rewrite
#################################################################################
# AUTHENTICATION CONFIGURATION #
#################################################################################
begin authenticators
plain_login:
driver = plaintext
public_name = PLAIN
server_condition = ${lookup mysql{SELECT '1' FROM users \
WHERE username = '${quote_mysql:$2}' \
AND clear = '${quote_mysql:$3}'} {yes}{no}}
server_set_id = $2
fixed_login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = ${lookup mysql{SELECT '1' FROM users \
WHERE username = '${quote_mysql:$1}' \
AND clear = '${quote_mysql:$2}'} {yes}{no}}
server_set_id = $1
fixed_cram:
driver = cram_md5
public_name = CRAM-MD5
server_secret = ${lookup mysql{SELECT clear FROM users \
WHERE username = '${quote_mysql:$1}'}{$value}fail}
server_set_id = $1
# End of Exim configuration
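As an added example (not part of the original post or the poster's config), one way to do the From: rewrite asked about above and keep the claimed address for tracking, placed in the DATA ACL because that is where Exim can see the message headers (as the MIME-ACL error quoted in the config notes). It assumes Exim 4.73 or later (for the remove_header modifier), that $authenticated_id is the user's own email address as it is in this setup, and the header name X-Original-From is made up here.

```exim
# Added example, not the poster's own config. Assumes Exim >= 4.73
# (remove_header) and that $authenticated_id is the user's email address.
acl_check_data:
  # Trusted relays are not touched
  accept  hosts = +relay_from_hosts : SERVER_IP

  # Keep the original From: in an ACL variable before anything changes it
  warn    authenticated = *
          set acl_m1 = $h_from:

  # Only act when the bare From: address differs (case-insensitively)
  # from the authenticated identity. Record the claimed header in a
  # made-up X-Original-From: for tracking, drop the old From: and add
  # one carrying the authenticated address. The display name survives
  # when the address is in angle brackets ("John Doe <john@spoofed>");
  # a bare "john@spoofed" is replaced by the authenticated id alone.
  warn    authenticated = *
          condition     = ${if !eq {${lc:${address:$acl_m1}}} {${lc:$authenticated_id}}}
          add_header    = X-Original-From: $acl_m1
          remove_header = From
          add_header    = From: ${if match{$acl_m1}{<} \
                            {${sg{$acl_m1}{<[^>]*>}{<$authenticated_id>}}} \
                            {$authenticated_id}}
          log_message   = From: <${address:$acl_m1}> rewritten to <$authenticated_id>

  # Authenticated clients are accepted without further scanning
  accept  authenticated = *
  accept
```

The log_message line gives an audit trail of every rewrite, so a user whose client is configured with a wrong address shows up in mainlog rather than silently having mail altered.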