[exim] Authenticated sender change

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Michael L Griffin
Dátum:  
Címzett: exim-users
Tárgy: [exim] Authenticated sender change
Greetings all

A question or two if I may regarding authenticated relay and accountability.

I have managed to add a "X-authenticatedID: $authenticated_id"
header after much ado about nothing. What I want to do now is change
the sender email address (From: email_addie) to the $authenticated_id
which in my case is also the senders email address in order to stop
sender address spoofing. I may want to change the "Reply-To:" as well
if it is set.

Basically what I am wanting to do is change :
"From: John Doe <john@???>" to
"From: John Doe <john@???>"
where "john@???" is the spoofed address and "john@???" is
the true email address which is also the $authenticated_id. I also
need to account for situations where the name is not given but only
the email addie; eg "From: <john@???>". Maybe I should add the spoofed
address as an X-header for tracking?

Any assistance in getting this working with the config included
below would be greatly appreciated by a mere exim n00b like me.

Many thanx for lending me your ears.... or at least your experience
and expertise.

Regards
Michael L Griffin

---------- Forwarded message ----------
Date: 10-Jul-2007 21:13
Subject: exim config
To: milegrin@???

######################################################################
# Environment Variables                                              #
######################################################################


SERVER_IP                    = 207.210.77.223


hide mysql_servers           =
localhost::(/var/run/mysqld/mysqld.sock)/DB_NAME/DB_NAME/DB_PASS


primary_hostname             = mx1.creatronic.com


VIRTUAL_DOMAINS              = SELECT DISTINCT domain FROM domains \
                                  WHERE type = 'local' AND enabled = '1' \
                                  AND domain = '${quote_mysql:$domain}'


RELAY_DOMAINS                = SELECT DISTINCT domain FROM domains \
                                  WHERE type = 'relay' \
                                  AND domain = '${quote_mysql:$domain}'


ALIAS_DOMAINS                = SELECT DISTINCT alias FROM domainalias \
                                  WHERE alias = '${quote_mysql:$domain}'


hostlist      listen_ip      = SERVER_IP


domainlist    local_domains  = @ : \
                                  ${lookup mysql{VIRTUAL_DOMAINS}} : \
                                  ${lookup mysql{ALIAS_DOMAINS}}


domainlist    relay_to_domains = ${lookup mysql{RELAY_DOMAINS}}


hostlist      relay_from_hosts = localhost : 207.210.77.223


######################################################################
#                    MAIN CONFIGURATION SETTINGS                     #
######################################################################


#smtp_banner = "FULL_HOSTINFO ESMTP Exim
$version_number+ppsw+$compile_number $tod_full"
smtp_banner                  = "Creatronic CC SMTP Server"


acl_smtp_helo = acl_check_helo
acl_smtp_rcpt = acl_check_rcpt
#acl_smtp_auth = acl_check_auth
#acl_smtp_mime = acl_check_mime
acl_smtp_data = acl_check_data

receive_timeout = 15m

exim_group                   = mail
exim_user                    = mail
never_users                  = root


trusted_users                = mail:michael
trusted_groups               = mail


# Do a name lookup of the calling host - good for logging and problem solving
host_lookup                  = * : !/etc/exim4/ip-allow


rfc1413_hosts                = *
rfc1413_query_timeout        = 0s
# RFC 822 domain literal format is not a good idea
# spammers are the only ones who really use this
allow_domain_literals = false


helo_allow_chars = _

# If a error message has been frozen it gets removed after 48h
ignore_bounce_errors_after = 2d
auto_thaw = 2h

timeout_frozen_after = 5d

# limits the number of simultaneously open files for single-key lookups
# that use regular files (that is, lsearch, dbm, and cdb)
lookup_open_max = 100

message_size_limit = 15M

# If a message is frozen tell the mailmaster (Could result in a flood of email)
# freeze_tell_mailmaster = true

# Ensure there is enough space otherwise do not accept
# mail till space has been made
check_log_space = 100M
check_spool_space = 100M

# Delay warnings
delay_warning = 4h:12h:24h

# Delay warnings
delay_warning_condition = "${if
match{$h_precedence:}{(?i)bulk|list|junk}{no}{yes}}"

# Abandon queue runs if the load reaches this
deliver_queue_load_max = 15

# Check to see if a domain has any illegal characters
# & reject if it does as it is then not legitimate
dns_check_names_pattern = (?i)^(?>(?(1)\.|())[^\W_](?>[a-z0-9-]*[^\W_])?)+$

# Retry of DNS lookups
dns_retrans = 0s

# If people reply to error messages rather reply to Postmaster
errors_reply_to = postmaster@???


bounce_return_message = false

# Set maximum number of incoming connections
smtp_accept_max = 500

# checks that there is enough space in the spool directory.s
# partition to accept a message
smtp_check_spool_space = false

# Reserve SMTP connections for local domain (as in smtp_reserve_hosts).
# Good idea for companies with branches or when using multiple servers
smtp_reserve_hosts = 127.0.0.1 : *.creatronic.com

# Set maximum number of incoming connections from a specific host
smtp_accept_max_per_host = 60
#smtp_accept_max_nonmail = 10
# maximum number of waiting SMTP connections.
smtp_connect_backlog = 50

# Message Filter - a file which is used to all messages
system_filter = /etc/exim4/exim-mail_filter

# Accept incoming connections from reserved hosts if load is above this
# (See smtp_reseve_hosts above)
smtp_load_reserve = 20

# system load average is higher than this value, incoming messages from all
# sources are queued, and no automatic deliveries are started.
# This also affect smtp_reserve_hosts
queue_only_load = 25

# Maximum number of queue-running processes that an Exim
# daemon will run simultaneously.
queue_run_max = 20

# Controls parallel delivery of one message to a number of remote hosts.
# If the value is less than 2, parallel delivery is disabled, and Exim does
# all the remote deliveries for a message one by one. Otherwise, if a single
# message has to be delivered to more than one remote host, or if several copies
# have to be sent to the same remote host, up to remote_ max_parallel
# deliveries are done simultaneously.
remote_max_parallel = 200

# Maximum number of received headers allowed for mail loop detection
received_headers_max = 80

# If this option is set greater than zero, it specifies the maximum number of
# original recipients for any message. Additional recipients that are generated
# by aliasing or forwarding do not count. SMTP messages get a 452 response for
# all recipients over the limit; earlier recipients are delivered as normal.
# Non-SMTP messages with too many recipients are failed, and no
deliveries are done.
# Note: The RFCs specify that an SMTP server should accept at least 100 RCPT
# commands in a single message.
# Maximum number of recipients
recipients_max = 40

# When there are a number of remote deliveries for a message, they are sorted by
# domain into the order given and delivered in priority per the list
# The order of the domains denotes their priority
remote_sort_domains = *.creatronic.com : *.co.za : *.org.za : *.za.net
: *.za : *

# Timeout value for SMTP reception
smtp_receive_timeout = 2m

# Split the spool directory into 62 subdirectories.
# Greatly improves performance . especially on busy systems
split_spool_directory = true

# Maximum message size when a message is bounced
# This option is an obsolete synonym for bounce_return_size_limit.
# return_size_limit = 20k
# Limit in bytes on the size of messages that are returned to senders as
# part of bounce messages (Default 100K)
bounce_return_size_limit = 20k

# Redundant pairs of angle brackets round .route-addr. items in addresses are
# stripped. For example, <<xxx@???>> is treated as <xxx@???>.
# If this is in the envelope and the message is passed on to another MTA,
# the excess angle brackets are not passed on. If this option is
# not set, multiple pairs of angle brackets cause a syntax error.
strip_excess_angle_brackets = true

# The trailing dot at the end of a domain in an address is ignored.
# If this is in the envelope and the message is passed on to another MTA,
# the dot is not passed on. If this option is not set, a dot at the end
# of a domain causes a syntax error. However, addresses in header lines are
# checked only when an ACL requests header syntax checking.
strip_trailing_dot = true

# Used to suppress the advertisement of the SMTP PIPELINING extension to
# specific hosts. When PIPELINING is not advertised and smtp_enforce_sync
# is true, an Exim server enforces strict synchronization for each SMTP
# command and response. When PIPELINING is advertised, Exim assumes that
# clients will use it; .out of order. commands that are .expected. do not
# count as protocol errors (see smtp_max_synprot_errors).
pipelining_advertise_hosts = :

# From Exim 4.53, this option is obsolete but kept for backward compatibility
# helo_try_verify_hosts = *

# By default, Exim uses bland messages such as .Administrative prohibition.
# when it rejects SMTP commands for policy reasons. Many sysadmins like
# this because it gives away little information to spammers. However, some
# other syadmins who are applying strict checking policies want to give out
# much fuller information about failures.
# Setting smtp_ return_ error_ details true causes Exim to be more forthcoming.
# (Good for debugging but not recommended for live sites)
smtp_return_error_details = false

# Used to reduce or increase the number of things written to the log files.
# Its arguments are made up of names preceded by plus or minus characters.
#log_selector = +all
log_selector = +all_parents \
                        +smtp_confirmation \
                        +smtp_syntax_error \
                        +deliver_time \
                        +queue_run



################################################################################
#                             ACL CONFIGURATION                                #
#             Specifies access control lists for incoming SMTP mail            #
################################################################################


begin acl


#-<HELO ACL>----------------------------------------------------------------------
acl_check_helo:

    accept hosts = :


    accept hosts = SERVER_IP : +relay_from_hosts


  drop condition = ${if match{$sender_helo_name}{SERVER_IP}{yes}{no} }
     log_message = Rejected - Spammer pretending to be us
         message = "Dropped spammer pretending to be us"
           delay = 5m


  deny condition = ${if isip {$sender_helo_name}{true}{false}}
     log_message = IP Address $sender_helo_name in HELO greeting
         message = "IP address in HELO greeting"
           delay = 3m



accept
#-</HELO ACL>---------------------------------------------------------------------

#-<RCPT ACL>----------------------------------------------------------------------
acl_check_rcpt:

accept hosts = :

  deny   message = Restricted characters in email address
     local_parts = ^[.] : ^.*[@%!/|] : ^.*/\\.\\./
     log_message = DENY : Restricted characters in email address
         domains = +local_domains
           delay = 30s


  drop     hosts = net-iplsearch;/etc/exim4/exim-reject-hosts
         message = Connection Denied for $sender_host_address - blacklisted host
     log_message = Denied $sender_host_address - blacklisted host
           delay = 20s


require verify = sender

  accept domains = +local_domains
     local_parts = postmaster


  deny   message = Connection denied for $sender_address - blacklisted sender
     log_message = Denied $sender_address - blacklisted sender
         senders = lsearch;/etc/exim4/exim-bouncelist
           delay = 30s


# RBL Checking
  deny   message = DNSBL listed at $dnslist_domain\n$dnslist_text
        dnslists = sbl-xbl.spamhaus.org : \
                   list.dsbl.org : \
                   bl.spamcop.net : \
                   dnsbl.ahbl.org : \
                   cn-kr.blackholes.us : \
                   dynablock.njabl.org
           delay = 3m
   !sender_domains = lsearch;/etc/exim4/exim-domain_whitelist


# Legitimate bounces are never sent to more than one recipient
  deny condition = $recipients_count
         message = Legitimate bounces are never sent to more than one recipient.
     log_message = DENY : Legitimate bounces are never sent to more
than one recipient.
         senders = : postmaster@*


# Anti-dictionary attack.  See http://www.configserver.com/free/eximdeny.html
# for a more intelligent method
# If more than 4 unkown recipients are received within a single connection
# It is more than like spammers fishing by trying a dictionary of localparts
  deny condition = ${if >{$rcpt_fail_count}{3} {1}{0}}
         domains = +local_domains
         message = Multiple unknown users - Suspected dictionary attack.
     log_message = DENY : Multiple unknown users ($rcpt_fail_count) -
Suspected dictionary attack.
         !verify = recipient
           delay = ${eval:30*$rcpt_fail_count}s


  accept authenticated  = *
#      add_header = X-Authenticated: $authenticated_sender
      add_header = X-AuthenticatedID: $authenticated_id


  accept domains = +local_domains
         endpass
         message = unknown user
          verify = recipient
      set acl_m0 = $local_part@$domain


  accept domains = +relay_to_domains
         endpass
         message = unrouteable address
          verify = recipient
 #     set acl_m1 = $domain


accept hosts = +relay_from_hosts

  deny   message = authentication required - relay not permitted
     log_message = DENY : authentication required - relay not permitted


#-</RCPT ACL>---------------------------------------------------------------------

#-<AUTH ACL>--------------------------------------------------------------------

acl_check_auth:
# Have nothing to put here - maybe the rewrite?
accept

#-</AUTH ACL>--------------------------------------------------------------------
#-<MIME ACL>----------------------------------------------------------------------

## Causes temp failure - fix it! :
## 2007-03-24 21:25:45 1HVBs0-0007AS-Ur H=ug-out-1314.google.com
[66.249.92.175] F=<milegrin@???> temporarily rejected during
MIME ACL checks: cannot check header contents in ACL for MIME (only
possible in ACL for DATA)
#acl_check_mime:
#  warn   !verify = header_syntax
#  warn   !verify = header_sender
#
#  deny   message = This message contains a MIME error ($demime_reason)
#     log_message = DENY : MIME error ($demime_reason)
#       condition = ${if <{$message_size}{32k}{1}{0}}
#          demime = *
#       condition = ${if >{$demime_errorlevel}{2}{1}{0}}
#
#  deny   message = File type unacceptable (filename: $mime_filename)
#       condition =
${lookup{${lc:${sg{$mime_filename}{^.+\\.([a-zA-Z0-9]+)\$}{\$1}}}} \
#                     lsearch{/etc/exim4/exim-rejected_file_type}{yes}{no}}
#
#accept
#-</MIME ACL>---------------------------------------------------------------------


#-<DATA ACL>----------------------------------------------------------------------
acl_check_data:

# Hosts and authenticated clients listed here will not be scanned by SA & ClamAV
  accept  hosts          =  +relay_from_hosts : SERVER_IP
  accept  authenticated  =  *


#-</DATA ACL>---------------------------------------------------------------------

accept


###############################################################################
#                             ROUTERS CONFIGURATION         #
#                      Specifies how addresses are handled         #
#################################################################################
#            THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT!         #
#        An address is passed to each router in turn until it isaccepted.      #
#################################################################################


begin routers

#---------------------------------------------------------------------------------

dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more
#---------------------------------------------------------------------------------

mailman_router:
  driver = accept
  require_files = MAILMAN_HOME/lists/$local_part/config.pck
  local_part_suffix_optional
  local_part_suffix = -bounces : -bounces+* : \
                             -confirm+* : -join : -leave : \
                             -owner : -request : -admin
  transport = mailman_transport
#---------------------------------------------------------------------------------


mysql_vacation:
  driver = accept
  condition = ${if and { {!match {$h_precedence:}{(?i)junk|bulk|list}} \
                           {eq {${lookup mysql{select users.on_vacation \
                           from users,domains \
                           where localpart = '${quote_mysql:$local_part}' \
                           and domain = '${quote_mysql:$domain}' \
                           and users.on_vacation = '1' \
                           and users.domain_id=domains.domain_id}}}{1}
}} {yes}{no} }
  no_verify
  no_expn
  unseen
  transport = virtual_vacation_delivery
#---------------------------------------------------------------------------------


mysql_forward:
  driver = redirect
  check_ancestor
  data = ${lookup mysql{select forward from users,domains \
                           where localpart='${quote_mysql:$local_part}' \
                           and domain='${quote_mysql:$domain}' \
                           and users.domain_id=domains.domain_id \
                           and on_forward = '1'}}
# We explicitly make this condition NOT forward mailing list mail!
  condition = ${if and { {!match {$h_precedence:}{(?i)junk|bulk|list}} \
                           {eq {${lookup mysql{select users.on_forward \
                           from users,domains \
                           where localpart = '${quote_mysql:$local_part}' \
                           and domain = '${quote_mysql:$domain}' \
                           and users.on_forward = '1' \
                           and users.domain_id=domains.domain_id}}}{1}
}} {yes}{no} }
#---------------------------------------------------------------------------------


mysql_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup mysql{select smtp from users,domains \
                           where localpart='${quote_mysql:$local_part}' \
                           and domain='${quote_mysql:$domain}' \
                           and users.domain_id=domains.domain_id \
                           and users.type='alias'}}
#---------------------------------------------------------------------------------


mysql_user:
  driver = accept
  condition = ${if eq{} {${lookup mysql {SELECT concat(pop,'/',smtp) \
                            FROM users,domains \
                           WHERE username = \


'${quote_mysql:$local_part}@${quote_mysql:$domain}'}}}{no}{yes}}
retry_use_local_part
transport = virtual_delivery
#---------------------------------------------------------------------------------

mysql_catchall:
  driver = redirect
  allow_fail
#MLG  data = ${lookup mysql{select smtp from users,domains where
localpart = '*' \
  data = ${lookup mysql{select smtp from users,domains where localpart = '*' \
                           and domain = '${quote_mysql:$domain}' \
                           and users.domain_id = domains.domain_id}}
  retry_use_local_part
  file_transport = virtual_delivery
  reply_transport = address_reply


#---------------------------------------------------------------------------------

virtual_domain_alias:
  driver = redirect
  allow_fail
  data = ${lookup mysql{select concat('${quote_mysql:$local_part}@', domain) \
                           from domains,domainalias \
                           where domainalias.alias = '${quote_mysql:$domain}' \
                           and domainalias.domain_id = domains.domain_id}}
  retry_use_local_part
#---------------------------------------------------------------------------------



###########################################################################
#                             TRANSPORTS CONFIGURATION       #
###########################################################################
#                              ORDER DOES NOT MATTER            #
#            Only one appropriate transport is called for each
delivery.        #
#####################################################################


begin transports

#---------------------------------------------------------------------------------

remote_smtp:
driver = smtp
#---------------------------------------------------------------------------------

virtual_delivery:
  driver = appendfile
  maildir_format = true
  create_directory = true
  directory = ${lookup mysql{select concat(pop,'/',smtp) from users,domains \
                           where localpart = '${quote_mysql:$local_part}' \
                           and domain = '${quote_mysql:$domain}' \
                           and users.domain_id = domains.domain_id}}
  user = 8
  group = 12
  quota = ${lookup mysql{select users.quota from users,domains \
                           where localpart = '${quote_mysql:$local_part}' \
                           and domain = '${quote_mysql:$domain}' \
                           and users.domain_id = domains.domain_id}{${value}M}}
  quota_is_inclusive = false
  quota_size_regex = ,S=(\d+):
  quota_warn_threshold = 75%
  maildir_use_size_file = false
  quota_warn_message = "To: $local_part@$domain\n\
                        Subject: Your mailbox has reached a warning threshold \
                        This message was automatically generated by
the mail delivery software\n\
                        and is sent from an unmonitored address -
please do not reply!\n\n\
                        You are now using over 75% or
${extract{quota}{${address_data}}} of your allocated mail storage
quota.\n\n\
                        If your mailbox fills completely, further
incoming messages sent to $local_part@$domain\n\\
                        will be automatically\n returned to their senders.\n\n\
                        WARNING : Exceeding your quota will result in
a loss of email!!\n\n\
                        Please take note of this and remove unwanted
mail from your mailbox.\n"
#---------------------------------------------------------------------------------


virtual_vacation_delivery:
  driver   = autoreply
  log = /var/spool/exim4/exim_vacation.log
  once =/var/spool/exim4/db/vacation.db
  once_repeat = 1d
  from     = "${local_part}@${domain}"
  to       = ${sender_address}
  subject  = "Autoreply from ${local_part}@${domain}"
  text     = ${lookup mysql{select vacation from users,domains \
                           where domain='${quote_mysql:$domain}' \
                           and localpart='${quote_mysql:$local_part}' \
                           and users.domain_id=domains.domain_id}}
#---------------------------------------------------------------------------------


address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add
#---------------------------------------------------------------------------------

address_reply:
driver = autoreply


#################################################################################
#                             RETRY CONFIGURATION         #
#################################################################################


begin retry


# Domain               Error       Retries
# ------               -----       -------


*                      quota
*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h



#################################################################################
#                             REWRITE CONFIGURATION         #
#################################################################################


begin rewrite


#################################################################################
#                          AUTHENTICATION CONFIGURATION         #
#################################################################################


begin authenticators

plain_login:
        driver = plaintext
        public_name = PLAIN
        server_condition = ${lookup mysql{SELECT '1' FROM users \
                           WHERE username = '${quote_mysql:$2}' \
                           AND clear = '${quote_mysql:$3}'} {yes}{no}}
        server_set_id = $2


fixed_login:
        driver = plaintext
        public_name = LOGIN
        server_prompts = "Username:: : Password::"
        server_condition = ${lookup mysql{SELECT '1' FROM users \
                           WHERE username = '${quote_mysql:$1}' \
                           AND clear = '${quote_mysql:$2}'} {yes}{no}}
        server_set_id = $1


fixed_cram:
        driver = cram_md5
        public_name = CRAM-MD5
        server_secret = ${lookup mysql{SELECT clear FROM users \
                           WHERE username = '${quote_mysql:$1}'}{$value}fail}
        server_set_id = $1


# End of Exim configuration