Re: [exim] How to stop spoofed "From" address

Author: eximlearning
Date:  
To: Exim Mailing List
Subject: Re: [exim] How to stop spoofed "From" address
Thanks Dean. Below is my ACL section (I use a cPanel server, so I don't
fully understand it.) Can you help me figure out where your helpful
code will go? I'm assuming right before the other lines that contain
"authenticated".

Also, do you see any conflicting code with other parts of the ACL?


Thanks,
Terry

begin acl

#!!# ACL that is used after the RCPT command
check_recipient:
# Exim 3 had no checking on -bs messages, so for compatibility
# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.
accept hosts = :


   # Accept bounces to lists even if callbacks or other checks would fail
   warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
            condition    = \
            ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                      {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                 {yes}{no}}


   accept   condition    = \
            ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                      {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                 {yes}{no}}



   # Accept bounces to lists even if callbacks or other checks would fail
   warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
            condition    = \
            ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                      {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                 {yes}{no}}


   accept   condition    = \
            ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                      {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                 {yes}{no}}


#if it gets here it isn't mailman

   accept  hosts = *
           authenticated = *



   #if they popped before smtp we just accept
   accept  condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/relayhosts}{1}{${if eq{$sender_host_address}{127.0.0.1}{1}{0}}}}
           add_header = ${perl{popbeforesmtpwarn}{$sender_host_address}}
   accept  hosts = +relay_hosts
           add_header = ${perl{popbeforesmtpwarn}{$sender_host_address}}


    #recipient verifications are now done after smtp auth and pop before smtp so the users get back bounces instead of
    # a clogged outbox in outlook


#recipient verifications are required for all messages that are not sent to the local machine
#this was done at multiple users requests
require verify = recipient



require verify = sender/callout=60s


# The only problem with this setup is that if the message is for multiple users on the same server
# and they are on different unix accounts, the settings for the first recipient which has spamassassin enabled will be used.
# This shouldn't be a problem 99.9% of the time, however it's a very small price to pay for a massive speed increase.


   warn  domains = ! ${primary_hostname} : +local_domains
     condition = ${if eq {${acl_m0}}{1}{0}{${perl{acl_checksa_deliver}{$domain}{${extract{5}{:}{${lookup{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}lsearch{/etc/passwd}{$value}}}}}}}}
     set acl_m0    = 1
     set acl_m1    = ${lookup{$domain}lsearch*{/etc/userdomains}{$value}}


   warn  domains = ${primary_hostname}
     condition = ${if eq {${acl_m0}}{1}{0}{${perl{acl_checkusersa}{$local_part}{${extract{5}{:}{${lookup{$local_part}lsearch{/etc/passwd}{$value}}}}}}}}
     set acl_m0    = 1
     set acl_m1    = $local_part



accept domains = +relay_domains

   deny    message = $sender_fullhost is currently not permitted to \
                         relay through this server. Perhaps you \
                         have not logged into the pop/imap server in the \
                         last 30 minutes or do not have SMTP Authentication turned on in your email client.



#!!# ACL that is used after the DATA command
check_message:
# Enabling this will make the server non-rfc compliant
# require verify = header_sender
accept hosts = 127.0.0.1 : +relay_hosts

   accept  hosts = *
           authenticated = *


   warn
     condition = ${if eq {${acl_m0}}{1}{1}{0}}
     spam =  ${acl_m1}/defer_ok
     log_message = "SpamAssassin as ${acl_m1} detected message as spam"
     add_header = X-Spam-Subject: ***SPAM*** $h_subject
     add_header = X-Spam-Status: Yes, score=$spam_score
     add_header = X-Spam-Score: $spam_score_int
     add_header = X-Spam-Bar: $spam_bar
     add_header = X-Spam-Report: $spam_report
     add_header = X-Spam-Flag: YES
     set acl_m2 = 1


   warn
   condition = ${if eq {${acl_m0}}{1}{${if eq {${acl_m2}}{1}{0}{1}}}{0}}
   add_header = X-Spam-Status: No, score=$spam_score
   add_header = X-Spam-Score: $spam_score_int
   add_header = X-Spam-Bar: $spam_bar
   add_header = X-Spam-Flag: NO
     log_message = "SpamAssassin as ${acl_m1} detected message as NOT spam"


deny
     condition = ${if eq {${acl_m0}}{1}{${if >{$spam_score_int}{200}{1}{0}}}{0}}
     log_message = "The mail server detected your message as spam and has prevented delivery (200)."
     message = "The mail server detected your message as spam and has prevented delivery."

accept

Dean Brooks wrote:
> On Sun, Oct 14, 2007 at 01:58:21PM -0500, eximlearning@??? wrote:
>
>> So I guess what I'm saying is how could I go about writing the following
>> rule as an ACL (possibly with a call from acl_smtp_data):
>>
>> "If the connection is SMTP and isn't authenticated, check the "From"
>> header address to see if it contains a local domain, and if it does,
>> reject the message with error:
>
> Well, if you have your local domains in a domainlist, such as:
>
>    domainlist localdomains = mydomain1.com : mydomain2.com
>
> then you could use something like:
>
> deny
>   ! authenticated = *
>   condition = ${if match_domain{${domain:${address:$h_from:}}}{+localdomains}}
>   message   = sorry, external MTA's and unauthenticated MUA's don't have \
>               permission to send email to this server with a header that \
>               states the email is from ${lc:${domain:${address:$h_from:}}}.
>
> Keep in mind that placement of this in your DATA ACL is important. The
> ACL would need to have already accepted email that is within your IP
> space. Otherwise, this will block email from your domain from *everyone*
> who hasn't used SMTP auth. Unless that is what you want, of course.
>
> --
> Dean Brooks
> dean@???
>
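The deny rule from Dean's reply placed into a DATA ACL of the shape Terry posted, as an added example rather than code from either poster. It assumes the `localdomains` domainlist from Dean's message, the `relay_hosts` hostlist and the `check_message` ACL name from Terry's config, and that the main section points `acl_smtp_data` at that ACL; the ordering is the point, since every accept for local, relaying and authenticated sources sits before the deny so that only outside, unauthenticated clients ever reach the From: check.

```exim
# Added example, not from either post. Assumed in the main section:
#   domainlist localdomains = mydomain1.com : mydomain2.com   (Dean's list)
#   hostlist   relay_hosts  = ...                              (Terry's list)
#   acl_smtp_data = check_message

check_message:

  # Local and pop-before-smtp hosts are trusted: they never see the From: check.
  accept  hosts = 127.0.0.1 : +relay_hosts

  # SMTP AUTH clients may legitimately send with a local From: domain.
  accept  hosts = *
          authenticated = *

  # Anyone left is an outside, unauthenticated client. If the From: header
  # claims one of our domains, reject. ${address:} pulls the bare address out
  # of the header (display name and comments stripped); ${domain:} takes its
  # domain part; match_domain tests it against the named domainlist.
  deny    !authenticated = *
          condition   = ${if match_domain{${domain:${address:$h_from:}}}{+localdomains}}
          log_message = rejected spoofed local From: from $sender_fullhost
          message     = sorry, external MTAs and unauthenticated MUAs may not send \
                        mail claiming to be from ${lc:${domain:${address:$h_from:}}}

  # ... the SpamAssassin warn/deny statements from the existing ACL go here ...

  accept
```

Two checks before relying on it. `exim -be '${domain:${address:"Terry T" <terry@mydomain1.com> (comment)}}'` shows what the expansion extracts from a realistic header value, and `exim -bh 203.0.113.5` (a constructed test address) runs a simulated inbound session in which you can type a DATA phase with a spoofed From: and watch which ACL statement fires. One caveat: when From: is missing or does not parse, `${address:}` yields an empty string, the domain is empty, `match_domain` is false and the message falls through, so this rule does not replace the commented-out `verify = header_sender` in Terry's ACL.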