[exim] SMTP_VRFY Acl help?

Páxina inicial
Borrar esta mensaxe
Responder a esta mensaxe
Autor: nikd
Data:  
Para: exim-users
Asunto: [exim] SMTP_VRFY Acl help?

Hey guys,

we use this spam filter called ModusGate (pretty good product. very
efficient at cutting down the spam, but could use more logging/search
features, and allow more customization).

The problem is, that it uses a per user license. So for this reason, I need
to have it verify that the addresses it is receiving mail for are verified
with the DA server prior to creating an account on the ModusGate server for
the address. It can use SMTP or SMTP_VRFY. Right now, I have a domain setup
using SMTP_VRFY, and it is creating accounts for all incoming emails.. which
means that all the dictionary attacks that spammers use are using up user
licenses. Obviously, I don't want to enable SMTP_VRFY for all incoming
connections, as that would open us up to dictionary farming.

In any case, I was hoping one of you guys could help me set this up. I'm
pretty n00bish at this, so you'll have to be very patient with me. I've
tried my best to get it working by myself, but I'm at the end of my skills,
and need some help now. My exim.conf isn't default, which is probably why
I'm having trouble figuring it out. It was created as part of a control
panel install (DirectAdmin), and has lots of customizations.

The ModusGate documentation has the following to say on the subject. The
specific mention of Exim leads me to believe that I'll be needed to play
around with the ACLs in exim.conf.

http://kb.vircom.com/Kbase/print.asp?id=1263&Lang=1&SID=
-------------------
Quote:
Product: ModusGate

Version & Build: All

ModusGate can be configured to work with most Unix-based and Windows MTA
servers. This is achieved by using the forward lookup option (Automatically
populate user list) found in the Console, under Connection - Properties -
General. This setting establishes the type of communication that will be
used between ModusGate and the mail and/or authentication server to
determine if the recipient address exists on the local system or not:

If the response from the mail/authentication server is an invalid mailbox
type error, Modus rejects the message and bounces it back to the sending
server with a delivery failure report, thus providing security for your mail
server and reducing its load at the same time.
If the address does exist, Modus accepts the message for processing and
sends it to the mail server for local delivery (assuming it's not
quarantined or deleted because of content, based on ModusGate's settings)
If there is no specific invalid mailbox response from the mail server, the
address is assumed to be good and is accepted and processed by Modus

This latter behavior often occurs when using a simple SMTP connection for
the forward lookup and it depends entirely on how the mail server itself
handles invalid addresses. The downside to this behavior is that mailboxes
for invalid names automatically created on the ModusGate server and counted
towards your licensed user limit.

To prevent this from happening, it is recommended that you use one of the
other selections such as SMTP_VRFY or OpenLDAP, if your server and/or
network configuration supports the use of these options. For example, most
mail servers do not natively support SMTP_VRFY but some can be tweaked to
accept it (e.g. by making a change in the Registry). To find out of your
mail server can use this option, please consult your product manual and/or
website for configuration details. NOTE: For information about Exim server
configuration, go to http://www.exim.org/

The following is a list of available forward lookup or authentication
options. The one you should use depends on what your mail server is able to
support:

SMTP: This provides no authentication (see above). It simply allows a
straight SMTP connection between ModusGate and the mail server and relies on
the mail server itself to reject messages sent to invalid addresses. Use
this setting only if the mail server does not support one of the other
authentication options. Otherwise, consider using Disabled (see below).

SMTP_VRFY: Use this setting only if the mail server supports it (possibly by
making a change in the Registry - consult your mail server documentation for
configuration details)

Open LDAP: This is the recommended method for most mail servers that support
LDAP (excluding Exchange and Lotus)

Disabled: This can be used if one of the above settings is not a viable
option and if the SMTP connection does not provide enough security for your
system. This setting turns off the automatic mailbox creation and requires
that you manually enter the valid user names in the Users panel of the
ModusGate Console. While it requires more work to set up, it offers
protection from abuse for both the ModusGate and the mail server by limiting
the permitted mail to only the addresses specified.
-----------


This is what I have in the "ACL Section" of my exim.conf:
acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message
#acl_smtp_vrfy = permit_vrfy

# define local lists

domainlist blacklist_domains = lsearch;/etc/virtual/blacklist_domains 
domainlist whitelist_from = lsearch;/etc/virtual/whitelist_from       
domainlist local_domains = lsearch;/etc/virtual/domains               
domainlist relay_domains = lsearch;/etc/virtual/domains : localhost   
domainlist use_rbl_domains = lsearch;/etc/virtual/use_rbl_domains     
hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts : 127.0.0.1 : 
[modusgate IP]
hostlist auth_relay_hosts = *



Thanks a lot for any help you can provide.
-nik

--
View this message in context: http://www.nabble.com/SMTP_VRFY-Acl-help--tp18820261p18820261.html
Sent from the Exim Users mailing list archive at Nabble.com.