Re: [exim] Preventing Sender Forgery .

Author: Oliver von Bueren
Date:
To: exim-users
Subject: Re: [exim] Preventing Sender Forgery .
JDavila@??? wrote:
> How can I prevent Sender Forgery for my server? A lot of people in my
> company are getting e-mails from themselves. Any ideas will be greatly
> appreciated.
>

Only allow local domains to be used on authenticated SMTP sessions on
the submission port. I've been doing this here for a long time with no
probs. Below is an excerpt of the relevant configuration stuff, stripped
down to the essentials for this problem.

This setup assumes that all messages originating from your domains are
sent out through your own servers and not any other ISP provider mail
relays! Otherwise you run into problems if one of your users sends out a
mail to a recipient within your local_domains, as the ISP smarthost
would then send a message to one of your users with a sender address out
of your local_domains.
But this should not be a problem if you run a submission port anyway,
simply instruct all users on how to connect to your mail server
regardless of their provider/location.

Oliver


# Port 25 and local submissions result in TRUE here
IS_MTA_PORT = or{ \
                   {eq{$interface_port}{25}} \
                   {eq{$interface_port}{-1}} \
                 }


# Use different RCPT ACLs for MTA and MUA
acl_smtp_rcpt = ${if IS_MTA_PORT {acl_check_rcpt}{acl_check_rcpt_mua}}

acl_check_rcpt:
  # Deny if sender uses local_domains as a sender, which is not expected here
  deny   sender_domains = +local_domains
         log_message    = SMTP-SENDER-ADDRESS-AUTH-ONLY
         message        = Sender Domain only allowed on authenticated submission port sessions


acl_check_rcpt_mua:
  # MUA must authenticate
  deny    message        = Authentication is required to send messages
          log_message    = SMTP-SUBMISSION-NO-AUTHENTICATION
          !authenticated = *
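
Added example, not part of the original post: a small log triage script for the two log_message tags set in the ACLs above. It groups rejections by sending host so that a legitimate relay caught by the port 25 rule (the ISP smarthost case described in the post) can be told apart from hosts sending mail where sender and recipient are the same address. The log line layout is assumed to follow Exim's usual main-log "rejected RCPT" format, and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# log_message tags taken from the ACLs in the post
TAG_FORGED = "SMTP-SENDER-ADDRESS-AUTH-ONLY"
TAG_NOAUTH = "SMTP-SUBMISSION-NO-AUTHENTICATION"

# Assumed layout of an Exim main-log RCPT rejection:
#   <date> <time> H=<name> [<ip>] ... F=<sender> rejected RCPT <rcpt>: <tag>
REJECT_RE = re.compile(
    r"^\S+ \S+ H=(?:.*? )?\[(?P<ip>[0-9A-Fa-f.:]+)\].*? F=<(?P<sender>[^>]*)> "
    r"rejected RCPT <(?P<rcpt>[^>]*)>: (?P<tag>\S+)"
)

# Constructed sample lines (documentation addresses, not real traffic)
SAMPLE_LOG = """\
2024-05-01 09:12:01 H=(mail.example.net) [203.0.113.7] F=<alice@example.com> rejected RCPT <alice@example.com>: SMTP-SENDER-ADDRESS-AUTH-ONLY
2024-05-01 09:12:04 H=(mail.example.net) [203.0.113.7] F=<bob@example.com> rejected RCPT <bob@example.com>: SMTP-SENDER-ADDRESS-AUTH-ONLY
2024-05-01 09:15:30 H=relay.isp.example [198.51.100.20] F=<carol@example.com> rejected RCPT <dave@example.com>: SMTP-SENDER-ADDRESS-AUTH-ONLY
2024-05-01 09:16:02 H=relay.isp.example [198.51.100.20] F=<carol@example.com> rejected RCPT <erin@example.com>: SMTP-SENDER-ADDRESS-AUTH-ONLY
2024-05-01 09:18:44 H=([192.0.2.55]) [192.0.2.55] F=<mallory@example.org> rejected RCPT <x@example.net>: SMTP-SUBMISSION-NO-AUTHENTICATION
2024-05-01 09:20:00 1sABCD-000001-AB <= frank@example.org H=mx.example.org [192.0.2.80] P=esmtp S=1234
"""

def summarize(log_text):
    """Return (forged, noauth): per-host stats for each rejection tag."""
    senders = defaultdict(set)
    forged = defaultdict(lambda: {"total": 0, "senders": 0, "self_addressed": 0})
    noauth = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue  # not a RCPT rejection (delivery lines and so on)
        ip, sender, rcpt = m["ip"], m["sender"].lower(), m["rcpt"].lower()
        if m["tag"] == TAG_FORGED:
            stats = forged[ip]
            stats["total"] += 1
            senders[ip].add(sender)
            stats["senders"] = len(senders[ip])
            # Sender equal to recipient is the "mail from themselves" pattern
            stats["self_addressed"] += sender == rcpt
        elif m["tag"] == TAG_NOAUTH:
            noauth[ip] += 1
    return dict(forged), noauth

if __name__ == "__main__":
    forged, noauth = summarize(SAMPLE_LOG)
    for ip, stats in sorted(forged.items()):
        print(ip, stats)
    print("unauthenticated submission attempts:", dict(noauth))
```
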