Re: [exim] Exim Restrict outgoing relay by ip address

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] Exim Restrict outgoing relay by ip address
jwexler@??? wrote:
> I am moving our email server from MS Exchange to Exim on Ubuntu 8.04.1.
> Version of Exim is 4.68.
>
> As one of our security layers, we restrict authorization to send/relay email
> via our mail server from approved IP networks only. Whether this is a
> perfect method or not is irrelevant as it is but one of our security layers
> and we do not need to allow relaying from the world.
>
> I need to be able to restrict the sending of outgoing email via our servers
> by IP but need to allow the receipt and delivery of inbound email from any
> IP.
>
> I have spent over 2 weeks scouring the web, reading through the Exim specs
> and doc and other resources and have tried many many ways to achieve this
> goal but to no success yet and am becoming very desperate. I will need to
> give up on Exim if I cannot achieve this and have already invested a huge
> amount of time into this.
>
> In summary:
>
> * Restrict ability to relay outgoing email from our servers by IP (Normal
> encrypted TLS username/password also required of course)
>
> * Allow inbound delivery of email from any IP
>
> Does anyone know whether this can be done and if so how?
>
> I would truly appreciate any help on this.
>
> Regards,
>
> Jeff
>


Jeff,

The reason you aren't finding what you seek may be that Exim ordinarily
uses two separate, but more specific means of restriction. Both are
referenced in the largely self-documenting default configure file:

- For servers or 'pools' of servers:

Simply use the:

hostlist relay_from_hosts =

to authorize those in your 'community' and no others.

Further ...

- For individuals:

Require authentication to send from desktops or laptops, ordinarily via
enforcing TLS connection to port 587 (and no other) with a UID and PWD
Exim considers 'valid'.

The valid user list or DB may be local and/or fully or partially sourced
from any or any mixture of, several places, including LDAP off an MS PDC
or Exchange server if reducing duplication of admin is of interest.
Supported formats range from flat files to heavy-lifter SQL DB's and
everything in between.

Advantage: Your 'roaming' users need not change their MUA settings when
traveling. Unlike port 25, port 587 is rarely blocked to end-users.


As to limiting to source IP in general - Exim can do that, AND by
subsets that consider which incoming local IP, port, and even protocol
used are to match what distant IP(s) as well.

Search for things of this sort:

server_advertise_condition

${if eq{$tls_cipher}

accept condition

${if eq{${uc:$smtp_command_argument}}{CRAM-MD5}

condition = ${if eq{$interface_port}{587}}

!condition = ${if eq{$received_protocol}{smtps}}

hosts       = : +relay_from_hosts


condition = ${lookup{$sender_host_address}lsearch .....

(part of an IP whitelist call here...)


Exim can also enforce a requirement for matching PEM certs instead of,
or in addition to, login UID:PWD.

You don't need to 'give up' on Exim.

You may need to look beyond the Debian-based Ubuntu Exim environment,
and find what you need - and much more - in the 'standard' configurations.

Then either use those ('standard' Exim instead of the specialized
configurators), or sort how to apply what you find to the environment
you have chosen.

Not only is all you need 'there' - most of us have been using it for
years, so it is a surprise you haven't already run across what you seek.

HTH,

Bill
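A minimal RCPT ACL that puts both halves of the advice above into one place, added here as an illustration and not taken from the original post or from any Exim distribution: inbound mail for the local domains is accepted from any IP, while relaying to remote recipients is allowed only from the trusted hostlist or from an authenticated, TLS-encrypted session on port 587. It assumes the standard Exim 4 configure layout (hostlist/domainlist names as in the default file); the domains and address ranges are placeholders.

```exim
# Added example configuration (not from the thread). Placeholder values:
# replace the domains and networks with your own.
domainlist local_domains   = example.org : example.net
hostlist   relay_from_hosts = 127.0.0.1 : 192.0.2.0/24 : 198.51.100.10

# Listen on 25 (MX traffic) and 587 (submission), offer STARTTLS on both.
daemon_smtp_ports   = 25 : 587
tls_advertise_hosts = *

# Only advertise AUTH once the session is encrypted, so a UID:PWD pair
# is never offered or sent in clear text. ($tls_cipher as in Exim 4.68.)
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Recipient is one of our own domains: this is inbound delivery,
  # accept it from any source IP (add verification/DNSBL checks as needed).
  accept  domains       = +local_domains

  # From here on the recipient is remote, i.e. a relay request.
  # 1) Trusted servers / pools in our 'community' may relay.
  accept  hosts         = +relay_from_hosts

  # 2) Individuals may relay only when authenticated over TLS on 587.
  accept  authenticated = *
          encrypted     = *
          condition     = ${if eq{$interface_port}{587}}

  # Everything else is refused: no relaying for the world.
  deny    message       = relay not permitted
```

Test with a session from an address outside relay_from_hosts: RCPT TO a local domain should get 250, RCPT TO a foreign domain should get 550 "relay not permitted" unless the session first completed STARTTLS and AUTH on port 587.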