Re: [exim] Exim Restrict outgoing relay by ip address

Author: jwexler
Date:  
To: 'exim users'
Subject: Re: [exim] Exim Restrict outgoing relay by ip address
Bill (W.B. Hacker) - Thank you immensely. Over the last 3 days, I have been
working on this based on the direction that you provided and appear to
have finally achieved our primary security objectives (outlined in
my initial post).

It seems that the $smtp_command in the case of email for non-TLS relaying is
of the form MAIL FROM: <> (where there is a space between the colon and the
first "<". The address being between <>.)
Regular inbound email that is not for relay appears to be of the form MAIL
FROM:<> where there is no space between the colon and the first "<".
Thus, I distinguished between the two by checking for a match on these two
strings (i.e., whether a space exists or not).

Question 1: Does anyone know if this is always the case (i.e., that a space
is present for receipt of outbound relay email but not present for inbound
regular email for local delivery)? I am hoping that the difference of a
space is always the case so that they can be distinguished in this way.

Question 2: Is $received_protocol always ESMTP for inbound email that is for
local delivery and SMTPS for outgoing encrypted TLS relay email?

By the way, in past weeks, I had also tried to restrict authorizations via
the auth_advertise_hosts variable (and other methods) as well but had not
been able to get it working that way. I also had not gotten any results when
I tried to use acl_smtp_auth and subsequently acl_smtp_mailauth. I wonder if
it is because there was a final "accept" in the acl_check_mail acl or if it
is because I am using Ubuntu.

The following is the solution that worked for us:

#### Setting additions for /etc/exim4.conf.template of Ubuntu.

### MAIN CONFIGURATION SETTINGS section:

MAIN_TLS_ENABLE = yes

# Note that there is a standard setting later in the script that will check
# whether MAIN_RELAY_NETS is defined and if so will set
# relay_from_hosts = MAIN_RELAY_NETS
# The following are some examples of IP address forms. Separate with a
# colon. The ones that end in .0/24 and .0.0/24 allow for matching multiple
# IPs.
MAIN_RELAY_NETS = a.b.c.0/24:e.f.g.h:i.j.0.0/24
MAIN_TLS_ADVERTISE_HOSTS = MAIN_RELAY_NETS

daemon_smtp_ports = smtp : 587


### Appended to the end of the acl_check_mail acl (just before the final
### accept statement, which I commented out):

## Case of unencrypted (non-TLS) relay:
   deny
        !encrypted = *
        # The following statement matched for relay but NOT regular receipt
        # (the client sent a space between "MAIL FROM:" and "<")
        condition = ${if eq{${uc:${substr_0_12:$smtp_command}}}{MAIL FROM: <}{yes}{no}}


## Case of unencrypted (non-TLS) receipt:
   accept
        !encrypted = *
        # The following statement did NOT match for relay but DID match for
        # regular receipt (no space between "MAIL FROM:" and "<")
        condition = ${if eq{${uc:${substr_0_11:$smtp_command}}}{MAIL FROM:<}{yes}{no}}
        !condition = ${if eq{${uc:${substr_0_5:$received_protocol}}}{SMTPS}{yes}{no}}
        # Not sure if it is a good idea to limit acceptance to only ESMTP. Note
        # that negating SMTPS is necessary either way. Will apply this limit for
        # now and see if any issues arise.
        condition = ${if =={${strlen:$received_protocol}}{5}{yes}{no}}
        condition = ${if eq{${uc:${substr_0_5:$received_protocol}}}{ESMTP}{yes}{no}}
        !condition = ${if eq{$interface_port}{587}}


## Case of encrypted (TLS) relay:
   accept
        encrypted = *
        hosts     = : +relay_from_hosts
        condition = ${if =={${strlen:$received_protocol}}{5}{yes}{no}}
        condition = ${if eq{${uc:${substr_0_5:$received_protocol}}}{SMTPS}{yes}{no}}
        condition = ${if eq{$interface_port}{587}}


## Disable the acceptance of all other cases
# Comment out the last accept in this acl (acl_check_mail)
#accept

#### Then separately run the following 3 commands:
1) /etc/init.d/exim4 stop
2) update-exim4.conf
3) /etc/init.d/exim4 start

Hope this helps other folks trying to do similar security settings on
outbound email relay with Exim 4 on Ubuntu.
If anyone has insight into the 2 questions at the top of this email, that
would be great. Thanks.

Regards,
Jeff
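An added example, not the configuration posted in this thread: the same two objectives expressed in the RCPT-time ACL, where Exim already knows whether a recipient is one of our own domains (inbound delivery) or someone else's (relay), so nothing has to be read out of $smtp_command. It assumes the standard named lists local_domains and relay_from_hosts (the Debian template fills the latter from MAIN_RELAY_NETS), daemon_smtp_ports = smtp : 587 from the settings above, and Exim 4.68's $tls_cipher variable.

```exim
# Added example, not the configuration from this thread. Assumes the standard
# named lists (domainlist local_domains, hostlist relay_from_hosts, which the
# Debian template fills from MAIN_RELAY_NETS) and daemon_smtp_ports = smtp : 587.

# Main section: offer STARTTLS to everyone, but only offer AUTH once the
# session is encrypted, so credentials never cross the wire in clear.
# ($tls_cipher is empty until TLS has been negotiated.)
tls_advertise_hosts  = *
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:

  # Inbound delivery: mail for our own domains is accepted from any IP.
  # endpass turns a failed recipient verification into a rejection instead
  # of letting the RCPT fall through to the relay rules below.
  accept  domains = +local_domains
          endpass
          verify  = recipient

  # Relay: the recipient is not ours, so all four conditions must hold:
  # approved source network, submission port, TLS, and a successful AUTH.
  accept  hosts         = +relay_from_hosts
          condition     = ${if eq{$interface_port}{587}}
          encrypted     = *
          authenticated = *

  # Anything else is a relay attempt outside the policy; record the source.
  deny    message     = relay not permitted
          log_message = relay attempt from $sender_host_address on port $interface_port
```

Once TLS and AUTH are in play, $received_protocol takes forms such as esmtps and esmtpsa, which is why the example keys on the encrypted and authenticated conditions rather than on that string.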

-----Original Message-----
From: exim-users-bounces@??? [mailto:exim-users-bounces@exim.org] On
Behalf Of W B Hacker
Sent: Saturday, November 08, 2008 5:08 PM
To: exim users
Subject: Re: [exim] Exim Restrict outgoing relay by ip address

jwexler@??? wrote:
> I am moving our email server from MS Exchange to Exim on Ubuntu 8.04.1.
> Version of Exim is 4.68.
>
> As one of our security layers, we restrict authorization to send/relay
> email via our mail server from approved IP networks only. Whether this is a
> perfect method or not is irrelevant as it is but one of our security
> layers and we do not need to allow relaying from the world.
>
> I need to be able to restrict the sending of outgoing email via our
> servers by IP but need to allow the receipt and delivery of inbound email
> from any IP.
>
> I have spent over 2 weeks scouring the web, reading through the Exim specs
> and doc and other resources and have tried many many ways to achieve this
> goal but to no success yet and am becoming very desperate. I will need to
> give up on Exim if I cannot achieve this and have already invested a huge
> amount of time into this.
>
> In summary:
>
> * Restrict ability to relay outgoing email from our servers by IP (Normal
> encrypted TLS username/password also required of course)
>
> * Allow inbound delivery of email from any IP
>
> Does anyone know whether this can be done and if so how?
>
> I would truly appreciate any help on this.
>
> Regards,
>
> Jeff
>


Jeff,

The reason you aren't finding what you seek may be that Exim ordinarily
uses two separate, but more specific means of restriction. Both are
referenced in the largely self-documenting default configure file:

- For servers or 'pools' of servers:

Simply use the:

hostlist relay_from_hosts =

to authorize those in your 'community' and no others.

Further ...

- For individuals:

Require authentication to send from desktops or laptops, ordinarily via
enforcing TLS connection to port 587 (and no other) with a UID and PWD
Exim considers 'valid'.

The valid user list or DB may be local and/or fully or partially sourced
from any or any mixture of, several places, including LDAP off an MS PDC
or Exchange server if reducing duplication of admin is of interest.
Supported formats range from flat files to heavy-lifter SQL DB's and
everything in between.

Advantage: Your 'roaming' users need not change their MUA settings when
traveling. Unlike port 25, port 587 is rarely blocked to end-users.


As to limiting to source IP in general - Exim can do that, AND by
subsets that consider which incoming local IP, port, and even protocol
used are to match what distant IP(s) as well.

Search for things of this sort:

server_advertise_condition

${if eq{$tls_cipher}

accept condition

${if eq{${uc:$smtp_command_argument}}{CRAM-MD5}

condition = ${if eq{$interface_port}{587}}

!condition = ${if eq{$received_protocol}{smtps}}

hosts       = : +relay_from_hosts


condition = ${lookup{$sender_host_address}lsearch .....

(part of an IP whitelist call here...)


Exim can also enforce a requirement for matching PEM certs instead of,
or in addition to, login UID:PWD.

You don't need to 'give up' on Exim.

You may need to look beyond the Debian-based Ubuntu Exim environment,
and find what you need - and much more - in the 'standard' configurations.

Then either use those ('standard' Exim instead of the specialized
configurators), or sort out how to apply what you find to the environment
you have chosen.

Not only is all you need 'there' - most of us have been using it for
years, so it is a surprise you haven't already run across what you seek.

HTH,

Bill



--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/