Re: [exim] Exim Restrict outgoing relay by ip address

Góra strony
Delete this message
Reply to this message
Autor: Ian Eiloart
Data:  
Dla: jwexler, 'exim users'
Temat: Re: [exim] Exim Restrict outgoing relay by ip address


--On 11 November 2008 11:16:08 +0900 jwexler@??? wrote:

> Bill (W.B. Hacker) - Thank you immensely. Over the last 3 days, I have
> been working on this based on the direction that you provided and appear
> to finally have finally achieved our primary security objectives
> (outlined in my initial post).
>
> It seems that the $smtp_command in the case of email for non-TLS relaying


TLS and relaying are completely orthogonal concepts. TLS is used to encrypt
a connection. It can (probably should) be used by all incoming connections
from your user clients, with authentication. Perhaps not from servers that
you control on your IP range, though.

TLS can also be used on outbound connections. It reduces (but doesn't
eliminate) the opportunity of third parties to read your email, but you are
entirely dependent on the receiving server supporting encryption.

> is of the form MAIL FROM: <> (where there is a space between the colon
> and the first "<". The address being between <>.)
> Regular inbound email that is not for relay appears to be of the form MAIL
> FROM:<> where there is no space between the colon and the first "<".
> Thus, I distinguished between the two by checking for a match on these two
> strings (i.e., whether a space exists or not).
>
> Question 1: Does anyone know if this is always the case (i.e., that a
> space is present for receipt of outbound relay email but not present for
> inbound regular email for local delivery)? I am hoping that the
> difference of a space is always the case so that they can be
> distinguished in this way.


No. It's entirely dependent on the nature of the client. Read
<http://www.apps.ietf.org/rfc/rfc2821.html> for a full understanding of
SMTP, but note that any client that gives you a space there is not strictly
conformant. Unfortunately, that's not unusual.

> Question 2: Is $received_protocol always ESMTP for inbound email that is
> for local delivery and SMTPS for outgoing encrypted TLS relay email?


NO. SMTP means what you think it means. The "E" prefix means it's using
Extended SMTP. Almost everything will nowadays, so it's a surprise that
you've found something else. The "S" suffix means "secure", and requires
both ends of the connection to support it. You're less likely to get an "S"
on outbound mail, and can only get it when the receiving server supports
it. Also, look for "A" for Authentication. Ideally all your local email
clients will use A with S, and probably E: ESMTPSA.

> By the way, in past weeks, I had also tried to restrict authorizations via
> the auth_advertise_hosts variable (and other methods) as well but had not
> been able to get it working that way. I also had not gotten any results
> when I tried to use acl_smtp_auth and subsequently acl_smtp_mailauth. I
> wonder if it is because there was a final "accept" in the acl_check_mail
> acl or if it is because I am using Ubuntu.
>
> The following is the solution that worked for us:
>
>#### Setting additions for /etc/exim4.conf.template of Ubuntu.
>
>### MAIN CONFIGURATION SETTINGS section:
>
> MAIN_TLS_ENABLE = yes
>
># Note that there is a standard setting later in the script that will check
> whether MAIN_RELAY_NETS is defined and if so will set relay_from_hosts =
> MAIN_RELAY_NETS
># The following are some examples of IP address forms. Separate with a
> colon. The one that ends in .0/24 and .0.0/24 allow for matching multiple
> IPs.
> MAIN_RELAY_NETS = a.b.c.0/24:e.f.g.h:i.j.0.0/24
> MAIN_TLS_ADVERTISE_HOSTS = MAIN_RELAY_NETS
>
> daemon_smtp_ports = smtp : 587
>
>
>### Appended to the end of the acl_check_mail acl (just before the final
> accept statement which I commented out):
>
>## Case of unencrypted (non-TLS) relay:
>    deny
>         !encrypted = *
># The following statement matched for relay but NOT regular receipt
>         condition = ${if eq{${uc:${substr_0_12:$smtp_command}}}{MAIL FROM:
> <}{yes}{no}}

>
>
>## Case of unencrypted (non-TLS) receipt:
>    accept
>         !encrypted = *
># The following statement did NOT match for relay but DID match for regular
> receipt
>         condition = ${if eq{${uc:${substr_0_11:$smtp_command}}}{MAIL
> FROM:<}{yes}{no}}
>         !condition = ${if
> eq{${uc:${substr_0_5:$received_protocol}}}{SMTPS}{yes}{no}}
># Not sure if good idea to limit acceptance to only ESMTP. Note that
> negating SMTPS is necessary either way. Will apply this limit for now and
> see if any issues arise.
>         condition = ${if =={${strlen:$received_protocol}}{5}{yes}{no}}
>         condition = ${if
> eq{${uc:${substr_0_5:$received_protocol}}}{ESMTP}{yes}{no}}
>         !condition = ${if eq{$interface_port}{587}}

>
>
>## Case unencrypted (TLS):
>    accept
>         encrypted = *
>         hosts       = : +relay_from_hosts
>         condition = ${if =={${strlen:$received_protocol}}{5}{yes}{no}}
>         condition = ${if
> eq{${uc:${substr_0_5:$received_protocol}}}{SMTPS}{yes}{no}}
>         condition = ${if eq{$interface_port}{587}}

>
>## Disable the acceptance of all other cases
># Comment out the last accept in this acl (acl_check_mail)
> #accept
>
>#### Then separately run the following 3 commands: 1) /etc/init.d/exim4
>#### stop
> 2) update-exim4.conf 3) /etc/init.d/exim4 start
>
> Hope this helps other folks trying to do similar security settings on
> outbound email relay with Exim 4 on Ubuntu.
> If anyone has insight into the 2 questions at the top of this email, that
> would be great. Thanks.
>
> Regards,
> Jeff
>
> -----Original Message-----
> From: exim-users-bounces@??? [mailto:exim-users-bounces@exim.org] On
> Behalf Of W B Hacker
> Sent: Saturday, November 08, 2008 5:08 PM
> To: exim users
> Subject: Re: [exim] Exim Restrict outgoing relay by ip address
>
> jwexler@??? wrote:
>> I am moving our email server from MS Exchange to Exim on Ubuntu 8.04.1.
>> Version of Exim is 4.68.
>>
>> As one of our security layers, we restrict authorization to send/relay
> email
>> via our mail server from approved IP networks only. Whether this is a
>> perfect method or not is irrelevant as it is but one of our security
> layers
>> and we do not need to allow relaying from the world.
>>
>> I need to be able to restrict the sending of outgoing email via our
> servers
>> by IP but need to allow the receipt and delivery of inbound email from
>> any IP.
>>
>> I have spent over 2 weeks scouring the web, reading through the Exim
>> specs and doc and other resources and have tried many many ways to
>> achieve this goal but to no success yet and am becoming very desperate.
>> I will need to give up on Exim if I cannot achieve this and have already
>> invested a huge amount of time into this.
>>
>> In summary:
>>
>> * Restrict ability to relay outgoing email from our servers by IP (Normal
>> encrypted TLS username/password also required of course)
>>
>> * Allow inbound delivery of email from any IP
>>
>> Does anyone know whether this can be done and if so how?
>>
>> I would truly appreciate any help on this.
>>
>> Regards,
>>
>> Jeff
>>
>
> Jeff,
>
> The reason you aren't finding what you seek may be that Exim ordinarily
> uses two separate, but more specific means of restriction. Both are
> referenced in the largely self-documenting default configure file:
>
> - For servers or 'pools' of servers:
>
> Simply use the;
>
> hostlist relay_from_hosts =
>
> to authorize those in your 'community' and no others.
>
> Further ...
>
> - For individuals:
>
> Require authentication to send from desktops or laptops, ordinarily via
> enforcing TLS connection to port 587 (and no other) with a UID and PWD
> Exim considers 'valid'.
>
> The valid user list or DB may be local and/or fully or partially sourced
> from any or any mixture of, several places, including LDAP off an MS PDC
> or Exchange server if reducing duplication of admin is of interest.
> Supported formats range from flat files to heavy-lifter SQL DB's and
> everything in between.
>
> Advantage: Your 'roaming' users need not change their MUA settings when
> traveling. Unlike port 25, port 587 is rarely blocked to end-users.
>
>
> As to limiting to source IP in general - Exim can do that, AND by
> subsets that consider which incoming local IP, port, and even protocol
> used are to match what distant IP(s) as well.
>
> Search for things of this sort:
>
> server_advertise_condition
>
> ${if eq{$tls_cipher}
>
> accept condition
>
> ${if eq{${uc:$smtp_command_argument}}{CRAM-MD5}
>
> condition = ${if eq{$interface_port}{587}}
>
> !condition = ${if eq{$received_protocol}{smpts}}
>
> hosts       = : +relay_from_hosts

>
> condition = ${lookup{$sender_host_address}lsearch .....
>
> (part of an IP whitelist call here...)
>
>
> Exim can also enforce a requirement for matching PEM certs instead of,
> or in addition to, login UID:PWD.
>
> You dont need to 'give up' on Exim.
>
> You may need to look beyond the Debian-based Ubuntu Exim environment,
> and find what you need - and much more - in the 'standard' configurations.
>
> Then either use those, ('standard' Exim instead of the specialized
> configurators). Or sort how to apply what you find to the environment
> you have chosen.
>
> Not only is all you need 'there' - most of us have been uing it for
> years, so it is a surprise you haven't already run across what you seek.
>
> HTH,
>
> Bill
>
>
>
> --
>## List details at http://lists.exim.org/mailman/listinfo/exim-users
>## Exim details at http://www.exim.org/
>## Please use the Wiki with this list - http://wiki.exim.org/




--
Ian Eiloart
IT Services, University of Sussex
x3148