[exim] Cannot fix open relay

Author: Paolo Crosato
Date:  
To: exim-users
Subject: [exim] Cannot fix open relay
Hi, I'm trying to troubleshoot an email server running exim 4.22. I
cannot upgrade the MTA or install packages on the machine. The issue I'm
trying to resolve is that the SMTP server is considered an open relay
by spamlists and thus it's getting banned.
I've been working on the ACL configuration without success; basically I
need all local users to be able to send out mails, and only
authenticated users should be able to send mail from outer domains.
Here is the acl_check_rcpt part, I know it's really messy. I've been
trying to patch it following suggestions from all over the net, without
success. Can anyone help me spot where the error is?
I suspect there is a lot of redundancy here.
Also, is there a way to show the values that variables like
local_domains have?

Thanks in advance for any suggestion.

acl_check_rcpt:
  accept hosts = :

  deny   message     = Restricted characters in address
         domains     = +local_domains
         local_parts = ^[.] : ^.*[@%!/|]

  deny   message     = Restricted characters in address
         domains     = !+local_domains
         local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

  accept local_parts = postmaster
         domains     = +local_domains

  require verify = sender

  accept hosts = +relay_from_hosts

  accept authenticated = *

  require message = relay not permitted
          domains = +local_domains : +relay_domains

  require verify = recipient

  drop   message  = REJECTED - ${sender_host_address} is blacklisted at $dnslist_domain ($dnslist_value); ${dnslist_text}
         dnslists = sbl-xbl.spamhaus.org/<;$sender_host_address;$sender_address_domain

  drop   message  = REJECTED - ${sender_address_domain} is blacklisted at ${dnslist_domain}; ${dnslist_text}
         dnslists = nomail.rhsbl.sorbs.net/$sender_address_domain

  drop   message  = REJECTED - ${sender_host_address} is blacklisted at ${dnslist_domain}; ${dnslist_text}
         dnslists = bl.spamcop.net : cbl.abuseat.org : list.dsbl.org

  deny   message        = Feel dizzy, spammer?
         hosts          = !+relay_from_hosts
         !authenticated = *
         log_message    = blatantly bogus HELO
         !acl           = acl_whitelist_local_deny
         condition      = ${if or {\
                               {match {$sender_helo_name}{^(.*\\\.)?(PUBLIC_DOMAIN\\\.com|ubi\\\.intra|PUBLIC_DOMAIN\\\.it)\$}}\
                               {match {$sender_helo_name}{^\\\d+\\\.\\\d+\\\.\\\d+\\\.\\\d+\$}}\
                               {eq {$sender_helo_name}{PRIVATE_IP}}\
                          } {1}{0}}

  deny   message        = Direct-to-MX transfers are deprecated, especially on bogus hosts.
         hosts          = !+relay_from_hosts
         log_message    = unqualified HELO
         !authenticated = *
         !acl           = acl_whitelist_local_deny
         condition      = ${if match {$sender_helo_name}{\\\.} {0}{1}}

  deny   message     = Bhahwhahaha!!!
         hosts       = !+relay_from_hosts
         log_message = External mail for root not allowed.
         local_parts = root
         condition   = ${if eq {$received_protocol}{local} {0}{1}}

  # Use WCM to defer messages that are coming from outside networks
  defer  hosts          = !+relay_from_hosts
         !authenticated = *
         !acl           = acl_whitelist_local_deny
         verify         = recipient
         log_message    = WCM caused defer
         condition      = ${run {/usr/lib/exim4/wcm /var/lib/exim4/wcm.btree $sender_host_address $sender_helo_name $sender_address $rcpt_count}{1}{0}}

  discard hosts     = +relay_from_hosts
          condition = ${if eq {$received_protocol}{local} {0}{1}}
          senders   = :

  # Do not accept remote drops for local emails
  deny   message        = Sorry, this email address is configured for internal use only.
         hosts          = !+relay_from_hosts
         !acl           = acl_whitelist_local_deny
         !authenticated = *
         verify         = recipient
         local_parts    = /etc/localonly

  accept domains = +local_domains
         endpass
         message = unknown user
         verify  = recipient

  # try to verify the original sender before relaying anyway
  deny   log_message    = Sender verification failed.
         sender_domains = *.intra
         !acl           = acl_whitelist_local_deny

  accept domains = +relay_to_domains
         endpass
         message = unrouteable address
         verify  = recipient

  deny   domains = !+local_domains
         message = Relaying denied

  deny   message = relay not permitted


--

Paolo Crosato
Ubiest SPA
http://www.ubiest.com
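One way to check the relay behaviour described in the post from the outside-host perspective, as an added example that is not part of the original message: `exim -bh` runs the ACLs in a simulated SMTP session "as if from" a given IP address without accepting or delivering anything, so a 2xx reply to an outside-to-foreign RCPT TO shows the relay hole directly. The IPs and addresses below are constructed assumptions; as for printing list values, my understanding is that `exim -bP domainlist local_domains` (and `hostlist relay_from_hosts`) outputs the named list on 4.x, which is worth confirming on your build.

```shell
#!/bin/sh
# Added example, not from the original post: probe your own Exim for open
# relaying with `exim -bh`, which runs a fake SMTP session as if from the
# given IP, exercising the ACLs without accepting or delivering mail.
# Assumptions: exim is on PATH; every IP and address here is constructed.

# relay_probe IP MAIL_FROM RCPT_TO
# Prints "relayed" when RCPT TO gets a 2xx reply, "rejected" otherwise.
relay_probe() {
  _ip=$1 _from=$2 _to=$3
  # HELO (not EHLO) keeps every reply on one line, so filtering on the
  # final-reply form "NNN " yields, in order: banner, HELO, MAIL, RCPT,
  # QUIT replies; the 4th line is therefore the RCPT TO verdict.
  # The ">>>" and "****" diagnostics that -bh prints never match.
  _rcpt=$(printf 'HELO probe.example\r\nMAIL FROM:<%s>\r\nRCPT TO:<%s>\r\nQUIT\r\n' \
            "$_from" "$_to" \
          | exim -bh "$_ip" 2>&1 \
          | grep -E '^[0-9]{3} ' \
          | sed -n '4p')
  # A session dropped or refused earlier (HELO/MAIL) yields no 4th reply;
  # that is not a relay either.
  case $_rcpt in
    2*) echo relayed ;;
    *)  echo rejected ;;
  esac
}

# relay_check [OUTSIDE_IP] [LOCAL_RCPT] [FOREIGN_RCPT]
# Policy from the post: an unauthenticated outside host may deliver to a
# local mailbox but must be refused for a foreign domain. Returns non-zero
# (the server is an open relay) if the foreign recipient is accepted.
relay_check() {
  outside=${1:-203.0.113.9}            # constructed: not in relay_from_hosts
  local_rcpt=${2:-someone@ubi.intra}   # constructed local recipient
  foreign_rcpt=${3:-external@example.net}
  printf 'outside -> local  : %s\n' \
    "$(relay_probe "$outside" probe@example.org "$local_rcpt")"
  r=$(relay_probe "$outside" probe@example.org "$foreign_rcpt")
  printf 'outside -> foreign: %s\n' "$r"
  [ "$r" = rejected ]
}
# Usage: source this file, then run relay_check (optionally with your own
# outside IP, a real local address and a foreign address) as a user that
# may run exim.
```

Repeat the probe with an address from relay_from_hosts and, after AUTH, from an outside address to confirm the two permitted paths still work.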