Re: [exim] open relay aftermath

Quoting Moritz Wilhelmy (from 14/02/11 11:03):
>> Not a good idea to change Exim like that.
> Actually, I believe it doesn't require to "change" the exim code for that. You
> just need to append to a file, which I believe, exim already supports. Exim

Yes, it's called logging, and Exim already does this.

> already knows where the relay attempt came from, and tcp_wrappers support
> include-directives (according to hosts_access(5), it can include files), so
> including a /var/run/exim/hosts.deny from within the global config would be
> possible as well, if you don't want to give exim write permissions on the
> global tcp_wrapper configuration file(s).

You don't want to give Exim or any other system daemon file access
permissions to anything beyond the strict minimum required to do its job.

> Any objections?

Loads :-) Linux is not the only platform, tcp_wrappers is not the only
host firewall, many networks have edge defences a long way away from
their accessible hosts. Standard logging is sufficient. And making
host-level security decisions isn't the job of an MTA.

> Can't tell anything about fail2ban, but why run another daemon if exim is
> sufficient? Especially denyhosts (which I run) is very resource hungry in my
> experience.

There's no need for logging and log analysis to be running on the same
host as your MTA, if you have resource issues.

I just think you're overcomplicating things. Exim is an MTA, it already
logs all the data you need to make firewall changes, there's no point in
asking it to do something distro/task-specific.

-jim