Re: [exim] authentication / relay

Top Page
Delete this message
Reply to this message
Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] authentication / relay
Seth Dillingham wrote:
> On Thu, Apr 28, 2011 at 2:24 PM, Dave Evans<exim-users-20081202@???
>> wrote:
>
>> Please read http://wiki.exim.org/DontObfuscate then re-post with more
>> details
>> - I suspect that the key information is in your logs, but you've edited it
>> away when posting, which makes it hard for us to help you.
>>
>
> Here's the same as my first try, but de-obfuscated. My apologies!
>
> I'm running exim 4.72 to service a small number of users (less than 50) and
> to relay mail from a few groupware apps running on one particular machine (
> samson.free-conversant.com).
>
> Samson sends email 'from' quite a few different addresses. It can have any
> number of group projects, and each group project has a name, and the names
> become part of a cluster of associated email accounts, such as "
> project1-site@???" and "project1-calendar@???" and "
> project1-subscribe@???".
>
> I have samson's FQDN, ip address, and the verizon-generated FQDN for the
> public ip address (see below) all added to my relay-from-hosts file, which
> then looks something like this:


Cutting to the chase:

sampson *cannot* respond in the manner Exim expects so see from a
'sender verify'.

A) sampson MAY not even be reachable *at all* on the callback.
You did say Verizon...

;-)

B) sampson (probably) isn't even a full-fledged MTA, so cannot respond
even to a non-specifc sender-verify.

C) even sampson is both an MTA AND reachable, it almost certainly
doesn't have *specific* 'accounts' that could claimn receive mail to the
<generated> addresses that must be an exact match to the more
user-specific 'sender' Exim can attempt to verify. That can be faked -
bots do it all the time. But ask yourself how useful the ender-verify is
then?

sender-verify's best use IS between/among members of a collaborative
mob, wherein all hands have agreed to respond appropriately AND NOT
blacklist each other for it as abuse. Your situation fits that at first
glance.

But a key-player - 'sampson' - is UNABLE to play by the expected rules.
And - you probably already have 'good enough' source control loking at
the source IP.

CAVEAT: Any web-app warrants close watching and beefed up filtering.
ClamAV for sure. SA maybe. Ratelimit if need be.

Meanwhile:

Either exempt sampson from sender verify attempts, OR 'fix' sampson so
it CAN respond as expected.

Test and confirm first by turning sender-verify OFF altogether, as that
is fastest and simplest.

It may not be your only barrier, so keep an eye out for what else pops up.

Then go back with longer-term fix(es).

HTH,

Bill Hacker




>
> 74.103.212.3
> static-74-103-212-3.prvdri.fios.verizon.net
> samson.free-conversant.com
>
> The problem I'm having is that mail from samson is being rejected with
> verification errors. I thought I had exim configured to relay from samson
> correctly, but I've obviously done something wrong.
>
> I'm a n00b. Not going to pretend I know what's wrong. Here's an example
> rejection, from my mainlog:
>
> 2011-04-25 11:55:27 H=static-74-103-212-3.prvdri.fios.verizon.net (
> samson.free-conversant.com) [74.103.212.3] sender verify fail for<
> officesite.officeinsight-confirm@???>: Unknown user
>
> 2011-04-25 11:55:27 H=static-74-103-212-3.prvdri.fios.verizon.net (
> samson.free-conversant.com) [74.103.212.3] F=<
> officesite.officeinsight-confirm@???> rejected RCPT<
> primages@???>: Sender verify failed
>
> My exim.cf has this:
>
> Under the Main Configuration Settings:
>
> hostlist relay_from_hosts = lsearch;/etc/exim/relay-from-hosts
>
>
> my acl_check_rcpt contains (among lots of other things):
>
> acl_check_rcpt:
>
>    accept  hosts = :
>            control = dkim_disable_verify

>
>    deny    message       = Restricted characters in address
>            domains       = +local_domains
>            local_parts   = ^[.] : ^.*[@%!/|]

>
>    deny    message       = Restricted characters in address
>            domains       = !+local_domains
>            local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

>
>    deny    condition     = ${if eq {$sender_address_local_part}{postmaster} \
>                            {true}{false}}
>            sender_domains = +local_domains

>
>    deny    condition     = ${if eq {$sender_address_local_part}{nobody} \
>                            {true}{false}}
>            sender_domains = +local_domains

>
>    accept  local_parts   = postmaster
>            domains       = +local_domains

>
>    require verify        = sender

>
>    accept  hosts         = +relay_from_hosts
>            control       = submission
>            control       = dkim_disable_verify

>
>    accept  authenticated = *
>            control       = submission/sender_retain
>            control       = dkim_disable_verify
>            add_header    = X-Authenticated-Sender: ${sender_address}

>
>    require message = relay not permitted
>            domains = +local_domains : +relay_to_domains

>
>    require verify = recipient

>
>    accept

>
> (Sorry if this is hard to follow.)
>
> Can anyone help me figure this out?
>
> Seth