Re: [exim] how could i authenticate local users ?

Góra strony
Delete this message
Reply to this message
Autor: Dominic Benson
Data:  
Dla: exim-users
Temat: Re: [exim] how could i authenticate local users ?
On 14/09/11 02:26, freeman wrote:
> Hey,Todd,Thanks for your reply. you said "
> There is no need to require smtp authentication for a local user that is
> sending if the recipient is also a local user. "
>
> but now the mail server suffered from spams. because the spammer know some of the senders and recipients ( local users could send mails
> each other),
> so he could easily send emails from the known local user to the another . although the mail server is not spammed as
> open relay ,but the spammer sometimes disrupts it. so how i could authenticate local users without rejecting the outsider? thanks very much.
>
>

The problem is not that local users don't need to authenticate to send
to other local users (no user does), rather that you aren't validating
the sender in any way.

There are a few things that you can do, each with upsides and downsides,
but the essence is this:

- you need your

accept domains      = +my_domains


to come after

accept authenticated = *

and some sort of deny/require condition

One of the things you could have is an SPF check (providing you publish
SPF for your hosted domains) - see http://wiki.exim.org/SPF
The key issue with it is that forwarding of mail can get broken. If that
isn't a problem, or you can live with the consequences, it is a simple
solution to this problem. You could further restrict the check to
senders claiming to be local users.

Another candidate would be DNSBLs - see
http://www.exim.org/exim-html-current/doc/html/spec_html/ch40.html#SECTmorednslists
This setup is a tradeoff between FPs and FNs, there are only a few that
are really safe to use as straight blockers.

DKIM could help you, if you always sign outbound and require it on mail
from your domains, but the signature is too easily broken by things like
mailing lists for it to be, in my opinion, a better plan than the above.


You might want to consider setting up Spamassassin to combine a variety
of these approaches. It is capable of being less of a blunt instrument.