Re: [exim] SMTP Abused

Author: Muhammad Irfan
To: exim users
Subject: Re: [exim] SMTP Abused
Well, my objective is that no one from the outside world can connect to our mail server
and send bulk emails using our domain email address, e.g.
abc@???, in case this account is compromised.

I have a couple more ideas to prevent SMTP abuse. Please suggest.

1) I thought I can configure a max no. of mails per hour, and change the ACL to
count the no. of messages at SMTP time and declare a threshold. If the no.
of emails counted at SMTP is greater than, let's say, 100, then discard the email and
consider it as spam.

2) Is it possible to configure two separate SMTPs in exim on different
ports? SMTP1 will listen on port 25 and will entertain internal users, and
SMTP2 on port 587 will serve the outside world. And configure a router
in exim so that internal domain users (@example.com) connect to SMTP1 and
others connect to SMTP2. Finally, block the SMTP1 port in the firewall against
connections from the outside world, so no one can connect to SMTP1 except the internal
network.

On Wed, Jun 6, 2012 at 10:48 AM, Muhammad Irfan <mirfan1981@???> wrote:

> On Wed, Jun 6, 2012 at 3:57 AM, W B Hacker <wbh@???> wrote:
>
>> Muhammad Irfan wrote:
>>
>>> I had a situation in the past when one of my domain POP3/SMTP user/pass
>>> combinations was compromised,
>>> and someone connected to our server (SMTP) with that user account to send
>>> bulk emails.
>>> I need to eliminate this sort of spam mechanism, so that in case an account is
>>> compromised no one can send emails to others using that user's email
>>> address.
>>> I have quite some users on my domain which acts as POP3 and SMTP also. I
>>> can't block the SMTP port on the server because it blocks the outside world also from
>>> sending emails to us.
>>> I thought of another idea, to use an open relay: I need to add another
>>> server
>>> configured as an open relay, and on the primary mail server I need to configure
>>> a manualroute router, e.g. if emails are sent from @example.com then relay to
>>> another.host.com, which is finally responsible for sending emails from that
>>> server, and on another.host.com, i.e. the relay server, I will allow only local
>>> users' @example.com IP addresses to connect via the firewall.
>>>
>>> So, the outside world can send from the primary mail server and in-domain
>>> users
>>> can send emails from the relay server.
>>> Please let me know if this approach is handy or if there is any other better
>>> way of doing this.
>>>
>>
>> ?? If you are doing it the 'usual' way, user-community submissions are all
>> coming in over port 587, AUTH is being insisted on, over TLS, AND NOT being
>> allowed to drop to insecure, but rDNS is NOT required (broadband pools fail
>> it).
>>
>> Port 25 is for the 'outside world', DOES do an rDNS check, wants TLS, but may
>> or may not insist on it, and does NOT offer 'auth'.
>>
>> End-users should not be allowed to auth or submit on port 25. WTH - if
>> their bandwidth-provider has his head on straight, they can't even *reach*
>> it.
>>
>> Put any of your own relays into port 24 - that's its job - and use
>> port-specific conditionals for that as need be.
>>
>> Now all you have to do is change the password after a suspected
>> compromise, and the account identity remains usable.
>>
>> No need for multiple servers. Exim can alter behaviour based on IP
>> and/or port.
>>
>> But even if you DO find a need, look at running two instances of Exim
>> with different configurations on the same box. Needs two or more 'listen'
>> IPs, IF they are even both 'listening'. One might not be.
>>
>> Side issue, but smtp, POP, IMAP CAN all have totally unrelated login
>> UID:PWD, and none of them actually have to include the email address in the
>> UID part, nor even in the mailstore structure.
>>
>> Between a mere 'alias' and full-scale DB, that can be as simple, or as
>> complicated as you have time to make it. Exim JF does as it is told and
>> motors on..
>>
>> Bill
>>
>> --
>> 韓家標
>>
>>
>> --
>> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
>> ## Exim details at http://www.exim.org/
>> ## Please use the Wiki with this list - http://wiki.exim.org/
>>
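An Exim ACL fragment, added here as an illustration and not part of either poster's configuration, that combines Irfan's two ideas with Bill's port split: one daemon listening on 25 and 587, AUTH advertised only on 587 and only after STARTTLS, a per-login rate limit of 100 messages per hour, and an rDNS check on port 25. It assumes a current Exim 4 with TLS certificates already configured and example.com as the only local domain.

```exim
# Added example: one Exim daemon, two ports, port-specific ACL behaviour.
# Assumes tls_certificate/tls_privatekey are set elsewhere in the config.
domainlist local_domains = example.com

daemon_smtp_ports   = 25 : 587
tls_advertise_hosts = *
# Advertise AUTH only on the submission port and only once TLS is up,
# so a password is never sent in clear and never usable on port 25.
auth_advertise_hosts = ${if and {{eq{$interface_port}{587}}{def:tls_in_cipher}} {*}{}}

acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_mail:
  # Port 587: refuse any envelope before STARTTLS and before AUTH.
  deny  condition      = ${if eq{$interface_port}{587}}
        !encrypted     = *
        message        = STARTTLS is required on the submission port
  deny  condition      = ${if eq{$interface_port}{587}}
        !authenticated = *
        message        = Authentication is required on the submission port

  # Idea 1: at most 100 messages per hour per login. 'strict' keeps
  # counting while the client is over the limit, so a bulk sender stays
  # blocked; the log line is the signal that the account may be stolen.
  deny  authenticated  = *
        ratelimit      = 100 / 1h / per_mail / strict / $authenticated_id
        message        = Too many messages from this account; try again later
        log_message    = RATELIMIT $authenticated_id at $sender_rate msgs/h (limit $sender_rate_limit)

  accept

acl_check_rcpt:
  # Authenticated submission (only reachable on 587) may relay anywhere.
  accept authenticated = *

  # Port 25 is for other MTAs: require rDNS and accept only our own domains.
  deny  condition      = ${if eq{$interface_port}{25}}
        !verify        = reverse_host_lookup
        message        = Reverse DNS lookup failed for $sender_host_address
  accept domains       = +local_domains
        verify         = recipient

  deny  message        = Relay not permitted
```

With this split the firewall rule Irfan proposed is no longer needed: a stolen password cannot be used on port 25 at all, and on 587 it is capped at 100 messages per hour and logged under the login name, so the compromised account is visible in the log before it can send bulk mail.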