Re: [exim] how to secure alias-overtakings by other mailacco…

Author: Chris Wilson
Date:  
To: Chris Knadle
CC: exim-users
Subject: Re: [exim] how to secure alias-overtakings by other mailaccounts
Hi all,

On Mon, 18 Feb 2013, Chris Knadle wrote:

> On Sunday, February 17, 2013 15:46:19, Deep Thought wrote:
>> Dear Sir or Madam,
>>
>> I am using Exim on my server and realized that any user can overtake a
>> mail address created by a user account. So it seems that for example, I
>> can just enter an Alias or even change my sender mailaddress for example
>> in Thunderbird to any mail addresses created by the account.

[...]
>> How can I secure it? Is there any setting to change this behaviour? That
>> the owner of the mail address has to agree on using its mail address as
>> an alias or sender mail address from another account?
>
> To do this (theoretically) you'd have to give Exim some way to /reliably/
> identify the user sending an email, independent of what the outbound email
> address is, and then "validate" an outbound email address with the user in an
> ACL rule.
>
> I don't know how various machines and/or mail clients respond to identd
> queries, but in _theory_ identd (RFC 1413) was meant to help identify the
> remote user in some way for abuse situations. However some implementations
> (like slidentd) give back "secured" information, where it gives out fake
> numbers but locally logs the answer it gave vs what the real information is,
> so I don't think it would be sane to rely on identd for this purpose.


I'd say that user authentication (requiring auth to send mail "from" your
domain) and a lookup list of allowed email addresses for each account
would "secure" it. Note that it doesn't prevent anyone on the rest of the
Internet from forging your email addresses. There is currently no way
to prevent that because email is not secure. (DKIM helps, but not many
recipients require valid DKIM headers, so it's possible to fool almost all
recipients anyway).

But if you really want to do it, something like this (completely from
memory and untested) might work:

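acl_check_data: ...

# Refuse unauthenticated mail whose From: header uses one of our domains.
# $h_from: needs its trailing colon; +local_domains is the named domain list.
deny    set acl_m_sender_address = ${address:$h_from:}
        set acl_m_sender_domain = ${domain:$h_from:}
        condition = ${if match_domain \
            {$acl_m_sender_domain}{+local_domains}}
        message = Only authenticated users can send mail from our domain
        ! authenticated = *

# Authenticated users may only use the addresses listed for their login.
# "<," makes the looked-up value a comma-separated list, as in the file below.
deny    authenticated = *
        set acl_m_allowed_addrs = ${lookup {$authenticated_id} \
            lsearch {/etc/exim/user_allowed_addresses}}
        message = $authenticated_id is not allowed to call themselves \
            $acl_m_sender_address
        condition = ${if !match_address \
            {$acl_m_sender_address}{<, $acl_m_allowed_addrs}}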


And then put allowed addresses in /etc/exim/user_allowed_addresses:

     john:    john@???, johnsmith@???
     sue:    sue@???, susan@???


Cheers, Chris.
-- 
_____ __     _
\  __/ / ,__(_)_  | Chris Wilson <chris+sig@???> Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Ruby/Perl/SQL Developer |
\__/_/_/_//_/___/ | We are GNU : free your mind & your software |
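
The policy described in this message can be checked offline against a candidate mapping file before it goes into the ACL. The following Python sketch is an added example, not part of the original post or of Exim: it parses the "login: address, address" format shown above and returns the accept/deny decision for a given From: header and authenticated login. The domain example.org, the LOCAL_DOMAINS set and the function names are assumptions made for illustration.

```python
from email.utils import parseaddr

# Assumption: stands in for Exim's local_domains list.
LOCAL_DOMAINS = {"example.org"}

# Constructed sample in the lookup-file format from the message.
ALLOWED_FILE = """\
# login: addresses this login may put in From:
john:    john@example.org, johnsmith@example.org
sue:     sue@example.org, susan@example.org
"""

def parse_allowed(text):
    """Parse 'login: addr, addr' lines into {login: set(addresses)}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        addrs = {a.strip().lower() for a in value.split(",") if a.strip()}
        table[key.strip().lower()] = addrs
    return table

def check_from(from_header, authenticated_id, allowed):
    """Return (accepted, reason), mirroring the two deny rules."""
    _, addr = parseaddr(from_header)       # strips any display name
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    if not authenticated_id:
        # Rule 1: a local-domain From: requires authentication.
        if domain in LOCAL_DOMAINS:
            return False, "Only authenticated users can send mail from our domain"
        return True, "unauthenticated mail with a foreign From: domain"
    # Rule 2: an authenticated login may only use its listed addresses.
    if addr not in allowed.get(authenticated_id.lower(), set()):
        return False, f"{authenticated_id} is not allowed to call themselves {addr}"
    return True, "address is listed for this login"

if __name__ == "__main__":
    allowed = parse_allowed(ALLOWED_FILE)
    cases = [("John Smith <johnsmith@example.org>", "john"),
             ("sue@example.org", "john"),
             ("Sue <sue@example.org>", None),
             ("someone@example.net", None)]
    for header, login in cases:
        print(login, header, check_from(header, login, allowed))
```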