Re: [exim] How to limit to authenticate user to send mails p…

Author: Michael Deutschmann
Date:  
To: exim-users
Subject: Re: [exim] How to limit to authenticate user to send mails per Hour
On Tue, 17 Sep 2013, Lena@??? wrote:
> > From: Michael Deutschmann
>
> > Despite the reference to "per Hour" in the subject, I think what he's
> > asking for is not rate limiting, but making sure that all relayed mail is
> > sent "from" the mailbox assigned to the user who owns the credentials.
>
> Some honest users need to send mail with "From:" and envelope-from
> different from $authenticated_id . For example, *-owner @ yahoogroups.com,
> @ ieee.org - they don't offer outgoing relay, only incoming forwarder.


Supporting that is problematic. If the user specifies a forged envelope
sender and the recipient refuses it in-transaction, you will backscatter
at that envelope domain. To avoid this, it would be quite reasonable to
lock down the MAIL FROM by default, and only add narrow exceptions on
explicit request.

However, if it's really essential to avoid the support calls, there are
two minimal steps you can take:

First, when they are using the "correct" domain, you have nothing to lose
by forcing them to use the correct local part.

If it is an outside domain, you could run an SPF check against your
smarthost's own outgoing IP and the requested MAIL FROM:. If the result
is softfail or fail, then it's safe to assume that domain does not approve
of such use. You can't do this with the "spf =" ACL command, but it
looks like it can be done in Exim with the spf lookup (which doesn't seem
to be documented anywhere...).

---- Michael Deutschmann <michael@???>
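The two minimal steps described in the message above, sketched as an Exim MAIL ACL. This is an added example, not configuration from the original post or from the Exim project. It assumes an Exim build with SPF support, a domainlist named `local_domains`, authenticators whose `server_set_id` leaves the bare local part in `$authenticated_id`, and a placeholder macro `SMARTHOST_OUT_IP` and variable `acl_m_spf_out` chosen for illustration.

```exim
# Added example. SMARTHOST_OUT_IP, acl_check_mail and acl_m_spf_out are
# illustrative names; 192.0.2.25 is a documentation-range placeholder for
# the address your smarthost uses for outbound SMTP.
SMARTHOST_OUT_IP = 192.0.2.25

acl_smtp_mail = acl_check_mail

begin acl

acl_check_mail:

  # Step 1: the sender claims one of our own domains, so the local part
  # must be the mailbox that owns the credentials.
  deny    authenticated   = *
          sender_domains  = +local_domains
          condition       = ${if !eqi{$sender_address_local_part}{$authenticated_id}}
          message         = Sender address must be your own mailbox

  # Step 2: outside domain. Evaluate that domain's SPF record against our
  # own outgoing IP (not the client's). fail or softfail means the domain
  # does not approve of being relayed through this host.
  deny    authenticated   = *
          !senders        = :
          !sender_domains = +local_domains
          set acl_m_spf_out = ${lookup {$sender_address} spf {SMARTHOST_OUT_IP}}
          condition       = ${if match{$acl_m_spf_out}{\N^(soft)?fail$\N}}
          message         = $sender_address_domain does not permit relaying \
                            through this host (SPF: $acl_m_spf_out)

  # Stands in for the rest of your existing MAIL ACL.
  accept
```

Results other than fail and softfail (pass, neutral, none, or an error) fall through to the remaining rules, so a domain that publishes no SPF record is still accepted by this check.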