Re: [exim] Allow mail sending only from certain IP's

Startseite
Nachricht löschen
Nachricht beantworten
Autor: basti
Datum:  
To: exim-users
Betreff: Re: [exim] Allow mail sending only from certain IP's
Good morning Heiko,

Someone hacked my Mail server. In the exim logfile are many lines like

2014-05-29 10:51:58 1Wpw46-00056z-67 <= vabih@???
H=(atozcwqyxdmh) [178.120.55.35] P=esmtpa
A=fixed_login:mailaddress@??? S=377
2014-05-29 10:51:59 1Wpw46-00056z-67 => bclar@??? R=dnslookup
T=remote_smtp H=mx2.optonline.net [167.206.4.79]
2014-05-29 10:51:59 1Wpw46-00056z-67 Completed
2014-05-29 10:52:17 1Wpw4O-00057H-S4 <= bu@???
H=node-204-239-139-95.domolink.tula.net (xvwgfmt) [95.139.239.204]
P=esmtpa A=fixed_login:mailaddress@??? S=397
2014-05-29 10:52:18 1Wpw4O-00057H-S4 => an_other_address@???
R=dnslookup T=remote_smtp H=mx-ha02.web.de [213.165.67.120]
X=TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256 DN="C=DE,O=1&1 Mail & Media
GmbH,ST=Rhineland-Palatinate,L=Montabaur,CN=mx-ha02.web.de"
2014-05-29 10:52:18 1Wpw4O-00057H-S4 Completed
2014-05-29 10:52:25 1Wpw4W-00057g-DA <= hupem@???
H=node-79-228-28-94.domolink.tula.net (hkueycr) [94.28.228.79] P=esmtpa
A=fixed_login:mailaddress@??? S=421
2014-05-29 10:52:25 no IP address found for host
5-43-134-194.k-telecom.org (during SMTP connection from [5.43.134.194])
2014-05-29 10:52:28 1Wpw4W-00057g-DA =>
also_an_other_address@??? R=dnslookup T=remote_smtp
H=al-ip4-mx-vip2.prodigy.net [144.160.235.144]
2014-05-29 10:52:28 1Wpw4W-00057g-DA Completed

I have only changed the password of the hacked account.
There are only 2 PC's where this mail address is received I have checked
this with "Kaspersky Rescue Disk" but nothing was found.

For privacy the mail address and the domain are anonymised to
mailaddress@???.

Your idea to use the authenticator is good but the mail server is used
for multiple domains and I just want to restrict this one which was hacked.
Can I check the domain in the authenticator with a "if-else" like loop?

if (domain == example.com) then
{
 plain:
            driver = ..
            server_condition = ${if and{\
                {def:tls_cipher}\


{match_ip{$sender_host_address}{iplsearch;/etc/exim4/hosts-auth-ok}}}}
}
else
{
 plain:
            driver = ..
            server_condition = ${if and{\
                {def:tls_cipher}\
                ...


}


An other idea is to check the sender:

vabih@???
bu@???
hupem@???

does not exist on my mailserver.

Best regards,
Basti

Am 02.06.2014 20:57, schrieb Heiko Schlittermann:
> Hello,
>
> basti <mailinglist@???> (Mo 02 Jun 2014 09:36:57 CEST):
>> Hello,
>> last week someone get the password of some mail addressees administered
>> by a exim4 server.
>
> Does this mean:
>     Last week somebody got a username/password for an account at your Exim
>     server.
> ?

>
>> First of all I have changes the passwords of the mail addressees.
>
> Now you've changed the passwords of all mail accounts?
>
>> Is it possible to allow connections for this mail addresses only from
>> certain IP's?
>
> Probably want to restrict the logins to a list of certain IPs?
> It should be sufficient to restrict the authentication offer to
> a list of IPs.
>
>
>     begin authenticators

>
>     # NOT TESTED!

>
>         plain:
>             driver = ..
>             server_condition = ${if and{\
>                 {def:tls_cipher}\
>                 {match_ip{$sender_host_address}{iplsearch;/etc/exim4/hosts-auth-ok}}}}

>
>
>     Best regards from Dresden/Germany
>     Viele Grüße aus Dresden
>     Heiko Schlittermann

>
>
>