[exim] alias forwarding issue...

Author: John Doe
Date:  
To: exim-users@exim.org
Subject: [exim] alias forwarding issue...

Hi,

I received the following shellshock attempt on exim 4.72 (RedHat 6):

----------
Delivered-To: admin@???
...
Return-Path: <support@???>
Received: from ourserver.ourdomain.com (ourserver.ourdomain.com. [111.222.333.444])
        by mx.google.com with ESMTPS id bn6si5779657wjc.154.2014.10.24.09.36.45
        for <admin@???>
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 24 Oct 2014 09:36:46 -0700 (PDT)
Received-SPF: none (google.com: support@??? does not designate permitted sender hosts) client-ip=111.222.333.444;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: support@??? does not designate permitted sender hosts) smtp.mail=support@???;
       dkim=fail header.i=@ourdomain.com
Message-ID: <544a8023.8f59b40a.3abc.53e0SMTPIN_ADDED_BROKEN@???>
X-Google-Original-Message-ID: SHELLSHOCKCOMMANDS
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ourdomain.com; s=default;
    h=Resent-From:Resent-Date:Message-ID:Date:Subject:From:Cc:References:To; bh=...;
    b=...;
Received: from [74.208.184.251] (helo=USER)
    by ourserver.ourdomain.com with smtp (Exim 4.72)
    (envelope-from <support@???>)
    id 1Xhhr3-0002Z3-Fh
    for root@localhost; Fri, 24 Oct 2014 18:36:45 +0200
To:SHELLSHOCKCOMMANDS
References:SHELLSHOCKCOMMANDS
Cc:SHELLSHOCKCOMMANDS
Bcc:SHELLSHOCKCOMMANDS
From:SHELLSHOCKCOMMANDS
Subject:SHELLSHOCKCOMMANDS
Date:SHELLSHOCKCOMMANDS
Comments:SHELLSHOCKCOMMANDS
Keywords:SHELLSHOCKCOMMANDS
Resent-Date:SHELLSHOCKCOMMANDS
Resent-From:SHELLSHOCKCOMMANDS
----------


The recipient was 'root@localhost', which is aliased to 'admin@???'
(gmail), so the mail was "forwarded" as is to gmail, which apparently
thought we pretended to be mata.com.
Is it because of the envelope-from?

What would I need to change/add to/remove from the following config so as not to be
seen as pretending to be the original sender?
While we are at it:
2. prevent a non-local/LAN IP from posting to root@localhost?

----------
domainlist local_domains = @ : localhost : localhost.localdomain : doc.ourdomain.com : blog.ourdomain.com
domainlist relay_to_domains =
hostlist   relay_from_hosts = 127.0.0.1 : 192.168.0.0/16
hide mysql_servers = ...
CHECK_ACCESS = ${lookup mysql ...}
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
acl_smtp_mime = acl_check_mime
av_scanner = clamd:/var/run/clamd.exim/clamd.sock
tls_advertise_hosts = *
tls_certificate = /etc/pki/tls/certs/exim.pem
tls_privatekey = /etc/pki/tls/private/exim.pem
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465
never_users = root
trusted_users = bob
rfc1413_hosts = *
rfc1413_query_timeout = 5s
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d
auth_advertise_hosts =
smtp_accept_max = 40
smtp_accept_reserve = 30
smtp_reserve_hosts = 111.222.333.0/24
begin acl
acl_check_rcpt:
  accept  hosts = :
  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|]
  deny    message       = Restricted characters in address
          domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
  accept  local_parts   = postmaster
          domains       = +local_domains
  accept  hosts         = +relay_from_hosts
          control       = submission
  accept  authenticated = *
          control       = submission
  require message = relay not permitted
          domains = +local_domains : +relay_to_domains
  require verify = recipient
  accept
acl_check_data:
  accept
acl_check_mime:
  deny message = Blacklisted file extension detected
       condition = ${if match \
                        {${lc:$mime_filename}} \
                        {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \
                     {1}{0}}
  accept
begin routers
dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more
system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup{$local_part}lsearch{/etc/aliases}}
  file_transport = address_file
  pipe_transport = address_pipe
localuser_virtual:
  driver = accept
  condition = CHECK_ACCESS
  retry_use_local_part
  transport = local_delivery_virtual
begin transports
remote_smtp:
  driver = smtp
  dkim_domain = ourdomain.com
  dkim_selector = default
  dkim_private_key = /etc/exim/dkim.private.key
  dkim_canon = relaxed
local_delivery_virtual:
  driver = appendfile
  maildir_format
  create_directory
  directory = /DATA/Maildir
  delivery_date_add
  envelope_to_add
  return_path_add
  user = 888
  group = 888
address_pipe:
  driver = pipe
  return_output
address_file:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add
address_reply:
  driver = autoreply
begin retry
*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h
begin rewrite
^.*\.ourdomain\.com  no_reply@???   Frs
^.*\.ourlocaldomain  no_reply@???   SFfrs
begin authenticators
----------


Thx,
JD
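One way to deal with both points, added here as an example that is neither part of the post above nor taken from the Exim distribution: a `deny` statement in `acl_check_rcpt`, placed before the `accept hosts = +relay_from_hosts` statement, rejects `root` in any local domain unless the connecting host is in the existing `relay_from_hosts` list, and `errors_to` on the `system_aliases` router gives the forwarded copy an envelope sender in our own domain, so the receiving site evaluates SPF for `ourdomain.com` rather than for the spoofed original sender. The mailbox `forwarder@ourdomain.com` is an assumption; Exim only honours `errors_to` if that address verifies, so it must exist (here, in the MySQL table behind `CHECK_ACCESS`). Everything not shown stays as in the posted configuration.

```exim
begin acl
acl_check_rcpt:
  accept  hosts = :

  # ... existing "Restricted characters" and postmaster statements unchanged ...

  # Added: root in a local domain is reachable only from hosts we already
  # trust for relaying (127.0.0.1 and 192.168.0.0/16 in the posted config).
  # Locally submitted mail has an empty $sender_host_address and is already
  # accepted by the "accept hosts = :" statement above, so it is unaffected.
  deny    message     = root does not accept mail from outside the LAN
          local_parts = root
          domains     = +local_domains
          !hosts      = +relay_from_hosts

  accept  hosts         = +relay_from_hosts
          control       = submission

  # ... remainder of acl_check_rcpt unchanged ...

begin routers
system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup{$local_part}lsearch{/etc/aliases}}
  file_transport = address_file
  pipe_transport = address_pipe
  # Added (assumption: forwarder@ourdomain.com is a real, routable mailbox).
  # Addresses generated by /etc/aliases leave with this envelope sender,
  # so a downstream SPF check is made against ourdomain.com, and bounces
  # for forwarded mail come back to us instead of to the original sender.
  errors_to = forwarder@ourdomain.com
```

The `deny` uses the negated condition form (`!hosts`) so it does not depend on its position relative to the later `accept` statements; it only has to precede the final unconditional `accept`. The `errors_to` change affects every address generated from `/etc/aliases`, pipe and file deliveries included, so bounces for those land in the forwarder mailbox as well; if that is unwanted, a second redirect router that matches only the forwarded aliases can carry the option instead.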