Hi,
I received the following Shellshock attempt on Exim 4.72 (RedHat 6):
----------
Delivered-To: admin@???
...
Return-Path: <support@???>
Received: from ourserver.ourdomain.com (ourserver.ourdomain.com. [111.222.333.444])
by mx.google.com with ESMTPS id bn6si5779657wjc.154.2014.10.24.09.36.45
for <admin@???>
(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Fri, 24 Oct 2014 09:36:46 -0700 (PDT)
Received-SPF: none (google.com: support@??? does not designate permitted sender hosts) client-ip=111.222.333.444;
Authentication-Results: mx.google.com;
spf=neutral (google.com: support@??? does not designate permitted sender hosts) smtp.mail=support@???;
dkim=fail header.i=@ourdomain.com
Message-ID: <544a8023.8f59b40a.3abc.53e0SMTPIN_ADDED_BROKEN@???>
X-Google-Original-Message-ID: SHELLSHOCKCOMMANDS
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ourdomain.com; s=default;
h=Resent-From:Resent-Date:Message-ID:Date:Subject:From:Cc:References:To; bh=...;
b=...;
Received: from [74.208.184.251] (helo=USER)
by ourserver.ourdomain.com with smtp (Exim 4.72)
(envelope-from <support@???>)
id 1Xhhr3-0002Z3-Fh
for root@localhost; Fri, 24 Oct 2014 18:36:45 +0200
To:SHELLSHOCKCOMMANDS
References:SHELLSHOCKCOMMANDS
Cc:SHELLSHOCKCOMMANDS
Bcc:SHELLSHOCKCOMMANDS
From:SHELLSHOCKCOMMANDS
Subject:SHELLSHOCKCOMMANDS
Date:SHELLSHOCKCOMMANDS
Comments:SHELLSHOCKCOMMANDS
Keywords:SHELLSHOCKCOMMANDS
Resent-Date:SHELLSHOCKCOMMANDS
Resent-From:SHELLSHOCKCOMMANDS
----------
The recipient was 'root@localhost', which is aliased to 'admin@???'
(gmail), so the mail was "forwarded" as-is to gmail, which apparently
thought we were pretending to be mata.com.
Is it because of the envelope-from?
What would I need to change/add to/remove from the following config so as not to be
seen as pretending to be the original sender?
While we are at it:
2. How do I prevent a non-local/LAN IP from posting to root@localhost?
----------
domainlist local_domains = @ : localhost : localhost.localdomain : doc.ourdomain.com : blog.ourdomain.com
domainlist relay_to_domains =
hostlist relay_from_hosts = 127.0.0.1 : 192.168.0.0/16
hide mysql_servers = ...
CHECK_ACCESS = ${lookup mysql ...}
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
acl_smtp_mime = acl_check_mime
av_scanner = clamd:/var/run/clamd.exim/clamd.sock
tls_advertise_hosts = *
tls_certificate = /etc/pki/tls/certs/exim.pem
tls_privatekey = /etc/pki/tls/private/exim.pem
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465
never_users = root
trusted_users = bob
rfc1413_hosts = *
rfc1413_query_timeout = 5s
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d
auth_advertise_hosts =
smtp_accept_max = 40
smtp_accept_reserve = 30
smtp_reserve_hosts = 111.222.333.0/24
begin acl

acl_check_rcpt:
  # Empty host list: matches only submissions with no remote host (local, non-TCP).
  accept  hosts = :

  deny    message     = Restricted characters in address
          domains     = +local_domains
          local_parts = ^[.] : ^.*[@%!/|]

  deny    message     = Restricted characters in address
          domains     = !+local_domains
          local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

  accept  local_parts = postmaster
          domains     = +local_domains

  # Hosts in relay_from_hosts (127.0.0.1, 192.168.0.0/16) may relay anywhere.
  accept  hosts   = +relay_from_hosts
          control = submission

  accept  authenticated = *
          control       = submission

  require message = relay not permitted
          domains = +local_domains : +relay_to_domains

  require verify = recipient

  # Anything else addressed to a local domain (including root@localhost
  # from any remote host) is accepted here.
  accept

acl_check_data:
  accept

acl_check_mime:
  deny    message   = Blacklisted file extension detected
          condition = ${if match \
                        {${lc:$mime_filename}} \
                        {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \
                        {1}{0}}
  accept

begin routers

dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more

system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup{$local_part}lsearch{/etc/aliases}}
  file_transport = address_file
  pipe_transport = address_pipe

localuser_virtual:
  driver = accept
  condition = CHECK_ACCESS
  retry_use_local_part
  transport = local_delivery_virtual

begin transports

# Everything leaving through this transport is DKIM-signed with d=ourdomain.com,
# including mail the system_aliases router forwards to outside addresses.
remote_smtp:
  driver = smtp
  dkim_domain = ourdomain.com
  dkim_selector = default
  dkim_private_key = /etc/exim/dkim.private.key
  dkim_canon = relaxed

local_delivery_virtual:
  driver = appendfile
  maildir_format
  create_directory
  directory = /DATA/Maildir
  delivery_date_add
  envelope_to_add
  return_path_add
  user = 888
  group = 888

address_pipe:
  driver = pipe
  return_output

address_file:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add

address_reply:
  driver = autoreply
begin retry
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
begin rewrite
^.*\.ourdomain\.com no_reply@??? Frs
^.*\.ourlocaldomain no_reply@??? SFfrs
begin authenticators
----------
Thx,
JD
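To put the two questions next to the headers they come from, here is an added example in Python; it is not code from the post, from Exim, or from the list. It scans every header of a raw message for the Shellshock signature `() {` and reads the Received: line our own Exim added to see whether the submitting client lies inside the posted relay_from_hosts ranges (127.0.0.1 and 192.168.0.0/16), which is exactly the condition question 2 wants the RCPT ACL to enforce. The host name ourserver.ourdomain.com, the client address 74.208.184.251 and the Exim message id are taken from the headers in the post; the sample message itself, its envelope-from support@example.invalid and the harmless `/bin/true` payload standing in for SHELLSHOCKCOMMANDS are constructed.

```python
"""Added example (not part of JD's post): scan a raw message's headers for
Shellshock-style bash function definitions and check whether the host that
handed the message to our Exim is inside the posted relay_from_hosts ranges."""
import ipaddress
import re
from email import message_from_string

# Shellshock (CVE-2014-6271 family) payloads begin with an exported bash
# function definition: "() {" followed by a body and the trailing commands.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Client address in an Exim "Received: from [1.2.3.4] (helo=...)" header.
RECEIVED_IP_RE = re.compile(r"^from\s+\[([0-9a-f.:]+)\]")

# hostlist relay_from_hosts from the posted config.
RELAY_FROM_HOSTS = [ipaddress.ip_network("127.0.0.1/32"),
                    ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample modelled on the headers in the post: the client address,
# relaying host and message id are from there; the envelope-from is made up
# and a function definition followed by /bin/true replaces SHELLSHOCKCOMMANDS.
SAMPLE = """\
Received: from [74.208.184.251] (helo=USER)
\tby ourserver.ourdomain.com with smtp (Exim 4.72)
\t(envelope-from <support@example.invalid>)
\tid 1Xhhr3-0002Z3-Fh
\tfor root@localhost; Fri, 24 Oct 2014 18:36:45 +0200
To:() { :; }; /bin/true
From:() { :; }; /bin/true
Subject:() { :; }; /bin/true
Date:() { :; }; /bin/true

body
"""


def shellshock_headers(raw):
    """Names of all headers (in order, duplicates included) whose value
    carries a bash function definition."""
    msg = message_from_string(raw)
    return [name for name, value in msg.items()
            if SHELLSHOCK_RE.search(str(value))]


def submitting_client(raw, our_host):
    """IP that handed the message to our_host, read from the Received:
    line whose 'by' clause names our own MTA; None if there is no such hop."""
    msg = message_from_string(raw)
    for hop in msg.get_all("Received", []):
        hop = " ".join(hop.split())          # unfold the continuation lines
        if f"by {our_host}" not in hop:
            continue
        m = RECEIVED_IP_RE.match(hop)
        if m:
            return m.group(1)
    return None


def is_relay_from_host(ip):
    """True if ip falls inside the config's relay_from_hosts list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RELAY_FROM_HOSTS)


def assess(raw, our_host="ourserver.ourdomain.com"):
    """Both checks in one verdict: which headers are tainted and whether the
    submitting client would have matched +relay_from_hosts in the RCPT ACL."""
    client = submitting_client(raw, our_host)
    return {
        "shellshock_headers": shellshock_headers(raw),
        "client_ip": client,
        "client_is_local": client is not None and is_relay_from_host(client),
    }


if __name__ == "__main__":
    print(assess(SAMPLE))
```

Run as-is, assess(SAMPLE) reports the four tainted headers and a client that is not local; against a real mailbox, feed each message's raw text in turn. The pair of conditions it evaluates, a sender host outside relay_from_hosts and a recipient of root@localhost, are the same two facts an Exim deny statement in acl_check_rcpt would test with its hosts, local_parts and domains conditions.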