On 24.02.22 at 22:56, Henry S. Thompson via Exim-users wrote:
> Jeremy Harris via Exim-users <exim-users@???> writes:
>
>> Start with your log. How was 1nKNYR-000bDv-0w submitted?
> 022-02-16 16:53:23
> 1nKNYR-000bDv-0w <= test@??? H=(ogcb16c7f19.openstack local) [103.104.169.173] P=esmtp S=1313
> 1nKNYR-000bDv-0w H=gmail-smtp-in.l.google.com [2a00:1450:400c:c07::1b] Network is unreachable
This means you have an open relay running, not necessarily on port 25,
as the attacker did not use smtp-auth. He has sent the mails directly,
unencrypted and without an auth from an external system.

How to fix:

    acl_check_data:
      deny condition = ${if eq{$authenticated_id}{} {1}{0}}
           domains = ! +local_domains

Explanation: (short version)

    if $authenticated_id == "" AND target-domainname NOT IN ( localdomains ) : reject

If the sender did not use smtp-auth to send a message to an external
domainname (which is everything that is not hosted on your server ->
local_domain), it wasn't you and you don't want this.

If the sender doesn't use smtp-auth and wants to send it to your domain,
you want to accept this message, after the usual spam checks, as it's
for you.

If you have anti-spam, anti-virus or other checks, they may need to be
expanded for "condition = ${if eq{$authenticated_id}{} {1}{0}}" as
those rules need to work in the correct context. Changing your config
accordingly can be a time-consuming task, but you need to check every
single acl, if it needs an expansion for an empty smtp-auth check or a
correctly filled one.

And you need to advertise for auth and you need a login validator like this:

    plain:
      driver = plaintext
      public_name = PLAIN
      server_prompts = :
      server_condition = "${if and { \
          {!eq{$2}{}} \
          {!eq{$3}{}} \
          {eq{1}{ ... check $2 (user) and $3 (pass) against a db or passwdfile ... }} \
        }}"
      server_set_id = $2
      server_advertise_condition = *

The condition fails if: user="" or pass="" or check(user,pass) fails.

The long version of this can be found in the exim docs under
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentication.html
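
A log check to go with the advice above, as an added example that is not part of the original message: it scans Exim main-log lines for messages accepted from a remote host without an `A=` (authenticator) field and then sent to a domain outside the local set. `LOCAL_DOMAINS`, `RELAY_FROM_HOSTS`, the function name and the sample log lines are assumptions constructed for illustration.

```python
import re

# Assumed site values (not from the original post): adjust to your configuration.
LOCAL_DOMAINS = {"example.org"}          # mirrors Exim's +local_domains
RELAY_FROM_HOSTS = {"127.0.0.1", "::1"}  # hosts allowed to relay without AUTH
LINE = re.compile(r"^\S+ \S+ (\w+-\w+-\w+) (<=|=>|->|==|\*\*) (.*)$")

# Constructed sample log lines (documentation addresses, made-up message ids).
SAMPLE_LOG = """\
2022-02-16 16:53:23 1aaaaa-000001-AA <= test@example.org H=(host.local) [198.51.100.7] P=esmtp S=1313
2022-02-16 16:53:24 1aaaaa-000001-AA == someone@example.net R=dnslookup T=remote_smtp defer (101): Network is unreachable
2022-02-16 17:01:02 1aaaaa-000002-AA <= alice@example.org H=(laptop) [203.0.113.9] P=esmtpsa A=plain:alice S=900
2022-02-16 17:01:03 1aaaaa-000002-AA => bob@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.25]
2022-02-16 17:05:10 1aaaaa-000003-AA <= carol@example.net H=mx.example.net [192.0.2.25] P=esmtps S=2048
2022-02-16 17:05:10 1aaaaa-000003-AA => alice <alice@example.org> R=localuser T=local_delivery
""".splitlines()

def find_unauthenticated_relays(lines):
    """Return (msg_id, sender, client_ip, recipient) for relayed mail lacking A=."""
    suspects, hits = {}, []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        msg_id, flag, rest = m.groups()
        tokens = rest.split()
        if flag == "<=":
            # Drop the logged subject: it is sender-controlled and may contain "A=".
            fields = rest.split(' T="')[0]
            # Require whitespace before "[" so a HELO literal like ([127.0.0.1]) is ignored.
            ip = re.search(r"\s\[([0-9A-Fa-f.:]+)\]", fields)
            if tokens and ip and not re.search(r"\sA=\S+", fields) \
                    and ip.group(1) not in RELAY_FROM_HOSTS:
                suspects[msg_id] = (tokens[0], ip.group(1))
        elif msg_id in suspects and tokens:
            # Delivery and deferral lines read "addr ..." or "name <addr> ...".
            named = len(tokens) > 1 and tokens[1].startswith("<")
            addr = tokens[1].strip("<>") if named else tokens[0]
            domain = addr.rpartition("@")[2].lower()
            hit = (msg_id, *suspects[msg_id], addr)
            if "@" in addr and domain not in LOCAL_DOMAINS and hit not in hits:
                hits.append(hit)
    return hits

if __name__ == "__main__":
    for hit in find_unauthenticated_relays(SAMPLE_LOG):
        print("unauthenticated relay: id=%s sender=%s client=%s rcpt=%s" % hit)
```

Any hit means the server accepted mail for a non-local domain from a client that never authenticated, which is the situation the deny rule above is meant to stop.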