Re: [exim] Hit with some kind of hidden multiple recipients …

Author: Cyborg
To: exim-users
Subject: Re: [exim] Hit with some kind of hidden multiple recipients relay hack?
On 24.02.22 at 22:56, Henry S. Thompson via Exim-users wrote:
> Jeremy Harris via Exim-users <exim-users@???> writes:
>
>> Start with your log. How was 1nKNYR-000bDv-0w submitted?
> 2022-02-16 16:53:23 1nKNYR-000bDv-0w <= test@??? H=(ogcb16c7f19.openstack local) [103.104.169.173] P=esmtp S=1313
> 1nKNYR-000bDv-0w H=gmail-smtp-in.l.google.com [2a00:1450:400c:c07::1b] Network is unreachable

This means you have an open relay running, not necessarily on port 25,
as the attacker did not use smtp-auth. He has sent the mails directly,
unencrypted and without auth, from an external system.

How to fix:

acl_check_rcpt:

  # the domains condition is only valid in the RCPT (and VRFY) ACL,
  # so this check belongs in acl_check_rcpt rather than acl_check_data
  deny    condition = ${if eq{$authenticated_id}{} {1}{0}}
          domains   = ! +local_domains


Explanation (short version):

if $authenticated_id == "" AND target domain NOT IN ( local_domains ): reject

If the sender did not use smtp-auth to send a message to an external
domain name (which is everything that is not hosted on your server, i.e.
not in local_domains), it wasn't you and you don't want this.

If the sender doesn't use smtp-auth and wants to send it to your domain,
you want to accept this message, after the usual spam checks, as it's
for you.

If you have anti-spam, anti-virus or other checks, they may need to be
expanded with "condition = ${if eq{$authenticated_id}{} {1}{0}}", as
those rules need to work in the correct context. Changing your config
accordingly can be a time-consuming task, but you need to check every
single ACL to see whether it needs an expansion for an empty smtp-auth
check or a correctly filled one.

And you need to advertise AUTH, and you need a login validator like this:

plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  # $2 is the user, $3 the password; the inner placeholder is where your
  # own lookup against a db or password file goes
  server_condition = "${if and { \
                        {!eq{$2}{}} \
                        {!eq{$3}{}} \
                        {eq{1}{ ... check $2 (user) and $3 (pass) against a db or passwd file ... }} \
                      }}"
  server_set_id = $2
  server_advertise_condition = *

The condition fails if: user == "" or pass == "" or check(user, pass) fails.

The long version of this can be found in the Exim docs at
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentication.html
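An added example, not part of Cyborg's post or of Exim's own code: a Python mirror of the ACL decision described in the post (empty $authenticated_id AND recipient domain not in local_domains means deny), applied to Exim mainlog lines so an admin can audit past logs for messages that were accepted without SMTP AUTH and went on to external recipients, as in the log excerpt quoted above. The local domain example.org, the client IPs and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed stand-in for Exim's +local_domains list.
LOCAL_DOMAINS = {"example.org"}

# Exim message ids look like 1nKNYR-000bDv-0w: three base-62 groups.
MSGID = r"(?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})"
ARRIVAL = re.compile(r"^\S+ \S+ " + MSGID + r" <= (?P<sender>\S+) (?P<rest>.*)$")
# "=>" delivered, "==" deferred, "**" failed: all carry the recipient address.
RCPT = re.compile(r"^\S+ \S+ " + MSGID + r" (?:=>|==|\*\*) (?P<rcpt>\S+)")

def relay_denied(authenticated_id, domain):
    """The ACL from the post: deny if no AUTH id and the domain is not ours."""
    return authenticated_id == "" and domain.lower() not in LOCAL_DOMAINS

def find_open_relay_use(lines):
    """Correlate '<=' arrival lines with recipient lines by message id; return
    (msgid, client_ip, external_domains) for unauthenticated relayed mail."""
    arrivals, rcpts = {}, defaultdict(set)
    for line in lines:
        m = ARRIVAL.match(line)
        if m:
            rest = m.group("rest")
            auth = re.search(r"\bA=(\S+)", rest)     # A=<authenticator>:<id>, absent without SMTP AUTH
            host = re.search(r"\[([^\]]+)\]", rest)  # client IP following H=
            arrivals[m.group("id")] = (auth.group(1) if auth else "",
                                      host.group(1) if host else "")
            continue
        m = RCPT.match(line)
        if m and "@" in m.group("rcpt"):
            rcpts[m.group("id")].add(m.group("rcpt").rsplit("@", 1)[1])
    hits = []
    for mid, (auth_id, ip) in arrivals.items():
        external = sorted(d for d in rcpts[mid] if relay_denied(auth_id, d))
        if external:
            hits.append((mid, ip, external))
    return hits

# Constructed mainlog excerpt: a relay abuse, an authenticated user, and inbound mail for us.
SAMPLE_LOG = """\
2022-02-16 16:53:23 1nKNYR-000bDv-0w <= test@attacker.invalid H=(ogcb16c7f19.openstack local) [203.0.113.5] P=esmtp S=1313
2022-02-16 16:53:24 1nKNYR-000bDv-0w == victim@example.com R=dnslookup T=remote_smtp defer (101): Network is unreachable
2022-02-16 17:01:02 1nKNsZ-000bE1-3k <= alice@example.org H=(laptop) [198.51.100.7] P=esmtpsa A=plain:alice S=2048
2022-02-16 17:01:03 1nKNsZ-000bE1-3k => bob@example.com R=dnslookup T=remote_smtp H=mx.example.com [192.0.2.25]
2022-02-16 17:05:10 1nKNwa-000bE9-1Q <= news@somewhere.test H=(mx.somewhere.test) [192.0.2.9] P=esmtp S=900
2022-02-16 17:05:11 1nKNwa-000bE9-1Q => carol@example.org R=localuser T=local_delivery
"""
```

Only the first message is reported: the second carried A=plain:alice, and the third was unauthenticated but addressed to a local domain, which the ACL accepts.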