[exim] Exim relaying but shouldn't

Inizio della pagina
Delete this message
Reply to this message
Autore: Eric Grammatico
Data:  
To: exim-users
Oggetto: [exim] Exim relaying but shouldn't
Hi There,

I have an Exim server running, and it has been relaying spam....

I cleaned up the spool, updated the Exim version, asked users to change
password and restarted. I didn't find how spamers were able to relay
through my server.

From now, relaying is stopped, but one remain able to relay, here is a
sample line from main.log:

2022-09-26 16:15:24 [10] 1ocotI-00000A-0g <=
#xxxyyyy'uuss+zzz@??? H=(localhost) [45.123.190.53] P=esmtpsa
X=TLS1.2:AES256-GCM-SHA384:256 CV=no A=login_server:#xxxyyyy'uuss+zzz S=736
2022-09-26 16:15:31 [12] 1ocotI-00000A-0g => xxx.xxxx@???
<xxxx.xxxxxx@???> R=dnslookup T=remote_smtp H=xxxxxxx.xxxxxxx.xx
[195.141.89.98] X=TLS1.3:TLS_AES_256_GCM_SHA384:25
6 CV=yes K C="250 2.0.0 Ok: 1599 bytes queued as 4MblCR37H1zlq0LZ"
2022-09-26 16:15:31 [12] 1ocotI-00000A-0g Completed


I don't understand why is it relayed, here are extracts from my config:

---------------------------------------------------------------------------------------------------

#List of domains

domainlist local_domains = grammatico.me
#domainlist local_domains = @ : grammatico.me
domainlist relay_to_domains =
hostlist   relay_from_hosts = 163.172.165.90
#hostlist   relay_from_hosts = localhost : mail.grammatico.me


qualify_domain = grammatico.me


deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[#] : ^[.] : ^.*[@%!/|#+]

deny    message       = Restricted characters in address
          domains       = !+local_domains
          local_parts   = ^[#] : ^[./|] : ^.*[@%!#+] : ^.*/\\.\\./

accept  hosts         = +relay_from_hosts
          control       = submission
          control       = dkim_disable_verify


accept  authenticated = *
          control       = submission
          control       = dkim_disable_verify


require message = relay not permitted
          domains = +local_domains : +relay_to_domains


plain_server:
  driver                     = plaintext
  public_name                = PLAIN
  server_condition = ${run{/bin/sh -c "echo -e '$auth2\n$auth3' |
/usr/sbin/pwauth"}{1}{0}}
  server_set_id              = $auth2
  server_prompts             = :
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif


login_server:
  driver                     = plaintext
  public_name                = LOGIN
  server_condition = ${run{/bin/sh -c "echo -e '$auth1\n$auth2' |
/usr/sbin/pwauth"}{1}{0}}
  server_set_id              = $auth1
  server_prompts             = <| Username: | Password:
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------

Looks like the user #xxxyyyy'uuss+zzz is authenticated, but for sure it
doesn't exist in my /etc/passwd, neither /etc/shadow

I have similar tentatives which are rejected:

2022-09-26 16:27:01 [48] H=mail.saipan.com (saipan.com) [202.128.0.121]
X=TLS1.2:AES256-GCM-SHA384:256 CV=no F=<> rejected RCPT
<"#xxxyyyy'uuss+zzz@???>: Restricted
characters in
 address

Any help would be very appreciated.

Thanks and best regards,

--
_/) Eric.