I do believe that whitelist_domains has its uses and would not want to see that functionality go away but at the same time I can understand people's frustration with the open relaying hole it causes.
When I installed the Spamblocker 2 upgrade I followed the instructions here...
http://www.directadmin.com/forum/showthread.php?s=&threadid=10036&highlight=spamblocker
There is nothing in these instructions that indicated any potential security risk and nothing in the documentation inside the exim.conf file I have either (my version is SpamBlocker.exim.conf.2.0-release).
I understand that it is only a risk if people can guess what domains you have whitelisted, but considering the problems that gmail (and others) have had keeping off of blocklists, I would guess that many of us have included gmail.com in the whitelist file. If I was a hacker looking for an open relay, that is where I would start.
I was lucky, I don't believe my server was ever exploited that way (except by me as a test to determine that the problem did indeed exist.)
It seems that the solution is fairly simple: include some code like the following in the exim.conf file to check for forged headers. You will need one entry like this for each domain in your whitelist_domains file.
Code:
  # Drop the connection when the envelope sender claims a whitelisted domain
  # but the connecting host's reverse DNS name is not in that domain (an empty
  # name, i.e. no reverse DNS, also fails the match and is dropped).
  drop message   = Forged Gmail, connection denied!
       senders   = *@gmail.com
       condition = ${if match {$sender_host_name}{\N(^|\.)gmail\.com$\N}{no}{yes}}
       delay     = 20s
I believe that the best place to insert this is after "accept hosts = :" in the "local source whitelist" section and before the "sender domains whitelist" section in /etc/exim.conf. If you put them after the "sender domains whitelist" section I don't think they will work because exim will accept the email before checking for the forged header.
More information on this can be found here...
http://www.directadmin.com/forum/sh...7&perpage=20&highlight=delay 20s&pagenumber=4
Thank you to xemaps for his work on this and to Jeff for providing us with SpamBlocker in the first place.
It seems to me that it may be a good idea to include the forged mail checks in the default exim.conf file for some of the major domains (like gmail and paypal). I would think that doing so could help block email from scammers engaging in phishing schemes.
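As an added example (not code from the post above or from SpamBlocker), the script below models the ACL logic in Python so the check can be exercised offline on constructed connection records, and renders one drop stanza per whitelisted domain in the shape of the posted snippet. It shows two caveats a practitioner would want before deploying the check: a regex like `gmail.com$` is not anchored at the start and has an unescaped dot, so a reverse name such as `evilgmail.com` passes it; and the reverse DNS name of a legitimate sending MTA is not necessarily under the sender domain itself (Gmail's outbound hosts identify under google.com), so the trusted suffix has to be taken from real Received: headers rather than from the whitelisted domain. The `TRUSTED_RDNS` mapping and all sample hosts are assumptions constructed for illustration; verify them against your own mail logs.

```python
"""Forged-sender check behind a whitelist_domains entry.

Added example: models the exim ACL condition from the forum post so the
naive and hardened regexes can be compared on constructed input.
"""
import re

# Constructed mapping (assumption, not from the post): whitelisted sender
# domain -> reverse DNS suffixes its legitimate MTAs connect from.
TRUSTED_RDNS = {
    "gmail.com": ("google.com",),
    "paypal.com": ("paypal.com",),
}

# Constructed sample connections: (envelope sender, $sender_host_name).
SAMPLES = [
    ("alice@gmail.com", "mail-wr1-f41.google.com"),   # genuine Gmail MTA
    ("alice@gmail.com", "evilgmail.com"),             # forged, lookalike rDNS
    ("alice@gmail.com", ""),                          # forged, no reverse DNS
    ("bob@example.org", "smtp.example.net"),          # not whitelisted at all
]


def sender_domain(addr):
    """Return the lower-cased domain part of an envelope sender address."""
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def naive_is_forged(sender, host_name):
    """Mirror the posted condition with the whitelisted domain substituted
    into '<domain>$': no start anchor, unescaped dot (kept on purpose)."""
    dom = sender_domain(sender)
    if dom not in TRUSTED_RDNS:
        return False  # check only applies to whitelisted sender domains
    return re.search(dom + "$", host_name or "") is None


def hardened_is_forged(sender, host_name):
    """Anchored, escaped suffix match against the trusted rDNS suffixes.
    An empty host name (no reverse DNS) counts as forged, because the
    whitelist would otherwise relay for it unverified."""
    dom = sender_domain(sender)
    if dom not in TRUSTED_RDNS:
        return False
    if not host_name:
        return True
    host = host_name.lower().rstrip(".")
    for suffix in TRUSTED_RDNS[dom]:
        if re.search(r"(^|\.)" + re.escape(suffix) + r"$", host):
            return False
    return True


def run_samples(samples=SAMPLES):
    """Classify each sample with both checks; returns a list of
    (sender, host_name, naive_verdict, hardened_verdict)."""
    return [(s, h, naive_is_forged(s, h), hardened_is_forged(s, h))
            for s, h in samples]


def render_exim_acl(trusted=TRUSTED_RDNS):
    """Emit one drop stanza per whitelisted domain, in the shape of the
    posted snippet but with an anchored, escaped regex."""
    lines = []
    for dom, suffixes in trusted.items():
        alt = "|".join(re.escape(s) for s in suffixes)
        lines += [
            f"drop message   = Forged {dom} sender, connection denied!",
            f"     senders   = *@{dom}",
            "     condition = ${if match {$sender_host_name}"
            f"{{\\N(^|\\.)({alt})$\\N}}{{no}}{{yes}}}}",
            "     delay     = 20s",
            "",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    for sender, host, naive, hard in run_samples():
        print(f"{sender:18} {host or '<no rDNS>':26} "
              f"naive={'forged' if naive else 'ok':6} "
              f"hardened={'forged' if hard else 'ok'}")
    print()
    print(render_exim_acl())
```

The rendered stanzas still belong where the post says: after `accept hosts = :` in the local source whitelist section and before the sender domains whitelist section, since a later position would be reached only after the whitelist has already accepted the message. Keep the `TRUSTED_RDNS` entries in step with the whitelist_domains file; a whitelisted domain with no stanza is exactly the relay hole the post describes.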