AUTH_BLOCK_SENDER_SPOOFING granular config-support

shanti (Verified User, joined Apr 8, 2009, Vienna, Austria)
Hi,

since the introduction of Exim's AUTH_BLOCK_SENDER_SPOOFING in v1.680, some customers' mail clients and web apps cannot send via that "old" way anymore, resulting in corresponding Exim reject errors.

I would like to see a change in this code to accept granular configs like

/etc/virtual/example.com/spoofing_allowed

Code:
# Format: authenticated_user:allowed_sender_address
[email protected]:[email protected]
[email protected]:[email protected]

and the implementation of an additional check like

Code:
        # NEW: Allow configured spoofing exceptions per domain.
        # The lsearch key is the authenticated user and the data is the one
        # sender address that user may use; "no" means do not block.
        condition = ${if exists{/etc/virtual/${domain:$sender_address}/spoofing_allowed}\
                      {${if eqi{${lookup{$authenticated_id}lsearch{/etc/virtual/${domain:$sender_address}/spoofing_allowed}{$value}{}}}{$sender_address}{no}{yes}}}\
                      {yes}\
                    }

to allow more control here, because this new limitation, though great, forces many web apps to change. It would be nice to not just implement that temporarily.

RFC
br
-c-
 
I'm pretty sure shanti did check it and discovered it's either on or off. Not granular.
Isn't granular another word for "detailed"? Because yes, it's on or off. Off is the old way. I'm not a native English speaker and so don't understand what difference granular would make.
As far as I understood, Shanti was not aware he could easily switch it off again, but of course I could be wrong due to this fact.

Unless he means to make multiple different options, but in that case he needs to be on the feedback forum for new suggestions. Or use customisations.
 
Thanks for sharing @shanti. We're not yet sure if this should be part of the standard exim config file.

By the way, there is no need to have a custom exim.conf to use it. You can set this condition in the AUTH_BLOCK_SENDER_SPOOFING macro inside the /etc/exim.variables.conf.custom file. Instead of yes or no, it can be this long expression that allows sender spoofing for some of the users without any further checks.

Example /etc/exim.variables.conf.custom:

Code:
# lsearch key: the authenticated user; data: the one sender address that user may use.
# Expands to "no" (allow) when the pair matches and to "yes" (block) otherwise.
AUTH_BLOCK_SENDER_SPOOFING = ${if exists{/etc/virtual/${domain:$sender_address}/spoofing_allowed}{${if eqi{${lookup{$authenticated_id}lsearch{/etc/virtual/${domain:$sender_address}/spoofing_allowed}{$value}{}}}{$sender_address}{no}{yes}}}{yes}}
 
Excellent! Thank you very much for this input, very helpful!

@fln:
Can the same system also be used for these features?

Background: We scanned the servers for plain connections and wrote to customers informing them that they need to switch over. However, a few customers are unable to do so, which is why we have not activated it globally yet.

I would also be interested to know: are files that were not created by DA automatically included in /etc/virtual/${domain:$sender_address} by the DA user backup?
 
@Rolf B, yes, for AUTH_ENABLE_CONDITION (Exim config). The Exim macros can contain any valid Exim string expansion expression. The docs already have an example where the condition allows unencrypted connections from localhost.

Dovecot configuration is slightly different. Exceptions for Dovecot can be made with the login_trusted_networks configuration option. However, this option not only allows clients to skip TLS but also lets them impersonate the sender IP address. It should only be used for really trusted clients.
 
Example /etc/exim.variables.conf.custom:

Code:
# lsearch key: the authenticated user; data: the one sender address that user may use.
# Expands to "no" (allow) when the pair matches and to "yes" (block) otherwise.
AUTH_BLOCK_SENDER_SPOOFING = ${if exists{/etc/virtual/${domain:$sender_address}/spoofing_allowed}{${if eqi{${lookup{$authenticated_id}lsearch{/etc/virtual/${domain:$sender_address}/spoofing_allowed}{$value}{}}}{$sender_address}{no}{yes}}}{yes}}
What would be the contents (format) of /etc/virtual/${domain:$sender_address}/spoofing_allowed?
 
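As an added example for this thread (not code from the forum posts, from DirectAdmin or from Exim), the following Python script is an offline dry run of the decision the AUTH_BLOCK_SENDER_SPOOFING macro above makes, so an administrator can check a spoofing_allowed file before putting it on a server. It re-implements only as much of Exim's lsearch matching as the macro relies on; the temporary directory standing in for /etc/virtual, the sample file and the addresses are constructed for the example. It also shows the file format the macro expects, one authenticated_user:allowed_sender_address line per user, and the first-match-wins behaviour of lsearch, which silently ignores a second line for the same user.

```python
"""Offline dry run of the per-domain sender-spoofing exception lookup.

Added example for this thread, not DirectAdmin's or Exim's own code.  It
re-implements the decision made by the AUTH_BLOCK_SENDER_SPOOFING macro:
look up /etc/virtual/<sender domain>/spoofing_allowed as an lsearch file
keyed by the authenticated user, and allow the sender address only if it
equals that user's configured address.  The directory root, the sample
file and the addresses are constructed for the example.
"""
import os
import tempfile

# Constructed sample file in the format proposed in the thread.  Exim's
# lsearch only ever returns the first line whose key matches, so the second
# line for crm@example.com below is never consulted.
SAMPLE_SPOOFING_ALLOWED = """\
# Format: authenticated_user:allowed_sender_address
shop@example.com:noreply@example.com
crm@example.com:sales@example.com
# shadowed by the line above: lsearch stops at the first match
crm@example.com:support@example.com
"""


def lsearch(path, key):
    """Return the data of the first line whose key matches, or None.

    Minimal re-implementation of the lsearch rules that matter here: blank
    and '#' lines are skipped, an unquoted key ends at the first colon or
    whitespace, the rest of the line (stripped) is the data, first match
    wins.  Quoted keys and continuation lines are not supported, and keys
    are compared case-insensitively (an assumption made for this example).
    """
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            end = 0
            while end < len(line) and line[end] != ":" and not line[end].isspace():
                end += 1
            line_key, rest = line[:end], line[end:].lstrip()
            if rest.startswith(":"):
                rest = rest[1:]
            if line_key.lower() == key.lower():
                return rest.strip()
    return None


def block_sender_spoofing(virtual_root, authenticated_id, sender_address):
    """Return "yes" (block) or "no" (allow), like the macro.

    virtual_root stands in for /etc/virtual.  The file is taken from the
    domain of the *sender* address, as ${domain:$sender_address} does, so a
    cross-domain exception belongs in the file of the domain being sent as.
    """
    domain = sender_address.rpartition("@")[2] if "@" in sender_address else ""
    path = os.path.join(virtual_root, domain, "spoofing_allowed")
    if not domain or not os.path.exists(path):   # ${if exists{...}} false -> yes
        return "yes"
    allowed = lsearch(path, authenticated_id)    # ${lookup{$authenticated_id}lsearch{...}{$value}{}}
    if allowed is not None and allowed.lower() == sender_address.lower():  # ${if eqi{...}{$sender_address}}
        return "no"
    return "yes"


def lint_spoofing_allowed(path):
    """List lines the lookup would ignore or misread (duplicate or dataless keys)."""
    problems, seen = [], set()
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, sep, data = line.partition(":")
            key = key.strip().lower()
            if not sep or not data.strip():
                problems.append(f"line {lineno}: no allowed sender address after {key!r}")
            elif key in seen:
                problems.append(f"line {lineno}: {key!r} already listed, this line is never consulted")
            seen.add(key)
    return problems


def run_demo():
    """Write the sample file under a temporary /etc/virtual and evaluate cases."""
    with tempfile.TemporaryDirectory() as root:
        domain_dir = os.path.join(root, "example.com")
        os.makedirs(domain_dir)
        path = os.path.join(domain_dir, "spoofing_allowed")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_SPOOFING_ALLOWED)

        def check(user, sender):
            return block_sender_spoofing(root, user, sender)

        return {
            "configured exception": check("shop@example.com", "noreply@example.com"),  # no
            "case differs (eqi)": check("shop@example.com", "NoReply@example.com"),    # no
            "not configured": check("shop@example.com", "sales@example.com"),          # yes
            "shadowed second line": check("crm@example.com", "support@example.com"),   # yes
            "first line for crm": check("crm@example.com", "sales@example.com"),       # no
            "no file for domain": check("shop@example.com", "shop@other.test"),        # yes
            "lint": lint_spoofing_allowed(path),
        }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case}: {result}")
```

Run it with python3 and it prints yes (block) or no (allow) for each constructed case. Two points to keep in mind when moving from the dry run to Exim: the macro takes the domain exactly as it appears in $sender_address, so it is the sender domain's file, not the authenticated user's domain, that is consulted; and on Exim 4.94 and later $sender_address is tainted and may not be used directly in a lookup file name, so the domain should be de-tainted first (for instance with a dsearch lookup against /etc/virtual) before the macro is deployed. Verify the final expansion on the server with exim -be rather than trusting the dry run alone.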