CB 2.0: exim does not check that a local user is authorized to send e-mails

brtkm (Verified User, joined Jul 17, 2014, 20 messages)
Hello,

In CB 2.0 exim does not check that a local user is authorized to send e-mails.

For example, you can send e-mail from [email protected] to [email protected] without any auth (spammers are using this trick).

OURSERVER.COM - our server
HELLO.COM - a spammer from the internal network (in this case RBL and the other ESF checks do not block him)
[email protected] - a user which exists on OURSERVER.COM

Code:
telnet OURSERVER.COM 25
Trying 8.8.8.8...
Connected to OURSERVER.COM.
Escape character is '^]'.
220 SMTP
ehlo HELLO.COM
250-OURSERVER.COM Hello HELLO.COM [8.8.4.4]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
mail from: [email protected]
250 OK
rcpt to: [email protected]
250 Accepted
data
354 Enter message, ending with "." on a line by itself
Subject: URGENT BANK TRANSFER

Fix for this issue (should be added to exim.conf):

Code:
# Poster's fix for exim.conf: reject an unauthenticated session whose
# envelope sender claims a domain that is hosted on this server.
deny hosts = +auth_relay_hosts
     # the lower-cased sender domain is listed in /etc/virtual/domains
     condition = ${if eq{${lookup{${lc:$sender_address_domain}}partial1-lsearch{/etc/virtual/domains}{true}{false}}}{true}}
     message = authentication required / you try send e-mail without AUTH
     # ... and the client has not authenticated with SMTP AUTH
     !authenticated = *

Final effect:

Code:
$ telnet OURSERVER.COM 25
Trying 8.8.8.8...
Connected to OURSERVER.COM.
Escape character is '^]'.
220 SMTP
ehlo HELLO.COM
250-OURSERVER.COM Hello HELLO.COM [8.8.4.4]
250-SIZE 104857600
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
mail from: [email protected]
250 OK
rcpt to: [email protected]
550 authentication required / you try send e-mail without AUTH

SPF in most cases is by default with ~ and not with -, so SPF is not a solution for this issue.

What do you think about this case?
Hello,

Here is what John replied when I asked him the same question a while ago:

Authentication is only required if the "RCPT TO" is not local to the server you're connected to. If RCPT TO exists on the box you're connected to, no authentication is required. This is how a server receives email from external servers. A server cannot hand out a user/pass to everyone that wants to send them an email.


Similar thread: http://forum.directadmin.com/showthread.php?t=52044
Post #8 http://forum.directadmin.com/showthread.php?t=52044&p=267665#post267665
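An added example (my own code, not the poster's fix and not Exim itself): a small offline Python model of the RCPT TO decision for the default policy John describes and for the deny rule from the first post. It shows that the rule blocks the unauthenticated spoofed local sender while inbound mail from external domains and authenticated submissions still pass. The domain list, the addresses and the partial1-lsearch approximation are assumptions.

```python
# Constructed stand-in for /etc/virtual/domains (one hosted domain per line).
LOCAL_DOMAINS = {"ourserver.com", "*.ourserver.com"}


def partial_lookup(domain, local_domains):
    """Approximation (my reading of the Exim spec) of partial1-lsearch:
    try the full lower-cased key, then '*.suffix' down to one component."""
    key = domain.lower()                      # mirrors ${lc:$sender_address_domain}
    if key in local_domains:
        return True
    parts = key.split(".")
    for i in range(1, len(parts)):            # partial1: keep at least one component
        if "*." + ".".join(parts[i:]) in local_domains:
            return True
    return False


def acl_check_rcpt(sender, rcpt, authenticated, local_domains, require_auth=False):
    """Return the SMTP reply to RCPT TO.

    Default policy (John's description): mail to a local mailbox is always
    accepted; authentication is only needed to relay to a remote domain.
    With require_auth=True the poster's 'deny' rule is evaluated first: an
    unauthenticated client may not use a locally hosted envelope-from domain.
    """
    sender_domain = sender.rsplit("@", 1)[-1]
    rcpt_domain = rcpt.rsplit("@", 1)[-1]
    # Poster's rule: !authenticated = *  AND  sender domain in /etc/virtual/domains
    if require_auth and not authenticated and partial_lookup(sender_domain, local_domains):
        return "550 authentication required / you try send e-mail without AUTH"
    # Inbound delivery: recipient is local, so any MTA may hand us the mail.
    if partial_lookup(rcpt_domain, local_domains):
        return "250 Accepted"
    # Relay to a remote domain is only allowed for authenticated clients.
    if authenticated:
        return "250 Accepted"
    return "550 relay not permitted"


if __name__ == "__main__":
    spoof = ("user@ourserver.com", "user@ourserver.com")  # constructed addresses
    print("default :", acl_check_rcpt(*spoof, False, LOCAL_DOMAINS))
    print("with fix:", acl_check_rcpt(*spoof, False, LOCAL_DOMAINS, require_auth=True))
```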
 
Maybe this can be useful: are you sure you have nothing in your whitelist?

cat /etc/virtual/whitelist*

Maybe you've whitelisted the domain.

Regards
 
OK, never mind, I've just tested it and I've got the same result with no whitelist file.

Code:
telnet 93.63.162.60 25
Trying 93.63.162.60...
Connected to 93.63.162.60.
Escape character is '^]'.
220 Orange01.CrazyNetwork.it ESMTP Exim 4.87 Mon, 25 Jul 2016 16:15:14 +0200
ehlo AMAZON-WEB-SERVICES-SERVER-DNS
250-Orange01.CrazyNetwork.it Hello AMAZON-WEB-SERVICES-SERVER-DNS
250-SIZE 26214400
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
mail from: [email protected]
250 OK
rcpt to: [email protected]
250 Accepted
data
354 Enter message, ending with "." on a line by itself
Subject: URGENT BANK TRANSFER
.
550-Your message was classified as SPAM.  Please add more content, cut down on
550-HTML links, use fewer naughty words etc.  Also, ask your IT dept to make
550-sure your mailserver has REVERSEDNS, SPF and is not on any black lists.
550 Your score: 118
Connection closed by foreign host.

I guess that forcing authentication also for internal e-mail would actually be very useful.

Regards