Exim 4 configuration suggestion (sender/recipient verification)

wKkaY (Verified User, joined Jul 1, 2004, KL, Malaysia) wrote:
It's pretty obvious that an exim3 -> exim4 converter script was used to generate the configuration file for DA's exim setup. IMHO it didn't include some crucial options.

Firstly, there would be sender and recipient verification.

The way it is configured now, I could send mail from whatever envelope sender I want. With sender verification, it at least restricts me to sending from valid domains.

Recipient verification is another important feature that needs to be in. I don't understand why no one has raised this issue before. Anyway, as it is now, exim will accept mail to *any* recipient for domains that it serves. What happens next, if the recipient doesn't exist, is that a bounce mail is generated and sent to the envelope sender.

A better solution would be to reject the mail at SMTP time, right after RCPT TO:. Otherwise, you may end up with double bounces when the bounces are sent to spoofed senders.

original exim.conf
Code:
  check_recipient:
    # Exim 3 had no checking on -bs messages, so for compatibility
    # we accept if the source is local SMTP (i.e. not over TCP/IP).
    # We do this by testing for an empty sending host field.
    accept  hosts = :
    accept  domains = +local_domains
    accept  domains = +relay_domains
    accept  hosts = +relay_hosts
    accept  hosts = +auth_relay_hosts
            endpass
            message = authentication required
            authenticated = *
    deny    message = relay not permitted

my proposed exim.conf
Code:
  #!!# ACL that is used after the RCPT command
  check_recipient:
    # Exim 3 had no checking on -bs messages, so for compatibility
    # we accept if the source is local SMTP (i.e. not over TCP/IP).
    # We do this by testing for an empty sending host field.
    accept  hosts = :

    # added by wKkaY
    require verify = sender

    # accept local domains only if the recipient routes; a failure after
    # endpass rejects at RCPT time instead of bouncing later
    accept  domains = +local_domains
            endpass
            verify = recipient

    accept  domains = +relay_domains
    accept  hosts = +relay_hosts
    accept  hosts = +auth_relay_hosts
            endpass
            message = authentication required
            authenticated = *
    deny    message = relay not permitted
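To make the difference between the two ACLs concrete, here is a small Python model of how Exim evaluates a RCPT-time ACL. It is an added example, not DirectAdmin's exim.conf and not code from Exim: the domain, host and mailbox lists, the addresses and the reply texts are all constructed, and only the accept/require/deny verbs, endpass and the end-of-ACL default deny are modelled. Run against the original ACL, a forged sender writing to a non-existent local mailbox is accepted at RCPT and the failure only surfaces later as a bounce to the forged address; the proposed ACL refuses it with a 5xx at RCPT. It also shows why the final `deny ... relay not permitted` never sees local-domain recipients: the earlier `accept domains = +local_domains` has already taken them.

```python
"""Toy model of Exim 4 RCPT-time ACL evaluation (added example, not Exim code).

Implements only: accept / require / deny verbs, `endpass`, and the rule that
reaching the end of the ACL denies. All lists and addresses are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, List

# Constructed stand-ins for the named lists in exim.conf.
LOCAL_DOMAINS = {"example.com"}
RELAY_DOMAINS = {"customer.example.net"}
RELAY_HOSTS = {"10.0.0.5"}
AUTH_RELAY_HOSTS = {"192.0.2.10"}
# Mailboxes a real `verify = recipient` would find through the local routers.
LOCAL_MAILBOXES = {"alice@example.com", "bob@example.com"}
# Domains a real `verify = sender` could route (local, or has MX). Exim's
# sender verify routes the domain only; it does not prove the mailbox exists.
ROUTABLE_DOMAINS = {"example.com", "victim.example"}


@dataclass
class Session:
    host: str            # sending IP; "" = local non-TCP SMTP, matches `hosts = :`
    sender: str          # envelope sender; "" is the empty sender <> used by bounces
    recipient: str
    authenticated: bool = False


Condition = Callable[[Session], bool]


def hosts(pattern: str) -> Condition:
    lists = {"+relay_hosts": RELAY_HOSTS, "+auth_relay_hosts": AUTH_RELAY_HOSTS}
    if pattern == ":":   # an empty host list matches only non-TCP connections
        return lambda s: s.host == ""
    return lambda s: s.host in lists[pattern]


def domains(pattern: str) -> Condition:
    lists = {"+local_domains": LOCAL_DOMAINS, "+relay_domains": RELAY_DOMAINS}
    return lambda s: s.recipient.rpartition("@")[2] in lists[pattern]


def authenticated() -> Condition:
    return lambda s: s.authenticated


def verify(what: str) -> Condition:
    if what == "sender":   # the empty sender <> always passes sender verification
        return lambda s: s.sender == "" or s.sender.rpartition("@")[2] in ROUTABLE_DOMAINS
    return lambda s: s.recipient in LOCAL_MAILBOXES   # verify = recipient


@dataclass
class Statement:
    verb: str                                              # accept | require | deny
    before: List[Condition] = field(default_factory=list)  # conditions before endpass
    after: List[Condition] = field(default_factory=list)   # conditions after endpass
    message: str = "administrative prohibition"            # constructed reply text


def run_acl(acl: List[Statement], s: Session):
    """Return (smtp_code, text) for the RCPT command, following Exim's verb rules."""
    for st in acl:
        if st.verb == "accept":
            if not all(c(s) for c in st.before):
                continue                     # failed before endpass: try next statement
            if not all(c(s) for c in st.after):
                return 550, st.message       # failed after endpass: deny immediately
            return 250, "Accepted"
        if st.verb == "require":
            if not all(c(s) for c in st.before + st.after):
                return 550, st.message
            continue                         # all true: fall through
        if st.verb == "deny":
            if all(c(s) for c in st.before + st.after):
                return 550, st.message
            continue
        raise ValueError(st.verb)
    return 550, "administrative prohibition"  # reaching the end of the ACL denies


def outcome(acl: List[Statement], s: Session) -> dict:
    """RCPT reply, plus who gets the bounce if the message is accepted but unroutable."""
    code, text = run_acl(acl, s)
    local = s.recipient.rpartition("@")[2] in LOCAL_DOMAINS
    # Accepted at RCPT but unroutable at delivery: Exim bounces to the envelope
    # sender, which is backscatter when that sender was forged.
    bounce_to = s.sender if code == 250 and local and s.recipient not in LOCAL_MAILBOXES else None
    return {"rcpt": f"{code} {text}", "bounce_to": bounce_to}


# The DirectAdmin check_recipient ACL as posted above.
ORIGINAL = [
    Statement("accept", [hosts(":")]),
    Statement("accept", [domains("+local_domains")]),
    Statement("accept", [domains("+relay_domains")]),
    Statement("accept", [hosts("+relay_hosts")]),
    Statement("accept", [hosts("+auth_relay_hosts")], [authenticated()], "authentication required"),
    Statement("deny", message="relay not permitted"),
]

# The proposed ACL: sender verification, then recipient verification after endpass.
PROPOSED = [
    ORIGINAL[0],
    Statement("require", [verify("sender")], message="Sender verify failed"),
    Statement("accept", [domains("+local_domains")], [verify("recipient")], "Unknown user"),
] + ORIGINAL[2:]


if __name__ == "__main__":
    forged = Session("203.0.113.7", "ceo@victim.example", "nobody@example.com")
    for name, acl in (("original", ORIGINAL), ("proposed", PROPOSED)):
        print(name, outcome(acl, forged))
```

The model's reply texts are illustrative; Exim's own wording for a failed recipient verify differs. The point to take away is structural: an `accept` statement that matches before `endpass` ends the ACL with acceptance, so a later `deny` cannot catch unknown users in a local domain unless the `accept` itself carries `verify = recipient` after `endpass`.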
 
wKkaY said:
    require verify = sender
Good idea, and already included in the SpamBlocker version of exim.conf.
    accept domains = +local_domains
Good idea, and already included in both the DA default exim.conf and in my Spamblocker version of exim.conf.
    endpass
    verify = recipient
Not required, because any emails not specifically accepted will be denied by default. This definitely works as is; if you don't set up a catchall, email to non-existent senders is denied.

For a better understanding, you might want to take a look at the well-commented Spamblocker version of exim.conf; you can find it here.

Jeff
 

jlasman said:
    endpass
    verify = recipient
    Not required, because any emails not specifically accepted will be denied by default. This definitely works as is; if you don't set up a catchall, email to non-existent senders is denied.
Not required, but it would be very important to have (in these days when Rumpelstiltskin attacks are common). Otherwise, the method of denial would be a bounce mail being generated and sent to the envelope sender. But I guess you would know that too :) (since your exim.conf has that too).
 
Yes, I do.

However, my guess is that it's not required to deny rather than bounce, for two reasons:

1) The distribution of exim.conf that comes with exim has this as the last deny in the ACL:
Code:
  # Reaching the end of the ACL causes a "deny", but we might as well give
  # an explicit message.

  deny    message       = relay not permitted

2) By default DA does deny for nonexistent emails unless you've got a catchall set up.

Should I ask (exim author) Dr Hazel?

Jeff
 
Hold on a sec, before we continue, what is the default exim.conf for DA as of now? I admit that I'm new to DA so I don't know what the current versions are.

This is the configuration I found in the templates directory. Is that the current version? If it is, then it doesn't fulfil #2 (DA's configuration of exim happily accepts the mails whether the recipient exists or not) :)
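The quickest way to settle "does this server accept mail for a recipient that doesn't exist?" is to ask it over SMTP rather than read the config. The probe below is an added example, not DirectAdmin's or Exim's own code: it does EHLO, MAIL FROM and RCPT TO for an address that should not exist, reads the reply, then RSET and QUIT, so nothing is queued and the probe itself produces no bounce. The host, port, sender and recipient defaults are assumptions; point them at your own server and a domain it actually hosts.

```python
"""Probe an MTA for RCPT-time recipient rejection (added example, not Exim code)."""
import smtplib


def classify_rcpt(code: int) -> str:
    """Map the RCPT TO reply code to what it means for backscatter."""
    if 200 <= code < 300:
        return "accepted"    # unknown recipient taken at RCPT; a bounce is generated later
    if 400 <= code < 500:
        return "deferred"    # temporary rejection, e.g. greylisting or a verify callout
    if 500 <= code < 600:
        return "rejected"    # refused at SMTP time: recipient verification is in effect
    return "unexpected"


def probe(host: str, port: int = 25,
          sender: str = "probe@sender.example",                 # assumed values
          recipient: str = "no-such-user-4f9a1c@example.com",   # must be a hosted domain
          timeout: float = 10.0) -> dict:
    """Return the MAIL/RCPT reply codes and the classification of the RCPT reply."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:   # __exit__ sends QUIT
        smtp.ehlo_or_helo_if_needed()
        mail_code, mail_msg = smtp.mail(sender)
        if mail_code != 250:
            # A MAIL-time sender check would show up here; `require verify = sender`
            # in the RCPT ACL shows up as a 5xx at RCPT instead.
            return {"mail": mail_code, "mail_reply": mail_msg.decode(errors="replace"),
                    "rcpt": None, "verdict": "sender refused"}
        rcpt_code, rcpt_msg = smtp.rcpt(recipient)
        smtp.rset()    # abandon the transaction; no DATA, so nothing is delivered
        return {"mail": mail_code, "rcpt": rcpt_code,
                "rcpt_reply": rcpt_msg.decode(errors="replace"),
                "verdict": classify_rcpt(rcpt_code)}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"   # assumed host
    print(probe(target))
```

A verdict of "accepted" for a random local-part means the server will generate a bounce to whatever envelope sender an attacker supplies; "rejected" means the `verify = recipient` path (or an equivalent) is doing its job. A "deferred" reply is worth re-running a few minutes later, since greylisting and recipient callouts both answer 4xx the first time.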
 
At first glance it appears to be the old file; it's in the midst of being replaced.

However even it shouldn't have a problem denying non-existent addresses; as I recall it worked properly for us before I upgraded to my spamblocked version.

I'm not running anymore, so I can't tell for sure, but according to exim documentation it should not result in email being accepted for nonexistent addresses unless you've got a catchall setup.

Perhaps it's time to take this discussion to the exim-users list or to Dr Hazel.

Jeff
 
Hello,

The exim.conf in the templates directory isn't even used. The exim.conf comes with the rpm. We generally forward people to http://files.directadmin.com/services/exim4.conf; it is also the older 4.24 version. The version we include in the 4.34 release is still only in the rpms. I'll update everything once we include it with new installs.

John
 