Exim: prevent mail from a non-local domain

neo-hippie (Verified User, joined May 27, 2014, The Netherlands)
Hello,

How can I prevent Exim from accepting email from a non-local domain after a user has successfully logged in?
Basically, when people are using my SMTP server for sending email from another account/domain:
they are fully authenticated to send email, but are using the wrong account.
This will affect my DKIM and SPF, as the server isn't authenticated to send email from that domain.

Thanks,
 
You can spoof any domain on any mail server. You are not going to stop it.
 
Apparently it can be done.
http://techsadmin.blogspot.nl/2012/11/exim-hardening-practices.html
(and where you commented!) http://forum.directadmin.com/showthread.php?t=44929

At the bottom of the ACL list I've added this, which does the trick. (It does need more testing, but all comments are welcome!):

# ACL that is used after the DATA command
check_message:
  deny
    authenticated = *
    condition = ${if or {\
        { !eqi{$authenticated_id} {$sender_address} }\
        { !eqi{$authenticated_id} {${address:$header_From:}} }\
        }\
      }
    message = Your FROM must match your authenticated email user.
 
@scsi:

I believe the RFCs still allow it, and I do it all the time, sending all email through one IMAP account but with many different return addresses.

Yes, it does require manual configuration of DNS servers to SPF and DKIM settings to allow receipt by strict servers.

Lots of email senders don't allow it, including those from lots of ISPs.

@neo-hippie:

Check carefully to see if ACLs work; my recollection is they won't because the data ACL will be skipped if mail is coming from an authenticated login. Check carefully the order of accept and deny in the exim.conf file, or just do some testing.

And read some of the discussions on whether or not it's a good idea to use the data acl, as many servers don't wait around for it, and those which do can find sending delayed.

Jeff
 
Hi Jeff, thanks for the feedback.

By default the exim.conf has the ClamAV check also inside the DATA ACL.
That's why I chose that function.

First tests are promising: when sending from a non-local domain with an authenticated local domain over SMTP it returns an error.
Also, sending mail through PHP's mail() is functioning perfectly.

Tomorrow I'll test some more.

Any feedback is appreciated.
 
Is there somebody who understands these ACL scripts?

I understand the above script compares $authenticated_id (what is it? login name? login domain?) with the From header or $sender_address,
but can it be modified to compare against all local domains?

So that one user with multiple domains on the same server can use one login account.
 
Is there somebody who understands these ACL scripts?
Hopefully :D

John and I probably know them as well as anyone, but I know that I still refer to resources, documentation and examples a lot.
I understand the above script compares $authenticated_id (what is it? login name? login domain?)
My understanding is it's what you log in as. For example it could be a complete login email address (for virtual mailbox users) or a username (for the main email address which comes with a user, reseller, or admin account).
with the From header or $sender_address
but can it be modified to compare against all local domains?
Possibly. I'm not sure.

You'd need to separate out the @ if it exists, then take only the right side, then compare it to your list at /etc/virtual/domains. The problem is that the ACL language is designed to be fast, not feature-rich, so you might need to set a variable based on a compare, and then make decisions based on the value of the variable (we do this when we integrate ClamAV).

Asking at the Exim Users mailing list might be better; you'll find people there with much more ACL knowledge and experience.

Jeff
 
Hi Jeff,

Thanks a lot for the help.
i'll go and figure it out.

You're talking about these variables.
Are they the same as the variables used in the Transport section?
For example the uservacation transport states:
log = /etc/virtual/${domain}/reply/${local_part}.log

So can I use ${local_part} in the ACL?
 
Likely dependent on which ACL, since before you accept the data you're dependent entirely on what's sent in the SMTP dialog.

Check the Exim documentation, chapter 42: Access Control Lists (exim.org).

Jeff
 
Hi Jeff,

I think I've solved it. The final ACL is as follows:
Code:
  deny
    authenticated  = *
    sender_domains = !+local_domains
    condition = ${if or {\
        { !eqi{$authenticated_id} {$sender_address} }\
        { !eqi{$authenticated_id} {${address:$header_From:}} }\
        }\
      }
    message  = Your FROM must match your authenticated email user.
Perhaps you can implement it in the next SpamBlocker config file,
especially since more servers use SPF and DKIM checks.
Or is there an easy way to make it an option to enable from within DirectAdmin?
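The following is an added example, not code from this thread or from DirectAdmin: a small Python model of the decision the two posted rules make, so they can be checked offline against sample sessions instead of a live SMTP dialog. It reproduces the three inputs Exim evaluates ($authenticated_id, the envelope $sender_address and the From: header) for both the first rule and the final one, so the effect of the added `sender_domains = !+local_domains` line is visible. The domain list, the addresses and the sessions below are constructed sample data; the domain list stands in for the +local_domains list DirectAdmin builds from /etc/virtual/domains.

```python
"""Offline model of the two Exim DATA-ACL rules posted in this thread.

Added example (not code from the thread or from DirectAdmin). It reproduces
the decision the 'deny' verb makes from the three values Exim sees:
$authenticated_id, $sender_address (envelope MAIL FROM) and the From: header.
The local-domain list and all addresses below are constructed sample data.
"""
from email.utils import parseaddr

# Constructed stand-in for +local_domains (built from /etc/virtual/domains).
LOCAL_DOMAINS = {"example.com", "example.org"}


def address_op(header_value: str) -> str:
    """Mimic Exim's ${address:...}: the bare address out of a From: header."""
    return parseaddr(header_value)[1]


def domain_op(addr: str) -> str:
    """Mimic ${domain:...}: the part after the last '@', lower-cased."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def eqi(a: str, b: str) -> bool:
    """Mimic the eqi condition: case-insensitive string equality."""
    return a.lower() == b.lower()


def identity_mismatch(authenticated_id, sender_address, from_header):
    """The shared 'condition' line of both rules:
    ${if or {{!eqi{$authenticated_id}{$sender_address}}
             {!eqi{$authenticated_id}{${address:$header_From:}}}}}
    """
    return (not eqi(authenticated_id, sender_address)
            or not eqi(authenticated_id, address_op(from_header)))


def first_rule_denies(authenticated_id, sender_address, from_header):
    """First posted rule: 'authenticated = *' plus the mismatch condition.
    Exim ANDs all conditions of one verb, so both must hold."""
    return bool(authenticated_id) and identity_mismatch(
        authenticated_id, sender_address, from_header)


def final_rule_denies(authenticated_id, sender_address, from_header,
                      local_domains=LOCAL_DOMAINS):
    """Final rule: adds 'sender_domains = !+local_domains', i.e. the deny can
    only fire when the envelope sender's domain is NOT a local domain."""
    if not authenticated_id:
        return False          # rule applies to authenticated sessions only
    if domain_op(sender_address) in local_domains:
        return False          # local envelope domain: the deny never fires
    return identity_mismatch(authenticated_id, sender_address, from_header)


# Constructed sessions: (authenticated_id, envelope sender, From: header)
SAMPLE_SESSIONS = [
    ("neo@example.com", "neo@example.com", "Neo <Neo@Example.com>"),  # own address, case differs
    ("neo@example.com", "neo@example.org", "neo@example.org"),        # second local domain, same login
    ("neo@example.com", "boss@gmail.com", "boss@gmail.com"),          # foreign domain, spoofed
    ("neo@example.com", "neo@example.com", "Boss <boss@gmail.com>"),  # local envelope, foreign From:
    ("admin", "admin@example.com", "admin@example.com"),              # system user: bare username login
    ("admin", "admin@gmail.com", "admin@gmail.com"),                  # system user, foreign domain
]


def evaluate_all(sessions=SAMPLE_SESSIONS):
    """Return [(first_rule_denies, final_rule_denies), ...] per session."""
    return [(first_rule_denies(*s), final_rule_denies(*s)) for s in sessions]


if __name__ == "__main__":
    for session, (first, final) in zip(SAMPLE_SESSIONS, evaluate_all()):
        print(f"{session!s:72} first={'deny' if first else 'ok'}"
              f"  final={'deny' if final else 'ok'}")
```

Rows 2 and 5 show what the `sender_domains` line buys: one login (a virtual mailbox address or a bare system username) can send from every local domain, which the first rule rejected. Row 4 shows the price: the gate is keyed on the envelope sender only, so an authenticated session with a local envelope sender and a foreign From: header passes the final rule although the first rule denied it. SPF is evaluated on the envelope sender, DMARC alignment on the From: header, so which of the two addresses matters depends on what the receiving side checks.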
 
I've edited your post so the code now stands out better.

But I don't think I'd make it a standard part of DirectAdmin's exim.conf. Mainly because if I did I couldn't use the standard exim.conf. Nor in my opinion could lots of others, because many of us believe in giving our users choice.

However, the good news for you is that DirectAdmin and I are now working together to merge our exim.conf files, and once they're merged you may be able to talk staff into merging your suggestion into the official copy.

To start the procedure you should probably post a Feature Request. While I'll vote against it, we can see if there's interest from enough others to consider it.

Jeff
 
Well, thanks Jeff. I need to learn how to do that; it makes it more readable indeed.

You're absolutely right. It should benefit others to make it a standard.
But don't you think it should be, because of the stricter email standards nowadays?
More and more servers are using DKIM and SPF.

Maybe it could become an option in directadmin.conf?

Just saying. My problem is solved!
Thanks for all the input.
 