Exim - Prevent From Spoofing

kubofonista, joined Oct 29, 2012
Hi,

I have a problem with the default Exim configuration:
A user logged in on SMTP as [email protected] can send mail with a spoofed From header, for example from [email protected], which is another user's domain, not owned by [email protected].

Is it possible to block From header spoofing? Right now SMTP authorization is only theoretical, when a logged-in user (via any account) can send mail as any other domain.

Best Regards
 
Yeap, that's a security bug to me. Is it possible to fix it?
I suppose it can be done, most likely by using a customized exim.pl or a customized exim.conf script, or both. How? I have no idea. If you decide to figure it out and implement it successfully, be sure to let us know.

Jeff
 
Hello,

I guess I could do that for you (as well as for other users who posted here) as a commercial service. For now, as far as I know, nobody here is using anything of that kind. But if you want it and you are ready to pay, feel free to hire somebody from us for that kind of job.

Is it possible to block From header spoofing? Right now SMTP authorization is only theoretical, when a logged-in user (via any account) can send mail as any other domain.
 
If you decide to figure it out and implement it successfully, be sure to let us know.

Hi,

Yeap, I now have a solution for this: an ACL ;) Now the authenticated user's login must equal the From header or the mail is rejected. The only remaining problem is local users: they don't have a domain in their login, so now they can't send any emails.

Best
 
Hi again,

I can't edit my post so I have to write a new one, sorry.

I have a complete solution for this problem.
Now:

- a unix user can send mail as the domains he owns, with any login (for example, user A has the domains a.com and b.com, so now he can send mail as [email protected], [email protected], [email protected], etc.; he can't send mail as [email protected] because c.com is not owned by him)
- an SMTP user can send mail only as his domain (for example, user [email protected] can send mail only as [email protected]; not as [email protected] and not as [email protected])

This is it ;)
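The post above describes the policy but not the ACL itself. The fragment below is an added example of one way to express that policy in Exim's own ACL language; it is not the poster's ACL and not DirectAdmin's or SpamBlocker's code. It assumes the rules are placed in the DATA-time ACL (`acl_smtp_data = acl_check_data`) because the From: header is only available after DATA, that SMTP logins for virtual mailboxes are full `user@domain` addresses while unix accounts log in with a bare username, and that domain ownership is recorded in `/etc/virtual/domainowners` as `domain.tld: username` lines (the DirectAdmin file format is assumed here).

```exim
# Added example, not the poster's ACL. Assumed to be referenced from the
# main section with:  acl_smtp_data = acl_check_data
acl_check_data:

  # Virtual mailbox login (contains "@"): the From: address must equal the
  # authenticated login exactly, so [email protected] cannot send as anyone else.
  deny
    authenticated = *
    condition     = ${if match{$authenticated_id}{@}}
    condition     = ${if !eqi{$authenticated_id}{${address:$h_From:}}}
    message       = From: address must match your authenticated login ($authenticated_id)

  # Unix account login (no "@"): any local part is allowed, but the From:
  # domain must be owned by this account. Ownership is looked up in
  # /etc/virtual/domainowners ("domain.tld: username", assumed format);
  # a domain that is not listed yields an empty owner and is denied.
  deny
    authenticated = *
    condition     = ${if !match{$authenticated_id}{@}}
    condition     = ${if !eqi{$authenticated_id}\
                      {${lookup{${domain:${address:$h_From:}}}lsearch{/etc/virtual/domainowners}{$value}{}}}}
    message       = You may only send as a domain owned by your account ($authenticated_id)

  # Unauthenticated (inbound) mail and everything that passed the checks above.
  accept
```

Two caveats a practitioner would want: the rules only inspect the first address in From:, so a header carrying several addresses, or a spoofed Sender: or Reply-To:, is not covered by this fragment; and the rules apply only when `authenticated` is set, so unauthenticated relay from trusted hosts or local submission via the command line is unaffected and must be policed separately if that matters to you.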
 
I only develop the latest version of Spamblocker (currently SpamBlocker Version 4); whether or not DirectAdmin takes my code or implements their own is entirely up to them.

As for me, it depends on how simple it is to implement and leave turned off by default.

I wouldn't want to turn your code on by default on our servers because I want my clients to be able to use their email services, within reason, as their needs dictate. Of course I don't want them to abuse our systems but if they do we manage that through our terms of service.

For example, a client has multiple accounts with us and wants to be able to send email out through our servers, but doesn't want to have to use multiple logins to send email.

Jeff
 