Exim user auth validation

Nerigal

Hi,

I have a question about how Exim validates senders/users.


This is hard for me to explain; let me try...

What I mean is: say you send an email using your email address from your hosting service, for example [email protected]

You use the SMTP server mail.mydomain.com ... this requires authentication with the DirectAdmin username and password, the same as the POP server, but...

How does Exim verify that the authenticated user [email protected] sends email using HIS domain, and not another one instead?

So there must be a way to verify the domain of the SMTP server used against the domain of the sender? Both must match, right?

Thanks.
 
Hello,

Exim does not do that; you can send emails from the server with any valid username and password. And it doesn't even check whether you're pointing a sender address with a domain hosted on any other server.
 
I know SPF records are great for that, but it would be nice to set up an ACL that verifies whether the domain of the sender matches the SMTP server used to send the email in question and domainlist local_domains.

I don't have enough skills to write Exim ACL rules, but I think it should look something like:

    accept  hosts = +relay_hosts
    accept  domains = +local_domains
    accept  hosts = +auth_relay_hosts
            endpass
            message = authentication required
            authenticated = *
 
First, I've read your post and I'm pretty sure the RFC wouldn't disallow blocking authenticated users from using your SMTP to send email from a domain that they aren't the owner of... And just a clarification: this does NOT concern the Return-Path: <[email protected]>
The domain in FROM must match the smtp_domain_host of the authenticated user.

Secondly... you might agree with me: users are stupid and most of the time they don't even know what they are doing, so it is thoucher to blame them and a waste of time... The job of the admin is to moderate what they can do and what they can't do...

Thirdly... the RFC will not help us get our IPs unflagged, because we get flagged as an open relay because authenticated users send email from non-owned domains.

So if anyone has a clue how to add an ACL to fix this, thanks :)
 
Ok, you might want to suggest that to Jeff, or do it yourself. Or ask in Exim-mailing lists. I personally do not know much about exim's ACLs and conditions. But it should not be that hard, but it's not that easy at the same time.

One more thing I would add. I personally do and we in our company do use one pair of login (username) and password to send emails out with different domains in FROM. Of course we set valid SPF for such domains.

Please, update us, if you find any solution.

P.S. All time earlier and now, I've been talking exactly about FROM header, not about Return-Path.
 
> P.S. All time earlier and now, I've been talking exactly about FROM header, not about Return-Path.

I know, the answer from Jeff talking about the return address was obscure to me...
 
> Ok, you might want to suggest that to Jeff
The reason I'm not going to do it is because it takes away functionality I need.

For example, I send email from my local desktop with multiple return addresses at multiple domains, some of which are hosted on different servers, and it's easier for me to use only one server for outgoing email.

I'd bet that other people do it as well, and I'm not even sure if all MUAs allow you to use multiple outgoing servers.

Your needs may vary. But I recommend you consider your clients' needs as well.

Jeff
 
I guess I misunderstand something, because... like I said, there is nothing regarding the Return-Path...

And lastly... if you really need multiple-domain return addresses... why not use just 1 return address which is a forwarder to your return list address? This method would be much more standard, no?
 
I presume you're responding to me, but your response doesn't seem to address my needs. If I write from (for example) [email protected], and another from [email protected]. I want both of them to go out from server.example.com even though example.net is on server.example.net.

Unless I'm missing something the requested change wouldn't let me send emails with a return address of [email protected] because it's not hosted on server.example.com.

And even more important, my clients with the same needs will complain, and if I can't help them (more code and another file to check and maintain) they'll migrate to a host who will.

What am I missing?

Jeff
 
I agree with Nerigal, this would be useful to add a layer of protection against abuse.
Somebody on the server could send dkim signed messages (with a default DA setup) that would look legit and the owner of the domain would be very unhappy.

I think it's not too much to ask to have one SMTP user per domain.
 
> I presume you're responding to me, but your response doesn't seem to address my needs. If I write from (for example) [email protected], and another from [email protected]. I want both of them to go out from server.example.com even though example.net is on server.example.net.
>
> Unless I'm missing something the requested change wouldn't let me send emails with a return address of [email protected] because it's not hosted on server.example.com.
>
> And even more important, my clients with the same needs will complain, and if I can't help them (more code and another file to check and maintain) they'll migrate to a host who will.
>
> What am I missing?
>
> Jeff


I'm sorry for the late response... been really busy.

Actually, I understand your problem, but it doesn't sound that big if you start with this concept: deny -> allow.

I'll try to explain myself...

If you are really restrictive in every way, like this explicit situation where exim.conf disallows an email from [email protected] being sent by smtp.exemple.com,
that gives you way better control of what is going on with your shared hosting servers.
And if you absolutely need to send email from [email protected], there is still a whitelist_domain file that can be used to allow domains that can use this actual SMTP (smtp.exemple.com),
so you know exactly who can use your SMTP to send email, and you avoid authenticated users using smtp.exemple.com to send email from [email protected] or whatever.
 
So either I have to notify all my clients, ask them to tell me which return addresses they use, and then manually update a whitelist file.

And then when they add another one, send me an email, and then wait for me to add it to the whitelist.

Seems like a lot of work for me, a lot of inconvenience for my clients.

Write the code, test it, tell me where it goes, and then maybe when I add DKIM to my exim.conf codebase I'll add it, but commented out by default.

Jeff
 
> So either I have to notify all my clients, ask them to tell me which return addresses they use, and then manually update a whitelist file.
>
> And then when they add another one, send me an email, and then wait for me to add it to the whitelist.
>
> Seems like a lot of work for me, a lot of inconvenience for my clients.
>
> Write the code, test it, tell me where it goes, and then maybe when I add DKIM to my exim.conf codebase I'll add it, but commented out by default.
>
> Jeff

Like I said previously, this has nothing to do with the return address, which is the Return-path: <[email protected]>
 
So please explain in simple terms:

Can I send an email pretending to be [email protected]?

Can I send an email pretending to be [email protected]?

Without getting the provider involved?

How, and what's the difference?

Sorry, I need the first-grader's version; I'm confused.

Jeff
 
Well, you can't do that now, so why would putting in place more restrictive rules let you do that?

What we need is to enforce a rule that says that you can only send an email from *@domain1.com if you're logged in as [email protected]

If your clients have more than one domain, simply educate them and explain to them that they wouldn't appreciate it if [email protected] could send emails looking to be sent from their domain1.com domain.
I'm sure they would make the effort of configuring their email client properly so that they use one SMTP account per domain.

I think the best solution would be to check if the domain is owned by the same user. That way everybody is happy. Clients can use one account for all their local domains and abusers cannot use someone else's domains.
 
> Well, you can't do that now, so why would putting in place more restrictive rules let you do that?
I can do that now. I can put [email protected] into my From field of my desktop email client, and I can send the email through my webhosting provider (which happens to be me).

In fact I was quite embarrassed quite a few years ago (probably last century) when I showed someone how easy it was to do by sending him an email doing exactly that, using my then ISP (ibm.net, no longer in the ISP business). Then I forgot to change it back, and later that day sent an email to my account rep at Waggener Edstrom (Microsoft's PR company). I noticed it as it was going out and I immediately called her to let her know. Fortunately she had a great sense of humor.

In spite of the risks, the RFCs require it. Not that I'd object to changing it if it appeared reasonable, but my problem is still the support issues it would engender when my clients want to send email from, for example, [email protected].

Did you know that Squirrelmail allows it (Options : Advanced Identities)? Probably other webmail clients as well.

> What we need is to enforce a rule that says that you can only send an email from *@domain1.com if you're logged in as [email protected]

Maybe I'm missing the concept of logged in as. What do you mean by that?

> If your clients have more than one domain, simply educate them and explain to them that they wouldn't appreciate it if [email protected] could send emails looking to be sent from their domain1.com domain.

But from most email accounts, they can.

> I'm sure they would make the effort of configuring their email client properly so that they use one SMTP account per domain.

But that doesn't fix it; you can easily have microsoft.com as a domain on the server.

> I think the best solution would be to check if the domain is owned by the same user. That way everybody is happy. Clients can use one account for all their local domains and abusers cannot use someone else's domains.

And it wouldn't help at all if they wanted to use [email protected].

I believe the best way to handle it would be to create a system whereby if the email were sent to a DirectAdmin SMTP server it were bounced with a message including a clickable link for the user to prove the email address is his/hers, by getting a special email to the from address which needs to be vetted, and having to reply to allow it.

All that automation is well beyond the scope of what I want to do, but if you do it, I'll consider adding it to my exim.conf code base.

Jeff
 
> I can do that now. I can put [email protected] into my From field of my desktop email client, and I can send the email through my webhosting provider (which happens to be me).

I never checked before, but it seems that the current exim.conf lets users do that. I thought this had been plugged a long time ago.
Would you happen to have the RFC handy?

> Maybe I'm missing the concept of logged in as. What do you mean by that?

Authenticated user.

> But from most email accounts, they can.

I don't think gmail lets you send emails showing as coming from a different account. They let you play with the reply-to or you can use your own domain as part of their apps offering, but that's it.

> But that doesn't fix it; you can easily have microsoft.com as a domain on the server.

You can't do that if you have tight checks in place.
http://www.directadmin.com/features.php?id=752

> And it wouldn't help at all if they wanted to use [email protected].

Indeed, but if they want to send emails that appear as coming from gmail, then they should use gmail's SMTP.

Using smtp servers that have nothing to do with the domain names used in the "From" is one of the best ways of getting your emails flagged as spam anyway.

> I believe the best way to handle it would be to create a system whereby if the email were sent to a DirectAdmin SMTP server it were bounced with a message including a clickable link for the user to prove the email address is his/hers, by getting a special email to the from address which needs to be vetted, and having to reply to allow it.

That's one way of doing things, but I believe in doing things properly and in educating people. It's usually easier to do with SMEs as their IT department will configure things for users...

Next time I'll look at my SMTP code, I'll see if I can update the rules to make them stricter and will post them on here for people that need tighter rules.
 
> I never checked before, but it seems that the current exim.conf lets users do that. I thought this had been plugged a long time ago.

It always has.

> Would you happen to have the RFC handy?

Can't find it. I'll ask for some input on exim-users.

> Authenticated user.

That's not quite the same as logged in as which implies some continuous state, but thanks for the clarification.

> I don't think gmail lets you send emails showing as coming from a different account. They let you play with the reply-to or you can use your own domain as part of their apps offering, but that's it.

No, they use the method I mentioned in my last post, to let you add any email address you use:

http://mail.google.com/support/bin/answer.py?answer=22370

> You can't do that if you have tight checks in place.
> http://www.directadmin.com/features.php?id=752

So you're suggesting that we're responsible, in advance, for figuring out the thousands, tens of thousands, hundreds of thousands, millions, even, of domains that need to be in the list, or are you only interested in protecting microsoft, google and the like?

> Indeed, but if they want to send emails that appear as coming from gmail, then they should use gmail's SMTP.

Which means that your unsophisticated clients have to figure out how to set that up. Is it even possible to use multiple outgoing MTAs with all email clients your users may depend on? I know it is with mine, I know it is with Outlook and OE, but I don't know if it is with all. Do you?

> Using smtp servers that have nothing to do with the domain names used in the "From" is one of the best way of getting your emails flagged as spam anyway.

FUD. Unless you can point to something.

> That's one way of doing things, but I believe in doing things properly and in educating people. It's usually easier to do with SMEs as their IT department will configure things for users...

That's the way Google does it; see my link above. Not to say they're the end all and be all, but they put more money, thought and effort into it than I have time for.

> Next time I'll look at my SMTP code, I'll see if I can update the rules to make them stricter and will post them on here for people that need tighter rules.

Which is the way it should be. The whole point of open-source is that you can make the changes you want.

Jeff
 
> No, they use the method I mentioned in my last post, to let you add any email address you use:
>
> http://mail.google.com/support/bin/a...y?answer=22370

and they specify that it's not recommended for professional use...

> So you're suggesting that we're responsible, in advance, for figuring out the thousands, tens of thousands, hundreds of thousands, millions, even, of domains that need to be in the list, or are you only interested in protecting microsoft, google and the like?

It's better than nothing. Scammers are always trying to fool people into thinking they're one of the well known brands. Look at what just happened to Comodo.

> Which means that your unsophisticated clients have to figure out how to set that up. Is it even possible to use multiple outgoing MTAs with all email clients your users may depend on? I know it is with mine, I know it is with Outlook and OE, but I don't know if it is with all. Do you?

Works fine with Thunderbird and most smartphones. Most "unsophisticated" users will probably be using Outlook, OE, Thunderbird or Mail and they all support the creation of multiple SMTP servers.
It's something you do once anyway.

> FUD. Unless you can point to something.

I'm surprised by your reaction here, because you've been around long enough to have read about and experienced it. It's one of the first things we look at when an email looks suspicious.
Just look at Google's statement regarding the use of an external account.

> That's the way Google does it

Indeed, they recommend you use your SMTP server to send emails, so start educating your users ;)
 
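The three rules proposed in this thread (From: domain equals the login domain, an admin-maintained whitelist, and same-owner domains), sketched as an Exim ACL. This is an added example, not code from any poster or from DirectAdmin's exim.conf; it assumes SMTP logins are full addresses (user@domain), and the file paths, macro, list name and acl_m_ variable names are placeholders.

```exim
# Added example; not DirectAdmin's shipped exim.conf. Assumes SMTP AUTH sets
# $authenticated_id to a full mailbox address (user@domain). Both file paths
# and the list/macro/variable names are placeholders chosen for this sketch.

# ---- main configuration section ----
# Domain-to-owner map, one "domain: owner" pair per line (lsearch format).
FROM_OWNERS_FILE = /path/to/domain_owners
# Extra From: domains that any authenticated user may use, one per line.
domainlist from_whitelist = lsearch;/path/to/from_whitelist

# ---- inside the ACL named by acl_smtp_data (headers exist only there) ----

  # Collect both domains and their owners once per authenticated message.
  # A missing or unparsable From: yields an empty domain and is refused below.
  warn    authenticated = *
          set acl_m_auth_dom = ${lc:${domain:$authenticated_id}}
          set acl_m_from_dom = ${lc:${domain:${address:$h_from:}}}
          set acl_m_auth_own = ${lookup{$acl_m_auth_dom}lsearch{FROM_OWNERS_FILE}{$value}}
          set acl_m_from_own = ${lookup{$acl_m_from_dom}lsearch{FROM_OWNERS_FILE}{$value}}

  # Refuse unless one of the three rules discussed in the thread allows it:
  #   1. From: domain equals the login domain (one SMTP account per domain)
  #   2. From: domain is in the admin-maintained whitelist
  #   3. From: domain and login domain belong to the same account owner
  deny    authenticated = *
          condition   = ${if !eq{$acl_m_from_dom}{$acl_m_auth_dom}}
          !condition  = ${if match_domain{$acl_m_from_dom}{+from_whitelist}}
          !condition  = ${if and{{!eq{$acl_m_from_own}{}}\
                                 {eq{$acl_m_from_own}{$acl_m_auth_own}}}}
          message     = From: domain not permitted for this SMTP login
          log_message = From/auth mismatch: login=$authenticated_id \
                        from_domain=$acl_m_from_dom
```

The check reads the From: header, not the envelope sender, which is the distinction the thread keeps returning to. A login that is a bare username with no domain part matches only through the whitelist under these assumptions.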