Exim user auth validation

It's better than nothing. Scammers are always trying to fool people into thinking they're one of the well known brands. Look at what just happened to Comodo.
It may not be better than nothing. If you block people from sending as (for example) Microsoft but not as a small local bank, and the small local bank takes a loss from someone using your server to send phish-bait, they could easily argue in court, in front of unsophisticated jurors, that you knew of the possibility (as evidenced by your disallowing people to do it as Microsoft) and didn't protect them with the same level of care. You could (at least in the U.S.) easily lose. No, I'm not a lawyer, but I did ask my lawyer about this specific issue.

I'm surprised by your reaction here, because you've been around long enough to have read about and experienced it. It's one of the first things we look at when an email looks suspicious.
It may be the first thing you look at, but it's not the first thing that spamblockers look at. That's why I call it FUD. If you can prove any instances of spamblockers looking at that, please do.

My understanding is that best practice requires that you check MX for a forward and backward DNS match, but that you should never check against the sender domain. Sure, you can use the SPF flag for authorized senders, but most of us allow our users to send from anywhere and so publish permissive DNS. Note that our default SpamBlocker file does check against phishermen using the PayPal domain to send email, but only for the PayPal domain. Perhaps, based on what my attorney said, I may need to remove that.
Just look at Google's statement regarding the use of an external account.
Indeed, they recommend you use your SMTP server to send emails, so start educating your users ;)
Users would be best served by using their ISP's outgoing email account. And I'd bet that's exactly what Google means. We actually tell our users to do that if they can, but if they travel and use wifi, they often can't.

I'm not going to continue to discuss this ad infinitum. It's obviously we agree as we are entitled to do.

Please feel free to publish your own file and give DirectAdmin users a choice. You don't even need to start from scratch as I did; my work is open-source under the GNU General Public License, Version 2.

Jeff
 
Hi, I'm sorry for the late reply once again, but I think interfasys has explained well my idea about disallowing email from domains we do NOT own to be sent from our SMTP.

Let's help with the clarification.

It may not be better than nothing. If you block people from sending as (for example) Microsoft but not as a small local bank, and the small local bank takes a loss from someone using your server to send phish-bait, they could easily argue in court, in front of unsophisticated jurors, that you knew of the possibility (as evidenced by your disallowing people to do it as Microsoft) and didn't protect them with the same level of care. You could (at least in the U.S.) easily lose. No, I'm not a lawyer, but I did ask my lawyer about this specific issue.

I've been involved in legal threats about phish-bait, and what I can say is you will never be involved in legal proceedings for a domain you are not responsible for...

If a domain you own or use "publishes" phish-bait, you will be notified to fix the problem... and maybe asked to keep 7 days of logs for the investigation, but you are considered much more as a victim than anything else.. depending on how you cooperate. Haven't seen anything going further anyway.

This new option submitted is completely custom and a non-standard feature which legally has no value at all ("not an RFC").

You block people from using your SMTP as an open relay by enabling authenticated = *
Actually you protect every single domain you do not own by blocking your authenticated users from sending email through domains they do not own.

This is the basis of the security concept: deny all -> allow what needs to be allowed.

It may be the first thing you look at, but it's not the first thing that spamblockers look at. That's why I call it FUD. If you can prove any instances of spamblockers looking at that, please do.

My understanding is that best practice requires that you check MX for a forward and backward DNS match, but that you should never check against the sender domain. Sure, you can use the SPF flag for authorized senders, but most of us allow our users to send from anywhere and so publish permissive DNS. Note that our default SpamBlocker file does check against phishermen using the PayPal domain to send email, but only for the PayPal domain. Perhaps, based on what my attorney said, I may need to remove that.

Checking MX for a forward and backward DNS match is not an option externally. Why? Shared hosting... I'm sending an email from an SMTP server mail.example.com that resolves to IP 205.37.12.84

the from email is [email protected]
whatever.com is still an "owned domain" on mail.example.com but does not resolve to 205.37.12.84

So an MX lookup will not solve the actual problem.

From a security point of view, an SPF record is the desperate solution to prevent SMTP servers from sending mail pretending to possess a domain they don't, but only at the back end of the email transaction...

This is the sad result of the open relay "spammers" that we know well about, and of some, in my opinion, poorly secured SMTP servers that let anything go out of their server even if authentication is required.

I've got a cool example for you. This past week I've been so busy because I've caught some of my users being infected by a virus that takes the default configured account to send an email from [email protected], which is the virus... All users I've caught had their hosting outgoing mail server configured with authentication and a custom SMTP port.

The result of this is that one of my servers' IPs got flagged.

With this newly submitted option, no email using [email protected] would come out of my server even if the user sending emails is authenticated, and an SPF record does not protect you at all from that kind of situation, whether UPS uses an SPF record or not.

The funny thing is when this happened I was like.. omg, just talking about a solution to prevent this **** lol

Users would be best served by using their ISP's outgoing email account. And I'd bet that's exactly what Google means. We actually tell our users to do that if they can, but if they travel and use wifi, they often can't.

I'm not going to continue to discuss this ad infinitum. It's obviously we agree as we are entitled to do.

Please feel free to publish your own file and give DirectAdmin users a choice. You don't even need to start from scratch as I did; my work is open-source under the GNU General Public License, Version 2.

Jeff

Actually I wouldn't talk about this here if I could solve this security failure myself; the rules would already be enabled in the exim.conf.

thanks
 
I miswrote in my previous email: what I meant to write was that we can agree to disagree.

It appears that your lawyer and mine disagree, and that's fair, too. My lawyer told me I should always consider all possibilities and never expect a case to go one way or the other, but always prepare for all possibilities.

If you don't understand what you need to match for rDNS (and it appears you may not), then please read about this elsewhere as I don't have the time to write it over and over again each time it comes up.

You've made it clear that you know what to do that I don't do, so it seems to me you could take the time to write (or rewrite) the exim.conf file yourself. It's taken me many man-months of time, and I'm fairly happy with it.
You could of course hire me or someone else to do it the way you want it done for your server(s).

Perhaps you should ask on the exim-users list to see if someone else is doing it the way you like, and just rewrite that to work with DirectAdmin.

This is my last post on this issue. Someone please remind me if I forget.

Meanwhile if someone else wants to discuss it with you here that's of course fine with me.

Jeff
 
Hi everyone, I have a server with DA, latest version.

One of my clients got his CPU hacked, and someone stole his email passwords.

The hacker used the user and password to log in to the SMTP server to send a very huge amount of spam.
I changed the email address password and then the hacker stopped sending spam.

A few days later my stupid client got hacked again, but this time I don't know where the mails are coming from; I can only see emails are in /etc/virtual/usage/user.bytes, but there is no login user, no login attempts, no IP from, it's all local.
I tried to find some web-script-based thing or something like that, but I didn't find anything.

I only know this hacker is sending mails with a From of roberta.
I'm sending logs with what I have in the Exim mainlog to see if someone can help me.

[root@tera1 exim]# grep 1Q6RXA-00008k-9b mainlog
2011-04-17 04:07:24 1Q6RXA-00008k-9b ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host ASPMX.L.GOOGLE.COM [74.125.157.27]: 550-5.1.1 The email account that you tried to reach does not exist. Please try\n550-5.1.1 double-checking the recipient's email address for typos or\n550-5.1.1 unnecessary spaces. Learn more at\n550 5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596 x41si9056848yhc.90
2011-04-17 04:07:24 1QBM4q-00033H-Tf <= <> R=1Q6RXA-00008k-9b U=mail P=local S=8032 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2011-04-17 04:07:25 1Q6RXA-00008k-9b Completed
[root@tera1 exim]# grep 1QBM4q-00033H-Tf mainlog
2011-04-17 04:07:24 1QBM4q-00033H-Tf <= <> R=1Q6RXA-00008k-9b U=mail P=local S=8032 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2011-04-17 04:07:25 1QBM4q-00033H-Tf => [email protected] F=<> R=lookuphost T=remote_smtp S=8162 H=vip-us-br-mx.terra.com [208.84.244.133] C="250 2.0.0 Ok: queued as 32F6E5DF5E791"
2011-04-17 04:07:25 1QBM4q-00033H-Tf Completed
[root@tera1 exim]#



As you see, if some rule like the one discussed in this post were enabled, to configure somewhere that the FROM email has to be blocked, the spam would not be allowed.
 
try this...

Code:
cat /var/log/exim/mainlog | grep -P '.*\[(\d+\.\d+\.\d+\.\d+)\].*A\=login\:(?:[a-zA-Z0-9\-\_\.]+\@([a-zA-Z0-9\-\_\.]+)).*\<(?:[a-zA-Z0-9\-\.]+\@(?(?!\2)([a-zA-Z0-9\-\_\.]+)))>.*' | awk ' /.*/ { print gensub(/^(.*)T=.*from(.*)$/, "\\1 \\2", "g"); }' | awk '{ print $8"  "$11"  "$14 }' | tr -d '[' | tr -d ']' | sed 's/A=login://g' | tr -d '<' | tr -d '>' |  more

This should return: IP emailuser fromemail


Code:
cat /var/log/exim/mainlog | grep -P '.*\[(\d+\.\d+\.\d+\.\d+)\].*A\=login\:(?:[a-zA-Z0-9\-\_\.]+\@([a-zA-Z0-9\-\_\.]+)).*\<(?:[a-zA-Z0-9\-\.]+\@(?(?!\2)([a-zA-Z0-9\-\_\.]+)))>.*' | awk ' /.*/ { print gensub(/^(.*)T=.*from(.*)$/, "\\1 \\2", "g"); }' | awk '{ print $8 }' | tr -d '[' | tr -d ']' | sort | uniq -c | awk ' { if ($1 > 3000 ) print $2  }' | more

This string should return IP addresses only if there are more than 3000 matches, to prevent false positives, so you can | xargs whatever to ban the IP address. (The sort before uniq -c is needed: uniq only counts adjacent duplicate lines.)

This string doesn't work with system users.

I don't know what kind of firewall you use, but I will post a new string for the CSF firewall to bypass the security fail in exim.conf.
 
I don't know what kind of firewall you use, but I will post a new string for the CSF firewall to bypass the security fail in exim.conf.
If there's a security issue in the exim.conf file please let me know so I can get it fixed.

Thanks.

Jeff
 

I know how to get the IP address; the problem is that the IP address, as you can see in the log, is 127.0.0.1.

My problem is: where did this email come from! It's like a ghost trying to reach an email account, it's like a bounce sent from a ghost; it has no originating point. There is no serial that matches so I can trace where the email began and who wrote that mail. The only thing I know is it's under a domain, but I only get a serial like you can see in the log and a 127.0.0.1 IP, and that is spam generated by a hacker. I have no idea how this hacker creates this email and I have no way to trace it back in the logs!

Jeff, I think this is a serious thing.

To put it clearly: a hacker sends a lot of mails using a client domain, but I have no way to know how he creates the mails because the serials in the mainlog don't show me anything other than what it is, so I can't find out how this guy wrote the mail and sent it through my mail server. I don't know how he authenticates, I don't know why my server sends FROM @terra.com.br, and I had to change in the conf the part * * F,2h,15m; G,16h,1h,1.5; F,1d,8h to 1 day at the end, because this hacker sends a serious amount of mails and the mail server is processing them, because I can't list the directory /var/spool/exim/input as it has millions of files.
 
Did you remove the 127.0.0.1 as an authorized relay in exim.conf? While it may break some php programs sending email, it will offer better security.

We leave it by default because of legacy issues; many programs need it. But if you need to remove it, then remove it, and restart exim.

If you're using the latest Version of my SpamBlocker powered exim.conf file for DirectAdmin, Version 4.1 (or 4), then look for #EDIT#16.

Jeff
 
Ya, I noticed that would happen because I haven't found yet how to make grep -P return only the () that match...

Actually your problem looks much more like a .sendme.php script hiding somewhere in one of your web accounts...

You can still add [email protected] to the blacklist_senders file, or even block the domain terra.com.br; that will give you time to find where it comes from so your server doesn't get flagged as a spammer.

let me see your log structure by doing this

cat /var/log/exim/mainlog | grep "A=login:" | head -n 10

mainlog or mainlog.1 ... I'm just assuming the log file.
And then try this too:

cat /var/log/exim/mainlog | grep "A=login:" | grep "[email protected]" | head -n 10


and finally this

An alternative to grep that seems to be good; try this and let me know:

Code:
cat /var/log/exim/mainlog | perl -nle 'print "$1\t$2\t$3" if /.*\[(\d+\.\d+\.\d+\.\d+)\].*A\=login\:(?:[a-zA-Z0-9\-\_\.]+\@([a-zA-Z0-9\-\_\.]+)).*from\s\<(?:[a-zA-Z0-9\-\.]+\@(?(?!\2)([a-zA-Z0-9\-\_\.]+)))>.*/'

Post those results please.

If nothing is returned, probably no auth is used to send email, so it must be a hidden script on your server, and since it is localhost there is no need to use authentication, depending on your exim.conf.

thanks
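An added example, not one of Nerigal's strings or anything else from the thread: a portable awk version of the login-domain versus sender-domain check and the per-IP threshold from the earlier post, plus a report of locally injected mail grouped by the Unix user Exim records in U=, which is the lead the 127.0.0.1 question above was missing. The log lines, hosts, IPs and domains in it are constructed.

```sh
#!/bin/sh
# Added example, not code from the thread: portable awk versions of the
# "login domain vs. sender domain" check and the per-IP threshold, plus a
# report of locally injected mail (P=local, no A=) grouped by Unix user.
# SAMPLE_LOG is constructed; hosts, IPs and domains are made-up values.
SAMPLE_LOG='2011-04-17 10:00:01 1QBa01-000101-Aa <= alice@hosted.example H=(pc) [203.0.113.10] P=esmtpa A=login:alice@hosted.example S=2100 T="hello" from <alice@hosted.example> for bob@else.example
2011-04-17 10:00:02 1QBa02-000102-Bb <= roberta@phish.example H=(pc) [198.51.100.7] P=esmtpa A=login:carol@hosted.example S=9000 T="offer" from <roberta@phish.example> for v1@else.example
2011-04-17 10:00:03 1QBa03-000103-Cc <= roberta@phish.example H=(pc) [198.51.100.7] P=esmtpa A=login:carol@hosted.example S=9000 T="offer" from <roberta@phish.example> for v2@else.example
2011-04-17 10:00:04 1QBa04-000104-Dd <= root@srv.example H=localhost [127.0.0.1] P=esmtpa A=login:root S=500 T="cron" from <root@srv.example> for admin@hosted.example
2011-04-17 10:00:05 1QBa05-000105-Ee <= roberta@phish.example U=apache P=local S=7000 T="offer" from <roberta@phish.example> for v3@else.example
2011-04-17 10:00:06 1QBa06-000106-Ff <= <> R=1QBa05-000105-Ee U=mail P=local S=8032 T="Mail delivery failed" from <> for roberta@phish.example'

# Read mainlog lines on stdin; print "ip login senderdomain" for every
# authenticated message whose envelope sender domain is not the login's
# domain. System-user logins (no "@") have no domain to compare, so they
# are listed with domain "-" for manual review instead of being dropped.
spoofed_senders() {
  awk '
    /A=login:/ {
      match($0, /A=login:[^ ]+/); login = substr($0, RSTART + 8, RLENGTH - 8)
      ip = "-"
      if (match($0, /\[[0-9.]+\]/)) ip = substr($0, RSTART + 1, RLENGTH - 2)
      if (!match($0, /from <[^>]*>/)) next
      sender = substr($0, RSTART + 6, RLENGTH - 7)
      sdom = (split(sender, sp, "@") == 2) ? tolower(sp[2]) : "-"
      ldom = (split(login, lp, "@") == 2) ? tolower(lp[2]) : "-"
      if (sdom != ldom) printf "%s %s %s\n", ip, login, sdom
    }'
}

# Print "ip count" for client IPs with at least $1 mismatches (the thread
# used 3000 as its threshold); counting is done after grouping, so it does
# not depend on the matching lines being adjacent in the log.
noisy_ips() {
  spoofed_senders | awk -v min="$1" '
    { n[$1]++ } END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }' |
    sort -k2,2nr
}

# Print "unixuser senderdomain count" for mail injected on the box itself
# without SMTP authentication. Exim records the submitting account in U=,
# which is the lead a hidden web script leaves when the client IP is only
# 127.0.0.1; bounces show up as user "mail" with an empty sender "<>".
local_injections() {
  awk '
    /P=local/ && !/ A=[^ :]+:/ {
      user = "-"
      if (match($0, /U=[^ ]+/)) user = substr($0, RSTART + 2, RLENGTH - 2)
      if (!match($0, /from <[^>]*>/)) next
      sender = substr($0, RSTART + 6, RLENGTH - 7)
      sdom = (split(sender, sp, "@") == 2) ? tolower(sp[2]) : "<>"
      n[user " " sdom]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

# On a live server feed the functions with: cat /var/log/exim/mainlog | ...
printf '%s\n' "$SAMPLE_LOG" | spoofed_senders
printf '%s\n' "$SAMPLE_LOG" | noisy_ips 2
printf '%s\n' "$SAMPLE_LOG" | local_injections
```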
 
And btw, with this string I got the best surprise, which further caught hacked accounts that would send email from my server as a relay... I found some of my clients (some jerk) traded/sold or whatever their auth access to other businesses that have nothing to do with the hosting company that I work for.... awesome
 
Or used an easily guessed password, or got hacked, or had his email login credentials sniffed somewhere on the Internet, while it was being sent from his local machine to your server.

Never assume criminal activity when simple incompetence will do.

Jeff
 

When I see some email account being created in the control panel like [email protected], and then after that I can see this user [email protected] in the Exim log with different From domains... harder to pretend it is incompetence or a mistake...
 
Hi everyone, here are some updates.

This is probably the best way to explain what I was looking for.

Code:
acl_check_message:

  # hosts = @[] matches only connections from this server's own IP addresses
  deny message = Illegal FROM address domain
    hosts = @[]
    condition = ${if or {\
      {!match_domain{${domain:$rh_From:}}{+local_domains}}\
      {!match_domain{$sender_address_domain}{+local_domains}}\
      }{yes}{no}}

Currently running it and it works great.
 
Hello Nerigal,
Thank you for the update; unfortunately it's not working for me. Did you assign acl_check_message to the acl_smtp_data section? This is my exim.conf code:

Code:
acl_smtp_data = check_message

[...]

check_message:
  deny message = Spoof detected. Illegal FROM address domain
    hosts = @[]
    condition = ${if or {\
      {!match_domain{${domain:$rh_From:}}{+local_domains}}\
      {!match_domain{$sender_address_domain}{+local_domains}}\
      }{yes}{no}}


Is it correct? Thank you!
 
Um, no, you should have this in the exim.conf:

Code:
acl_smtp_connect = acl_connect
acl_smtp_helo = acl_check_helo
acl_smtp_rcpt = acl_check_recipient
acl_smtp_data = acl_check_message


and then at the

Code:
acl_check_message:

  # custom rule: email can only be sent by local domains
  # hosts = @[] matches only connections from this server's own IP addresses
  deny message = Spoof detected. Illegal FROM address domain
    hosts = @[]
    condition = ${if or {\
      {!match_domain{${domain:$rh_From:}}{+local_domains}}\
      {!match_domain{$sender_address_domain}{+local_domains}}\
      }{yes}{no}}

Note: you may need to exclude some domains in particular cases. Example: if you have a hosted website that uses another company for email but they use their hosting service to send mailing lists... it will fail with this rule because their domain is not present in local_domains.

So in this case you can do the following:

Code:
# make a new white list file
touch /etc/virtual/whitelist_senders_domains
chown mail:mail /etc/virtual/whitelist_senders_domains
chmod 644 /etc/virtual/whitelist_senders_domains

# back up your exim.conf before modification, with the current date, CAN style :)
cp /etc/exim.conf /etc/exim.conf-$(date '+%Y-%m-%d')

# now you can do:
vi /etc/exim.conf
# find the "domainlist" section and add this line
domainlist whitelist_senders_domains = lsearch;/etc/virtual/whitelist_senders_domains : lsearch;/etc/virtual/domains

# OR, at your own risk, append it after the use_rbl_domains line in one go
sed -i -e '/domainlist use_rbl_domains = lsearch;\/etc\/virtual\/use_rbl_domains/a domainlist whitelist_senders_domains = lsearch;/etc/virtual/whitelist_senders_domains : lsearch;/etc/virtual/domains' /etc/exim.conf

# the point of doing this is to match both the domains you add in the file /etc/virtual/whitelist_senders_domains and the whole local domain tree from /etc/virtual/domains

# and then replace +local_domains in the rule with +whitelist_senders_domains

:wq and restart exim.

This should do it.
 
And of course check logs over a week or so to make sure no server generated emails are affected by this rule.

Jeff
 
Thank you Nerigal for your reply and help, it's very appreciated.

I'm not an Exim guru but, if I understood, in exim.conf you can bind a custom ACL to a particular email handling step. So when I write:

Code:
acl_smtp_data = this_is_my_acl

this_is_my_acl:
{some condition here..}

it means I want to define an ACL called this_is_my_acl and ask Exim to call it on step acl_smtp_data (at the end of the DATA SMTP dialog).
I see in your message:

Code:
acl_smtp_connect = acl_connect
acl_smtp_helo = acl_check_helo
acl_smtp_rcpt = acl_check_recipient

But I don't know the body of acl_connect, acl_check_helo and acl_check_recipient. Am I mistaken, or do I need some more pieces of your exim.conf?

Thank you!
Andrea
 

No, you cannot do it that way....
You cannot define new ACLs in exim.conf, but define rules that have to be executed when they are triggered.

The point of this is simple...
This means, for example:

Code:
acl_smtp_connect = acl_connect
acl_smtp_helo = acl_check_helo
acl_smtp_rcpt = acl_check_recipient
acl_smtp_data = acl_check_message

The rules of acl_smtp_data are not defined in the begin acl section because of the

acl_smtp_data = acl_check_message

So Exim still triggers acl_smtp_data but executes the same rule set as acl_check_message, and if you look in the exim.conf, acl_check_message has a definition in the conf file, and for the purpose of this custom rule we need Exim to trigger it in acl_check_message.

Happy this helps :)

And yes, jlasman is right: take a close look at the Exim log to make sure you don't have problems.
 
Sorry Nerigal,
perhaps I'm misunderstanding something or we're saying the same thing. I was calling "acl" that you call "rules".

Let's consider an example:

Code:
acl_smtp_connect = acl_connect


This means that when the acl_smtp_connect ACL is triggered, we ask Exim to execute the rule acl_connect. Is that correct?
If it's correct, my previous question was related to the fact that you pasted only the acl_check_message rule body, but we don't know anything about acl_connect, acl_check_helo and acl_check_recipient.

Your code is not working on my Exim installation, so I supposed the root cause was some missing piece.

Thank you!
 