Turn off open relay to local users

hky123

Hello,
I am using DA on several mail servers. Now the problem is, if you monitor exim: if any local user on the exim server sends a mail to any other local user on the same server, then he doesn't require authentication to send that mail, since both the domains, i.e. sender and receiver, are there in the /etc/virtual/domains file. Now I want these local users to also be authenticated first and only then be able to send a mail.

Can anyone please let me know how I should turn off this open relay to local users without authentication?

Regards,
Harshal.
 
Search this line in your /etc/exim.conf file...
Code:
hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts : 127.0.0.1
...and remove " : 127.0.0.1" from it.

I suggest you don't do this, because it will require any local SMTP script/application (PHP, directadmin itself and anything else sending emails) to use SMTP authentication or /usr/sbin/sendmail instead.
If any software happens to have only unauthenticated SMTP delivery, you are stuck.

If you are willing to test it out and check the logs to see what's blocked and what software needs alternative setting, please write it down and report here so that everyone knows.

EDIT: what I just described is closing relay for localhost unless authenticated, but what you asked is also to require authentication for non-relay delivery (local domain to local domain). This won't work, because the SMTP protocol requires any delivery to local domains to be open.
If you want to have local domain to local domain on localhost authenticated, you will have to modify exim.conf a lot and probably go off-RFC.
Relay means external domain to external domain, or local domain to external domain (i.e. external delivery).
 
You are saying it will be against RFC standards, but the problem we are facing is that we have recently received a bulk of spam mails in which the spammer has used our local users to send the spam mails. That means in those mails the from ID and the recipient ID were the same, i.e. users of our server.

So any spammer who has some knowledge of the exim MTA can send a bulk of spam mails using our server and will send the spam to local users on the server, provided he has the email IDs and the outgoing SMTP server to be used.

So does anyone have a thought on it?

Regards,
Harshal.
 
There are two possibilities for spam that goes to a local domain from a (spoofed) local domain:

- it comes from an external source through SMTP; solution: using SPF and SpamAssassin, your server will know that the email doesn't come from the correct SMTP server and will flag it as spam (that you can delete automatically); you could block SMTP delivery on an external address from local domain to local domain, but that brings up different problems (and, again, is not RFC)

- it comes from a local script or application using local SMTP or sendmail, probably an injection vulnerability in a PHP script; solution: find the guilty script and fix it

To know if it's the first or second case just watch the email headers and see if the message started from your SMTP server or someone else's.

From your first post I thought you were trying to block emails from a legit user on a local domain, not generic spam from spoofed local domain.
If you want help it's always better to describe your problem in every detail instead of asking how to do something in particular to achieve what you think is best to solve the problem. It almost never is :)

Now that I know that you are trying to stop spam, may I suggest searching on this forum about "greylist". It's a great method to stop 90-95% (from my stats) of the spam, will work perfectly in the first case.
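
The header check described in the post above, as an added example that is not part of the original thread: it reads the Received: header stamped by your own Exim and reports whether the message entered over SMTP from another host, over SMTP from localhost, or as a local non-SMTP submission. The hostname server.example.com, the abbreviated sample messages and the function name are constructed, and it assumes the server adds a single Received: header per message.

```python
import email
import re
# Exim ends "by <host> with <protocol>" with the receive protocol: "local" is a
# non-SMTP submission (e.g. /usr/sbin/sendmail); esmtpa/esmtpsa is SMTP AUTH.
RECEIVED_RE = re.compile(
    r"from\s+(?P<src>\S+)(?:\s+\((?P<detail>[^)]*)\))?"
    r"\s+by\s+(?P<by>\S+)(?:\s+with\s+(?P<proto>\S+))?")
LOOPBACK_RE = re.compile(r"\[(?:127\.0\.0\.1|::1)\]")

def classify_origin(raw_message, my_hostname):
    """Return (category, source) for the hop where the mail entered my_hostname."""
    msg = email.message_from_string(raw_message)
    # Headers are prepended, so the top-most one stamped by our host is ours;
    # anything below it was supplied by the sender and is not trusted.
    for header in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(header.split()))  # unfold the header
        if not m or m.group("by").lower() != my_hostname.lower():
            continue
        proto = (m.group("proto") or "").lower()
        where = "%s %s" % (m.group("src"), m.group("detail") or "")
        if proto == "local":
            return "local-submission", m.group("src")
        if proto in ("esmtpa", "esmtpsa"):
            return "authenticated-smtp", m.group("src")
        if LOOPBACK_RE.search(where):
            return "local-smtp", m.group("src")
        return "external-smtp", m.group("src")
    return "unknown", None

# Constructed sample messages (hypothetical hosts, documentation IP range).
SPOOFED_EXTERNAL = """\
Received: from [203.0.113.45] (helo=mail.example.net)
\tby server.example.com with esmtp (Exim 4.63) id 1Hd0aa-0001Ab-Cd
From: alice@example.com
To: alice@example.com

body
"""
LOCAL_SCRIPT = """\
Received: from apache by server.example.com with local (Exim 4.63)
\tid 1Hd0ab-0001Ae-Fg for bob@example.com
From: alice@example.com
To: bob@example.com

body
"""
for sample in (SPOOFED_EXTERNAL, LOCAL_SCRIPT):
    print(classify_origin(sample, "server.example.com"))
```

A `local-submission` or `local-smtp` result points at the second case (a script or application on the server); `external-smtp` points at the first.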
 
Another way it could happen is if you're using SpamBlocker and you've added local domains to the /etc/virtual/whitelist_domains files. You should NOT add local domains to the /etc/virtual/whitelist_domains file.

Jeff
 
You should add comments to the top of all the whitelist and blacklist files so we know what should or should not be in them.
 
I don't know if the files allow comments (in other words, if they know how to skip them).

Find out for me and let me know :) and I'll do that in my next release.

Jeff
 
reply

I tried this method and it does not function in exim4

Search this line in your /etc/exim.conf file...
Code:
hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts : 127.0.0.1
...and remove " : 127.0.0.1" from it.

I suggest you don't do this, because it will require any local SMTP script/application (PHP, directadmin itself and anything else sending emails) to use SMTP authentication or /usr/sbin/sendmail instead.
If any software happens to have only unauthenticated SMTP delivery, you are stuck.

If you are willing to test it out and check the logs to see what's blocked and what software needs alternative setting, please write it down and report here so that everyone knows.

EDIT: what I just described is closing relay for localhost unless authenticated, but what you asked is also to require authentication for non-relay delivery (local domain to local domain). This won't work, because the SMTP protocol requires any delivery to local domains to be open.
If you want to have local domain to local domain on localhost authenticated, you will have to modify exim.conf a lot and probably go off-RFC.
Relay means external domain to external domain, or local domain to external domain (i.e. external delivery).
 
What exactly does not work? What exact error text do you see there?
If you're referring to the original post by the original poster, my understanding is that he's found that anyone who has an account on the local server can send email (including spam) to anyone else on that server, without logging in. He's calling that an open relay and doesn't want his local users to be able to send email to other local users without authenticating first.

He calls that relaying but it's not, it's local delivery. I've explained several times in several threads over the past few days that it's not relaying and there's no way to stop any user, local or not, from sending email to his server without authenticating, because he probably wants his local users to be able to get email, and if he blocks unauthenticated users then no one on his server will be able to get email from anyone.

Thinking about it, I suppose there could be a way to block email from domains on the server to send email to any email address on the server, but the only way I see to do that is by domain name, and then a local user who uses an external email server for some reason (for example when using external reseller accounts for domain registration and the like) could never send email back to anyone using the server.

While it may be possible, there's no way I'm going to implement it, since it can easily block wanted email. You can try if you want :).

Note I've started closing threads on this topic and probably will continue to do so; they're wasting a lot of time for a lot of forum members.

Jeff
 