using SMTP_VRFY through exim?

nikdahl

Hey guys,

We use this spam filter called ModusGate (pretty good product, very efficient at cutting down the spam, but it could use more logging/search features and allow more customization).

The problem is that it uses a per-user license. So for this reason, I need to have it verify that the addresses it is receiving mail for are verified with the DA server prior to creating an account on the ModusGate server for the address. It can use SMTP or SMTP_VRFY. Right now, I have a domain set up using SMTP_VRFY, and it is creating accounts for all incoming emails, which means that all the dictionary attacks that spammers use are using up user licenses.

In any case, I was hoping one of you guys could help me set this up. The ModusGate documentation has the following to say on the subject. The specific mention of Exim leads me to believe that I'll need to play around with the ACLs in exim.conf. Lasman wrote that conf, so maybe he can chime in.


http://kb.vircom.com/Kbase/print.asp?id=1263&Lang=1&SID=
Product: ModusGate

Version & Build: All

ModusGate can be configured to work with most Unix-based and Windows MTA servers. This is achieved by using the forward lookup option (Automatically populate user list) found in the Console, under Connection - Properties - General. This setting establishes the type of communication that will be used between ModusGate and the mail and/or authentication server to determine if the recipient address exists on the local system or not:

  • If the response from the mail/authentication server is an invalid mailbox type error, Modus rejects the message and bounces it back to the sending server with a delivery failure report, thus providing security for your mail server and reducing its load at the same time.
  • If the address does exist, Modus accepts the message for processing and sends it to the mail server for local delivery (assuming it's not quarantined or deleted because of content, based on ModusGate's settings)
  • If there is no specific invalid mailbox response from the mail server, the address is assumed to be good and is accepted and processed by Modus

This latter behavior often occurs when using a simple SMTP connection for the forward lookup and it depends entirely on how the mail server itself handles invalid addresses. The downside to this behavior is that mailboxes for invalid names are automatically created on the ModusGate server and counted towards your licensed user limit.

To prevent this from happening, it is recommended that you use one of the other selections such as SMTP_VRFY or OpenLDAP, if your server and/or network configuration supports the use of these options. For example, most mail servers do not natively support SMTP_VRFY but some can be tweaked to accept it (e.g. by making a change in the Registry). To find out if your mail server can use this option, please consult your product manual and/or website for configuration details. NOTE: For information about Exim server configuration, go to http://www.exim.org/

The following is a list of available forward lookup or authentication options. The one you should use depends on what your mail server is able to support:

SMTP: This provides no authentication (see above). It simply allows a straight SMTP connection between ModusGate and the mail server and relies on the mail server itself to reject messages sent to invalid addresses. Use this setting only if the mail server does not support one of the other authentication options. Otherwise, consider using Disabled (see below).

SMTP_VRFY: Use this setting only if the mail server supports it (possibly by making a change in the Registry - consult your mail server documentation for configuration details)

Exchange 2000+: Can only be used with Exchange 2000, 2003 servers

Exchange 5.5: Can only be used with Exchange 5.5 servers

Lotus Domino: Can only be used with Lotus servers

Open LDAP: This is the recommended method for most mail servers that support LDAP (excluding Exchange and Lotus)

Disabled: This can be used if one of the above settings is not a viable option and if the SMTP connection does not provide enough security for your system. This setting turns off the automatic mailbox creation and requires that you manually enter the valid user names in the Users panel of the ModusGate Console. While it requires more work to set up, it offers protection from abuse for both the ModusGate and the mail server by limiting the permitted mail to only the addresses specified.
 
Good sysadmins don't recommend allowing smtp_vrfy because spammers can use it to easily create lists of good email addresses on your server by simply using a dictionary attack with smtp_vrfy.

From documentation found here:
When Exim receives a VRFY or EXPN command on a TCP/IP connection, it runs the ACL specified by acl_smtp_vrfy or acl_smtp_expn (as appropriate) in order to decide whether the command should be accepted or not. If no ACL is defined, the command is rejected.

When VRFY is accepted, it runs exactly the same code as when Exim is called with the -bv option.

So it appears you can write your own to allow it based on the IP# of your query.

Jeff
 
I guess the problem is that I don't know how to create an ACL.

The exim.conf you create has an ACL section to check recipient. Do I need to add a new "begin acl"?
Code:
begin acl
vrfy_acl:
accept hosts = /etc/smtpvrfy.hosts

Then assuming the smtpvrfy.hosts reads like a regular hosts list, I would just need to add the acl_smtp_vrfy = vrfy_acl ....right?
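
Put together, the setup discussed in this thread could look like the fragment below. It is an added example, not configuration from the thread or from the DirectAdmin exim.conf; the ACL name acl_check_vrfy and the address 192.0.2.10 (standing in for the ModusGate server) are assumptions. No second "begin acl" line is added, because the new ACL goes inside the ACL section the file already has.

```conf
# Added example, not from the thread. Assumed values: the ACL name
# acl_check_vrfy and 192.0.2.10 as a placeholder for the ModusGate host.

# --- Main configuration section (top of exim.conf, before the first "begin") ---
# Names the ACL that Exim runs for every VRFY command.
# With this option unset, VRFY is rejected for everyone.
acl_smtp_vrfy = acl_check_vrfy

# --- ACL section: place under the "begin acl" line already in the file ---
acl_check_vrfy:
  # Only hosts listed in the file may ask Exim to verify an address.
  # An absolute path in a host list is read as one list item per line.
  accept  hosts = /etc/smtpvrfy.hosts

  # Every other host is refused, so a dictionary run against VRFY from
  # outside learns nothing about which mailboxes exist.
  deny    message = VRFY not permitted

# --- Contents of /etc/smtpvrfy.hosts (separate file, shown here as a comment) ---
# 192.0.2.10
```

To check the result without sending mail, `exim -bh 192.0.2.10` runs a simulated SMTP session as if from that address, so VRFY can be typed by hand to see the ACL decision; `exim -bv` followed by an address shows the verification result that an accepted VRFY reports.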
 