
v.augustin at multiartstudio
May 2, 2002, 9:57 AM
Post #1 of 2
my server is used as an open relay, need help
Hi out there,

I need some help with my configuration of Exim 4. I checked the internet, but now I'm more confused than before... I'm an absolute beginner in mail... Working nights on compiling Exim 4 and setting up a working configuration with Exim 4, Postgres and Courier-IMAP... It's working now! (very happy :)) But now my problem is... my server was... or is still used as an open relay, and I see the spam in the logfile...

Can anybody help me with how to set up ACLs or authentication that denies relaying over my SMTP host? I'm hosting some domains on it, and have some MX entries to a fixed IP... (I got five IPs and Exim is working fine with just one of them :)

OK, what I want to do is check the sender against his HELO name ($sender_helo_name) listed in my domain table in the Postgres database... Authentication with SMTP is working fine with these conditions... but I don't know exactly how ACLs work.... Can anybody help me? Could someone send me a sample ACL? That would be great :)

Especially I got the problem that most parts of the exim4 spec are using invalid syntax... and unknown keywords (? I tried them out but still got errors with most of them). I appended my exim4 config to the mail. I will try; this is my first posting to the list....

...working hard...
volker

--

#### etc/configure for exim4 #####

###make connection to postgres
hide pgsql_servers = localhost::PORT/DATABASE/USER/PASSWD

#i dont need this, i think so :), my default hostname is fine :)
#primary_hostname = tomcat.mydomain.de

####looking up my domains in a postgres database... yeah i need 5 days till i know how to do so....
domainlist local_domains = @:${lookup pgsql{SELECT domain FROM domain WHERE aktiv=1 and localdomain=0}{$value}fail}
domainlist relay_to_domains = *
hostlist relay_from_hosts = 127.0.0.1

acl_smtp_rcpt = acl_check_rcpt
###thats cool.... lol

#host_reject_connection = *
# qualify_domain =
# qualify_recipient =
# allow_domain_literals

###has no effect....:
tls_certificate = /home/Exim/etc/ca.crt
tls_privatekey = /home/Exim/etc/ca.key
tls_verify_hosts = *
###doesnt work for exim4! hmpf!!!
#tls_verify_ciphers = DES-CB3-SHA:IDEA-CBC-MD5
#auth_over_tls_hosts = *

never_users = root
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 30s
# sender_unqualified_hosts =
# recipient_unqualified_hosts =
# percent_hack_domains =
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d

######ACL#######
begin acl

acl_check_rcpt:
####oh oh what does all this mean? i figured out some conditions ... , they are working....hmmmm, but i dont know exactly what they will really do....(???????)
# trying to verify sender and set up a condition, but relaying is still possible :((
  accept hosts = :

  deny local_parts = ^.*[@%!/|]

  require condition = "${if and { \
      {!eq{$sender_helo_name}{}} \
      {!eq{$domain}{}} \
      {eq{$sender_helo_name}{${lookup pgsql{SELECT domain FROM domain WHERE domain='$sender_helo_name' limit 1}{$value}fail}}} \
      } {yes}{no}}"

  accept local_parts = postmaster
         domains = +local_domains

  require verify = sender

# trying to verify sender and set up a condition, but relaying is still possible :((
  accept domains = +local_domains
         endpass
         message = unknown user
         verify = sender : recipient

  require condition = "${if and { \
      {!eq{$sender_helo_name}{}} \
      {!eq{$domain}{}} \
      {eq{$sender_helo_name}{${lookup pgsql{SELECT domain FROM domain WHERE domain='$sender_helo_name' limit 1}{$value}fail}}} \
      } {yes}{no}}"

# trying to verify sender and set up a condition, but relaying is still possible :((
  accept domains = +relay_to_domains

  require condition = "${if and { \
      {!eq{$sender_helo_name}{}} \
      {!eq{$domain}{}} \
      {eq{$sender_helo_name}{${lookup pgsql{SELECT domain FROM domain WHERE domain='$sender_helo_name' limit 1}{$value}fail}}} \
      } {yes}{no}}"
#         endpass
#         message = unrouteable address
#         verify = recipient : sender

#hmmmm... is this my problem? i try all my acl with auth-smtp with netscape, but in the logfiles i see a lot of relaying mails
  accept authenticated = *

# trying to verify sender and set up a condition, but relaying is still possible :((
  accept hosts = +relay_from_hosts
#         senders = mydomain@anotherhostwithanothersmt\.de
#  require condition = "${if and { \
#      {!eq{$sender_helo_name}{}} \
#      {!eq{$domain}{}} \
#      {eq{$sender_helo_name}{${lookup pgsql{SELECT domain FROM domain WHERE domain='$sender_helo_name' limit 1}{$value}fail}}} \
#      } {yes}{no}}"

  deny message = relay not permitted

########ROUTERS########
begin routers

###the system aliases....it seems that i should not delete this section? hmmm....
system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup{$local_part}lsearch{/etc/aliases}}
  user = exim
  file_transport = address_file
  pipe_transport = address_pipe

####disabled for now!
#userforward:
#  driver = redirect
#  check_local_user
#  file = $home/.forward
#  no_verify
#  no_expn
#  check_ancestor
## allow_filter
#  file_transport = address_file
#  pipe_transport = address_pipe
#  reply_transport = address_reply

###for local-users with shell account
localuser:
  driver = accept
  domains = @
  check_local_user
  transport = local_delivery

###ok , working fine, im looking for local domains with a registered mailbox account in the database
virtual_known_local_user:
  driver = accept
  domains = ${lookup pgsql {select domain from domain where domain='$domain' and id=(select domain_id from account where name='$local_part' and domain_id=(select id from domain where domain='$domain' and aktiv=1 and localdomain=0) and aktiv=1 and is_alias=0) and aktiv=1 and localdomain=0}{$value}fail}
  transport = virtual_delivery

###this is working fine if the rcpt is to a local domain, but not in the database now...
######this is only because im just figuring out how to manage aliases with postgres ;)
virtual_local_user:
  driver = accept
  domains = ${lookup pgsql {select domain from domain where domain='$domain' and aktiv=1 and localdomain=0 limit 1}{$value}fail}
  transport = virtual_delivery

###i think thats ok
dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more

#######TRANSPORTS########
begin transports

remote_smtp:
  driver = smtp
###do i need some acls here?
###what the hell is the syntax for exim 4??????

#mail for local users delivered into a maildir
local_delivery:
  driver = appendfile
  create_directory = true
  directory_mode = 700
  directory = /home/2nd/spool/Maildir/.localhost/${local_part}/
  user = exim
  group = $local_part
  maildir_format
  mode = 0660
  delivery_date_add
  envelope_to_add
  return_path_add

virtual_delivery:
  driver = appendfile
  create_directory = true
  directory_mode = 700
  directory = /home/2nd/spool/Maildir/.virtual/${domain}/${local_part}/
  user = exim
  group = exim
  maildir_format
  mode = 0660
  delivery_date_add
  envelope_to_add
  return_path_add

address_pipe:
  driver = pipe
  return_output

address_file:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add

address_reply:
  driver = autoreply

######################################################################
#                      RETRY CONFIGURATION                           #
######################################################################
begin retry

# This single retry rule applies to all domains and all errors. It specifies
# retries every 15 minutes for 2 hours, then increasing retry intervals,
# starting at 1 hour and increasing each time by a factor of 1.5, up to 16
# hours, then retries every 6 hours until 4 days have passed since the first
# failed delivery.

# Domain               Error       Retries
# ------               -----       -------
*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h

######################################################################
#                      REWRITE CONFIGURATION                         #
######################################################################
# There are no rewriting specifications in this default configuration file.
begin rewrite
#no rewrites for now....

######################################################################
#                   AUTHENTICATION CONFIGURATION                     #
######################################################################
# There are no authenticator specifications in this default configuration file.
begin authenticators

###this fixed plaintext-authentication is working fine with netscape :)
#plain_fixed:
#  driver = plaintext
#  public_name = PLAIN
#  client_send = \
#    "^username^password"
#  server_condition = \
#    ${if and {{eq{$2}{send}}{eq{$3}{mail}}}{yes}{no}}

###this postgres-based plaintext-authentication is working fine with netscape :)
db_plain_auth:
  driver = plaintext
  public_name = PLAIN
  client_send = \
    "^username^password"
  server_condition = "${if and { \
      {!eq{$2}{}} \
      {!eq{$3}{}} \
      {eq{$3}{${lookup pgsql{SELECT passwd FROM account WHERE account='$2' limit 1}{$value}fail}}} \
      } {yes}{no}}"

### i didnt test the md5-section , just wrote it in
md5_fixed:
  driver = cram_md5
  public_name = CRAM-MD5
#here i am using 'send' and 'mail' as user and password ;-)
  client_name = "send"
  client_secret = "mail"

### i didnt test the login-section
login_fixed:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "User Name : Password"
  client_send = \
    "^username^password"
#here i am using 'send' and 'mail' as user and password ;-)
  server_condition = \
    ${if and {{eq{$1}{send}}{eq{$2}{mail}}}{yes}{no}}

# End of Exim configuration file
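The following RCPT ACL is an added example and is not part of the original post. Two things in the posted configuration let third parties relay: `domainlist relay_to_domains = *` makes `accept domains = +relay_to_domains` match every recipient domain, and the `require condition` guards do not hold when the HELO name is not in the table, because a `${lookup ...}{$value}fail}` that fails forces the whole expansion to fail, and Exim documents that a forced-failed `condition` is ignored rather than treated as false. The HELO name is also chosen by the connecting client, so matching it against the domain table cannot establish who is connecting; the reliable relay criteria are an explicit host list and SMTP AUTH, which the post says is already working. The example keeps the posted `pgsql_servers` and `domain` table and the posted `db_plain_auth` authenticator as assumptions; `secondary-mx-customer.example` is a placeholder for a domain you actually agree to forward for.

```exim
# Added example (not from the original post). Assumes the posted
# 'hide pgsql_servers = ...' line, the posted 'domain' table, and the
# posted 'db_plain_auth' authenticator are present.

domainlist local_domains    = @ : ${lookup pgsql{SELECT domain FROM domain WHERE aktiv=1 AND localdomain=0}{$value}fail}

# Only domains you knowingly forward for (e.g. as secondary MX).
# Placeholder value; never '*', which matches every domain.
domainlist relay_to_domains = secondary-mx-customer.example

# Hosts allowed to relay without authenticating: your own machines only.
hostlist   relay_from_hosts = 127.0.0.1

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Messages submitted locally (not over TCP/IP).
  accept  hosts         = :

  # Refuse local parts containing source-routing or shell characters.
  deny    local_parts   = ^.*[@%!/|]

  # postmaster at our own domains is always accepted.
  accept  local_parts   = postmaster
          domains       = +local_domains

  # Sender must be verifiable for everything below.
  require verify        = sender

  # Mail for our own domains: accept only if the recipient routes.
  accept  domains       = +local_domains
          endpass
          message       = unknown user
          verify        = recipient

  # Mail for the explicit list of domains we relay for.
  accept  domains       = +relay_to_domains
          endpass
          message       = unrouteable address
          verify        = recipient

  # Relaying to any other domain: trusted hosts or authenticated clients only.
  accept  hosts         = +relay_from_hosts
  accept  authenticated = *

  # Everything else is a third-party relay attempt.
  deny    message       = relay not permitted
```

If you still want the HELO-versus-database lookup for logging or for a later, non-relay check, Exim's documented way to put a client-supplied value into a pgsql query is `${quote_pgsql:$sender_helo_name}` rather than inserting `$sender_helo_name` directly. After changing the ACL, `exim -bh <ip-address>` lets you run a simulated SMTP session from a given address and watch which ACL statement accepts or denies each RCPT, without sending any mail.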