
Mailing List Archive: exim: users

acl question



jeff at cetlink

Dec 6, 2002, 8:07 AM

Post #1 of 29 (3017 views)
acl question

In exim 4.10, is it possible to do something like this?

deny sender_domains = aol.com
message = X-Forgery: NOT AN AOL MAILER ($h_X-Mailer)
condition = ${if match {$h_X-Mailer:}{.*[Aa][Oo][Ll].*} {no}{yes}}

I'd like to somehow harvest the X-Mailer in these messages.

Thanks,
Jeff

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.423 / Virus Database: 238 - Release Date: 11/25/2002


eximlists at humph

Dec 6, 2002, 8:25 AM

Post #2 of 29 (2976 views)
Re: acl question [In reply to]

At 10:07 -0500 2002/12/06, Jeffrey Wheat wrote:
>In exim 4.10, it is possible to do something like this?
>
>deny sender_domains = aol.com
> message = X-Forgery: NOT AN AOL MAILER ($h_X-Mailer)
> condition = ${if match
>{$h_X-Mailer:}{.*[Aa][Oo][Ll].*} {no}{yes}}
>
>I'd like to somehow harvest the X-Mailer in these messages.
>

since this can only be done after the DATA phase, why not instead
check that the server is indeed in the aol domain? This can be done
in the RCPT phase and is thus more effective (in my humble opinion).

I am personally thinking of doing this check as default and only
spare addresses and domains that I know to be good (but I have just a
few users). There are many variations on this, but I would not
publicise them excessively, to be on the safe side. One check to be
done is certainly for senders that claim to be in your own domain, a
quite popular spammers' device.

Giuliano
--
H U M P H
|| |||
software

Java & C++ Server/Client/Human Interface applications on MacOS - MacOS X
http://www.humph.com/


timothy.arnold at becta

Jan 23, 2003, 4:46 AM

Post #3 of 29 (2983 views)
RE: Acl question [In reply to]

Sorry - I should have said more. With the below ACL it still allows anyone
to send to the server. Is this the right place to put it in ACL?

Is my mail sending fixed? Damn Outlook (feel free to recommend something
else!).

Thanks,
Tim.

-----Original Message-----
From: Nico Erfurth [mailto:masta [at] perlgolf]
Sent: 23 January 2003 11:27
To: Timothy Arnold
Cc: 'exim-users [at] exim'
Subject: Re: [Exim] Acl question


<rants>
1.) please don't send multipart messages to the list
2.) Please don't create 4 newlines, if one would be more than enough
</rants>

Timothy Arnold wrote:
> Hiya,
>
> I have a ACL question. I am trying to configure our mailing list
> server to only accept mail from localhost & our primary mailserver.
>
> I have a line in my acl
>
> Accept hosts = 127.0.0.1 : ip-of-primary
>
> But it doesn't seam to work ...

What doesn't work?
try exim -d -bh ip-of-your-primary

This will create a "fake"-smtp session from your primary-mx, and shows you
why it fails. If you don't understand the output, please post the
relevant parts here, including your acl-config.

Nico


**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.
This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.
www.mimesweeper.com
**********************************************************************


masta at perlgolf

Jan 23, 2003, 4:48 AM

Post #4 of 29 (2979 views)
Re: Acl question [In reply to]

Timothy Arnold wrote:
> Sorry - I should have said more. With the below ACL it still allows anyone
> to send to the server. Is this the right place to put it in ACL?

Maybe you should show your complete ACL? Sorry, but I don't have access
to your server, so I can't check it myself ;)

> Is my mail sending fixed? Damn Outlook (feel free to recommend something
> else!).

Looks better now. I prefer Mozilla and pine myself.

Nico


jpb at greencathedral

Jan 23, 2003, 4:52 AM

Post #5 of 29 (2989 views)
Re: Acl question [In reply to]

Timothy Arnold wrote:
> Sorry - I should have said more. With the below ACL it still allows
> anyone to send to the server.

Well, yes... You've told it to accept from those hosts. Have you told
it to deny from anywhere else ?
John


timothy.arnold at becta

Jan 23, 2003, 4:53 AM

Post #6 of 29 (2972 views)
RE: Acl question [In reply to]

Please correct me if I am wrong, but I thought that "accept hosts = :" meant
it would be accepted from anyone, and if you changed this value, it would
only accept mail from the hosts listed.

Tim.



timothy.arnold at becta

Jan 23, 2003, 4:56 AM

Post #7 of 29 (2996 views)
RE: Acl question [In reply to]

Here is the Acl - it is bog standard except for hosts allow.

acl_check_rcpt:

  # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
  # testing for an empty sending host field.

  accept hosts = 127.0.0.1 : 193.63.51.46

  # Deny if the local part contains @ or % or / or | or !. These are rarely
  # found in genuine local parts, but are often tried by people looking to
  # circumvent relaying restrictions.

  # Also deny if the local part starts with a dot. Empty components aren't
  # strictly legal in RFC 2822, but Exim allows them because this is common.
  # However, actually starting with a dot may cause trouble if the local part
  # is used as a file name (e.g. for a mailing list).

  deny local_parts = ^.*[@%!/|] : ^\\.

  # Accept mail to postmaster in any local domain, regardless of the source,
  # and without verifying the sender.

  accept local_parts = postmaster
         domains = +local_domains

  # Deny unless the sender address can be verified.

  require verify = sender

  ############################################################################
  # There are no checks on DNS "black" lists because the domains that contain
  # these lists are changing all the time. However, here are two examples of
  # how you could get Exim to perform a DNS black list lookup at this point.
  # The first one denies, while the second just warns.
  #
  # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
  #      dnslists = black.list.example
  #
  # warn message = X-Warning: $sender_host_address is in a black list at $dnslist_domain
  #      log_message = found in $dnslist_domain
  #      dnslists = black.list.example
  ############################################################################

  # Accept if the address is in a local domain, but only if the recipient can
  # be verified. Otherwise deny. The "endpass" line is the border between
  # passing on to the next ACL statement (if tests above it fail) or denying
  # access (if tests below it fail).

  accept domains = +local_domains
         endpass
         message = unknown user
         verify = recipient

  # Accept if the address is in a domain for which we are relaying, but again,
  # only if the recipient can be verified.

  accept domains = +relay_to_domains
         endpass
         message = unrouteable address
         verify = recipient

  # If control reaches this point, the domain is neither in +local_domains
  # nor in +relay_to_domains.

  # Accept if the message comes from one of the hosts for which we are an
  # outgoing relay. Recipient verification is omitted here, because in many
  # cases the clients are dumb MUAs that don't cope well with SMTP error
  # responses. If you are actually relaying out from MTAs, you should probably
  # add recipient verification here.

  accept hosts = +relay_from_hosts

  # Accept if the message arrived over an authenticated connection, from
  # any host. Again, these messages are usually from MUAs, so recipient
  # verification is omitted.

  accept authenticated = *

  # Reaching the end of the ACL causes a "deny", but we might as well give
  # an explicit message.

  deny message = relay not permitted



jpb at greencathedral

Jan 23, 2003, 5:08 AM

Post #8 of 29 (2996 views)
Re: Acl question [In reply to]

Timothy Arnold wrote:
> Please correct me if I am wrong but I thought that if you had "accept
> hosts = : " meant it would be accepted from anyone, and if you
> changed this value, it would only accept mail from the hosts listed
>
Well, from the ACL you sent to the list:
# Accept if the address is in a local domain, but only if the recipient can
# be verified. Otherwise deny. The "endpass" line is the border between
# passing on to the next ACL statement (if tests above it fail) or denying
# access (if tests below it fail).

As you can see, if an accept clause fails it then passes on to the
next clause unless you put an endpass statement in. So, even if the
accept hosts = <whatever> fails the processing passes to down the ACL
and any accepts later on that match will cause the mail to be
accepted.
John


masta at perlgolf

Jan 23, 2003, 5:08 AM

Post #9 of 29 (2979 views)
Re: Acl question [In reply to]

Timothy Arnold wrote:
> Here is the Acl - it is bog standard except for hosts allow.
>
> acl_check_rcpt:
>
> # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
> # testing for an empty sending host field.
>
> accept hosts = 127.0.0.1 : 193.63.51.46

This is BS and will prevent you from receiving mail via commandline. You
really should leave this option to accept hosts = :
See below....

> # Accept mail to postmaster in any local domain, regardless of the source,
> # and without verifying the sender.
>
> accept local_parts = postmaster
> domains = +local_domains

Please show the domainlist local_domains.

> # Accept if the message comes from one of the hosts for which we are an
> # outgoing relay. Recipient verification is omitted here, because in many
> # cases the clients are dumb MUAs that don't cope well with SMTP error
> # responses. If you are actually relaying out from MTAs, you should
> probably
> # add recipient verification here.
>
> accept hosts = +relay_from_hosts

Your primary mx should go into hostlist relay_from_hosts, how does it
look now?

Try if this helps, you also can try to run exim -d -bh 1.1.1.1 to see
why it allows an external IP to relay through the server (do you REALLY
mean it relays?)

Nico


timothy.arnold at becta

Jan 23, 2003, 6:45 AM

Post #10 of 29 (2989 views)
RE: Acl question [In reply to]

Here is what you requested:

domainlist local_domains = @ : lists.ngfl.gov.uk
hostlist relay_from_hosts = 127.0.0.1 : 193.63.51.0/24

I basically need to accept mail from internal people (193.63.51.64/26) but
reject any mail coming from outside.

Regards,
Tim.




masta at perlgolf

Jan 23, 2003, 6:53 AM

Post #11 of 29 (2981 views)
Re: Acl question [In reply to]

Timothy Arnold wrote:
> Here is what you requested:
>
> domainlist local_domains = @ : lists.ngfl.gov.uk
> hostlist relay_from_hosts = 127.0.0.1 : 193.63.51.0/24
>
> I basically need to accept mail from internal people (193.63.51.64/26) but
> reject any mail coming from outside.

So it would be MOSTLY enough to use this.

rcpt_acl:
accept hosts = :+relay_from_hosts
deny message = relaying forbidden

You can also do this in an earlier stage, but some MTAs/MUAs have
problems with rejecting mails before RCPT TO:

Nico
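An added example (not code from the thread or from Exim) that models the accept/deny/require/endpass rules John described and runs Tim's posted ACL and Nico's two-line replacement against a constructed outside address. The lists, the host 193.63.51.46 and the domain are taken from Tim's posts; the outside address 203.0.113.9, the recipient names and the "@" expansion are assumptions.

```python
"""Evaluator for the accept/deny/require/endpass semantics of an Exim RCPT ACL,
limited to the conditions used in this thread (hosts, domains, authenticated,
verify = recipient) and to IPv4 host items.  Added illustration, not Exim's code."""
import ipaddress

VERBS = {"accept", "deny", "require"}
PRIMARY_HOSTNAME = "lists.ngfl.gov.uk"       # assumption: what the "@" domain item means
# The lists Tim posted; 193.63.51.46 is his primary mail server.
LISTS = {"local_domains": ["@", "lists.ngfl.gov.uk"],
         "relay_from_hosts": ["127.0.0.1", "193.63.51.0/24"]}

def parse_acl(text):
    """'verb cond = value' lines -> [(verb, items)]; an item is the marker
    'endpass' or a (negated, name, value) condition/modifier."""
    statements = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith(":"):               # blank, comment, ACL name
            continue
        verb, _, rest = line.partition(" ")
        if verb in VERBS:
            statements.append((verb, []))
            line = rest.strip()
            if not line:                                 # conditions on following lines
                continue
        if line == "endpass":
            statements[-1][1].append("endpass")
            continue
        name, _, value = line.partition("=")
        name = name.strip()
        statements[-1][1].append((name.startswith("!"), name.lstrip("!"), value.strip()))
    return statements

def in_list(kind, item, session):
    """Match one item of an Exim host list or domain list."""
    if item.startswith("+"):                             # reference to a named list
        return any(in_list(kind, i, session) for i in LISTS[item[1:]])
    if kind == "hosts":
        addr = session["host"]
        if item == "":                                   # empty item: not over TCP/IP
            return addr is None
        return addr is not None and \
            ipaddress.ip_address(addr) in ipaddress.ip_network(item, strict=False)
    return item in ("*", session["domain"]) or (item == "@" and session["domain"] == PRIMARY_HOSTNAME)

def holds(negated, name, value, session, known_users):
    if name == "authenticated":
        result = session.get("authenticated", False)     # "*" = any authenticator
    elif name == "verify":                               # verify = recipient
        result = session["local_part"] in known_users
    else:                                                # hosts / domains
        result = any(in_list(name, i.strip(), session) for i in value.split(":"))
    return result != negated

def evaluate(statements, session, known_users):
    """A failing condition in an accept moves on to the next statement unless it
    sits after endpass (then it denies); a failing deny moves on; a failing require denies."""
    for verb, items in statements:
        after_endpass, message, ok = False, None, True
        for item in items:
            if item == "endpass":
                after_endpass = True
            elif item[1] == "message":                   # modifier: never fails
                message = item[2]
            elif not holds(*item, session, known_users):
                ok = False
                break
        if ok and verb == "accept":
            return "accept", None
        if (ok and verb == "deny") or (not ok and (verb == "require" or after_endpass)):
            return "deny", message
    return "deny", "end of ACL"                          # running off the end denies

# Tim's ACL, reduced to the statements that decide the outcome.
TIMS_ACL = """
  accept hosts = 127.0.0.1 : 193.63.51.46
  accept domains = +local_domains
         endpass
         message = unknown user
         verify = recipient
  accept hosts = +relay_from_hosts
  accept authenticated = *
  deny   message = relay not permitted
"""
# Nico's replacement: accept command-line and relay_from_hosts submissions, deny the rest.
NICOS_ACL = """
  accept hosts = : +relay_from_hosts
  deny   message = relaying forbidden
"""

def verdict(acl_text, host, local_part="listname", domain="lists.ngfl.gov.uk"):
    # host=None models a command-line (non-SMTP) submission; recipient names are constructed
    session = {"host": host, "domain": domain, "local_part": local_part}
    return evaluate(parse_acl(acl_text), session, known_users=("listname", "postmaster"))

if __name__ == "__main__":
    outsider = "203.0.113.9"                             # constructed external address
    print(verdict(TIMS_ACL, outsider))                   # ('accept', None): fell through
    print(verdict(TIMS_ACL, outsider, "nobody"))         # ('deny', 'unknown user'): endpass
    print(verdict(NICOS_ACL, outsider))                  # ('deny', 'relaying forbidden')
```

The first result is the fall-through John describes: the failed `accept hosts` statement simply passes control to the `accept domains = +local_domains` statement, which accepts any inbound mail for the list domain.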


bob at db

Jul 25, 2005, 6:42 PM

Post #12 of 29 (2977 views)
Re: ACL Question [In reply to]

Timothy Spear wrote:
> In the ACL I am performing ClamAV and SBL-XBL checks from
> Spamhaus. I would like to disable these checks when the email is generated
> internally.

Why do you want to disable ClamAV checks of internally generated e-mail?
That's the one check my users are not allowed to disable, neither for
incoming nor outgoing messages...


Bob


tspear at tangiblesoftware

Jul 25, 2005, 7:02 PM

Post #13 of 29 (2980 views)
RE: ACL Question [In reply to]

Well, I will leave the ClamAV in. That was an example. It is mostly my DNS
and Spam type checks which chew up additional time that I want to disable.

Tim


--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/


HerbM at learnquick

Jul 25, 2005, 7:14 PM

Post #14 of 29 (2981 views)
RE: ACL Question [In reply to]

> [mailto:exim-users-bounces [at] exim] On Behalf Of Timothy Spear
> In the ACL I am performing ClamAV and SBL-XBL
> checks from Spamhaus. I would like to disable these checks
> when the email is generated internally.

I use "accept"s that precede the ACL deny.

Accept on local addresses and perhaps on Authenticated.

#In my data acl:

accept authenticated = *

# precedes my malware, spam, and RBL checks:

deny message = This message contains malware ($malware_name)
malware = */defer_ok

# etc etc etc.

You could also use further qualifiers in the deny stanza
to check for !authenticated and !local_address.

Herb Martin, MCT, MCSD, MCSE, MVP
HerbM [at] LearnQuick http://LearnQuick.Com
512 388 7339 -or- 1 800 MCSE PRO
Accelerated MCSE in a Week Seminars


wbh at conducive

Oct 16, 2006, 7:56 AM

Post #15 of 29 (2964 views)
Re: ACL Question [In reply to]

Mike wrote:

> Would it be better to do HELO checks in acl_smtp_helo, sender checks in
> acl_smtp_mail, setting a variable in each check indicating pass/fail for
> rejection later in the acl_smtp_rcpt check per-recipient (thus only doing
> the check once), or with various caching, is it just as well to put all
> HELO/MAIL checks in the rcpt acl?

'Depends on the situation'.

If you are for-sure going to reject on, for example rDNS fail, (draconian, but
damned effective) then do so in CONNECT and save time and resources.

Likewise any other 'hard' fail, such as HELO-as-our-server (but not, necessarily
HELO by IP, lest you block chron-job reports, etc.).

To the extent individual users or virtual-host whole-domain clients want
different settings, you need to defer action until at least the preferences are
available, i.e acl_smtp_rcpt.

We then action the DNS/RFC stuff in PREDATA, MIME & AV in the first part of DATA
where we have at least a chance of rejecting while the connection is still
'live', resource-greedy SA only in the last part of DATA, where there is a
chance that a peer MTA will motor off on its own errands if/as/when SA gets its
knickers in a knot.

If/as/when that happens we blackhole any bad news - NOT send bounces.
'Real MTA', absent a '250 OK' should come back later and try again.

A few things, such as archiving/not and selective delivery to custom
folders/not, are branched within the router/transport sets.

We are now using all but a few of the new acl_c/m(0-19), have only a handful
'spare', but with care as to overloading, were able to do the same with the
original ten variables.


Active manual and automatic 'whitelisting' and 'VIP' listing, plus willingness to
deeply research 'false positives' are *imperative* if you run tight rulesets.
But far nicer work to track down the odd 'false' positive and help get it
corrected, than to deal with mindless spam aimed at the IQ of the average US or
UK voter...
;-)

PLAN AND DOCUMENT your use of variables right in your own 'configure' file,
likewise what you *believe* an acl clause is to accomplish, ELSE your soft
tissues get caught in the machinery as little as ten keystrokes later...

HTH,

Bill


==
#### NOTES ####
# Exim 4.63 configure for hk3 15 OCT 2006 WB Hacker
# Per-user settings for DNS, RFC, MIME, as well as Spam
# wbh [at] conducive bill [at] triligon
#
## Document our use of per-connection variables.
## *FORCE* all those used for BOOLE, and NUMBERS to "0" at start of CONNECT
## null /= 0 in Exim, so comparisons may fail otherwise.
#
# acl_c0 NUM CRITICAL! AUTH/preferred client weight when non-zero value
# acl_c1 NUM CRITICAL! 'free pass' VIP & whitelist weight when non-zero value
# acl_c2 reserved
# acl_c3 STR concatenated client ID info to build log & message strings
# acl_c4 NUM used in acl_m4 for pg_quarantine t/f BOOLEAN flag
# acl_c5 NUM RUDEBUGGER cumulative mime/format/attachment demerits.
# acl_c6 NUM reserved for 'm' use - user rfc strictness pref from SQL DB call.
...
etc..

and the coding in the DB:
.
.
# acl_m17 NUM HELO match test result flag
# acl_m18 reserved
# acl_m19 re-usable trigger for SQL call & return

# pg_rfc codes:
#
# 5 = also require safe attachments
# 4 = also require proper headers
# 3 = also require proper format
# 1 = must satisfy rDNS check
# 0 = allow fail all RFC tests except basic handshake completion
#
# pg_bl codes:
#
# 5 = must also have HELO match
# 4 = must also pass Other RBL tests
# 3 = must also pass DYN RBL tests
# 2 = must also pass local blacklist tests
# 1 = must pass local brownlist tests
# 0 = allow fail all tests
#
# pg_rudelimit. Integer. Put into acl_m6
...

===

PS - we do a number of SQL reads (SELECT..) and writes (INSERT/UPDATE) as well.

OTOH, we have yet to need a 'system filter' or manualroute router, and the only
custom (ONE line added!) pipe transport needed to date is for driving
virtual-hosting mailing lists (Ecartis).




peter at bowyer

Oct 16, 2006, 8:04 AM

Post #16 of 29 (2984 views)
Re: ACL Question [In reply to]

On 16/10/06, Mike <cbrmike [at] gmail> wrote:
> Would it be better to do HELO checks in acl_smtp_helo, sender checks in
> acl_smtp_mail, setting a variable in each check indicating pass/fail for
> rejection later in the acl_smtp_rcpt check per-recipient (thus only doing
> the check once), or with various caching, is it just as well to put all
> HELO/MAIL checks in the rcpt acl?

As a general rule: collect data points as soon as they're available,
and implement defensive tactics as soon as you're sure you need them.

So.. this might mean setting a (or some) flags based on HELO
verification, rejecting based on gross transgressions, but use the
flags later in the RCPT acl for finer granularity.

You might want/need to accept mail to postmaster and/or abuse
addresses from most/all clients, for example. Apocryphally, some MTAs
and some spamware are known to misbehave when 5xx'd at HELO time,
could be best to save up the 'deny' until the RCPTs.

Peter



--
Peter Bowyer
Email: peter [at] bowyer



lists at seattleserver

Oct 16, 2006, 8:43 AM

Post #17 of 29 (2973 views)
Re: ACL Question [In reply to]

On Monday 16 October 2006 05:46, Mike wrote:
> Would it be better to do HELO checks in acl_smtp_helo, sender checks in
> acl_smtp_mail, setting a variable in each check indicating pass/fail for
> rejection later in the acl_smtp_rcpt check per-recipient (thus only doing
> the check once), or with various caching, is it just as well to put all
> HELO/MAIL checks in the rcpt acl?

The former. This gives you (among other abilities I'm sure I'm overlooking)
the ability to implement delays prior to RCPT and record statistics that
would otherwise be lost if the sending host disconnects prior to RCPT.

--
SeattleServer.com Mailing Lists - Casey Allen Shobe
lists [at] seattleserver - http://seattleserver.com



exim-users-20080324 at djce

Jun 7, 2008, 2:18 PM

Post #18 of 29 (2321 views)
Re: ACL question [In reply to]

On Sun, Jun 08, 2008 at 02:49:52AM +1000, Farhan Ahmed wrote:
> Hello Guys,
>
> I am scratching my heads over 3 days and couldn't find answer yet. So, you
> guys are my last hope now. We are running exim, IMAP and mysql on one
> box. I must have to accept
>
> local_domains and local_hosts in ACL. But still anyone can send email to my
> domain users via telnet 25 other than relay. How can I solve this issue.

OK, now the configuration snippet is actually readable, that helps.

But it looks fine to me - abc.com is in +local_domains, and an external client
can send mail to abc.com - that's as it should be.

So what problem do you think needs to be fixed?

--
Dave Evans
http://djce.org.uk/
http://djce.org.uk/pgpkey


iane at sussex

Jun 9, 2008, 4:20 AM

Post #19 of 29 (2275 views)
Re: ACL question [In reply to]

--On 8 June 2008 02:49:52 +1000 Farhan Ahmed <ahmed.farhan [at] gmail> wrote:

> Hello Guys,
>
> I am scratching my heads over 3 days and couldn't find answer yet. So, you
> guys are my last hope now. We are running exim, IMAP and mysql on one
> box. I must have to accept
>
> local_domains and local_hosts in ACL. But still anyone can send email to
> my domain users via telnet 25 other than relay. How can I solve this
> issue.
>
> My configuration is as....
<snip>
> so, I can write script that can generate fair enough spams. How can we
> overcome on this? Any help would be appreciated.
>

It seems that you think it is a problem if people can connect to your
machine on port 25 and send email to your users. That's how SMTP works. If
you don't allow it, then you can't get email delivered to you from the
Internet.

If you don't want to accept email from the Internet, then delete everything
except:

acl_check_rcpt:

accept hosts = :

accept hosts = +relay_from_hosts

accept authenticated = *

deny message = relay not permitted

If you want to accept email from the Internet, but not spam, then you have
to use a variety of anti-spam techniques. None of them are perfect, and
there are too many to describe here.

--
Ian Eiloart
IT Services, University of Sussex
x3148



steve at lobefin

Jun 9, 2008, 4:36 AM

Post #20 of 29 (2278 views)
Re: ACL question [In reply to]

On Sun, Jun 08, 2008 at 02:49:52AM +1000, Farhan Ahmed said:
> Hello Guys,
>
> I am scratching my heads over 3 days and couldn't find answer yet. So, you
> guys are my last hope now. We are running exim, IMAP and mysql on one
> box. I must have to accept
>
> local_domains and local_hosts in ACL. But still anyone can send email to my
> domain users via telnet 25 other than relay. How can I solve this issue.

As others have pointed out, this is how internet mail works. But I see
a perhaps unspoken assumption in your email that all email comes from a
particular relay machine? If so, either firewall port 25 to only allow
access from that machine, or (better) do that and add something like:

deny !hosts = : 127.0.0.1 : +relay_hosts : +inbound_relay

before any of the accepts. This can even go earlier than the rcpt time
checking if you like - acl_smtp_connect would be fine.
--
--------------------------------------------------------------------------
| Stephen Gran | Research is to see what everybody else |
| steve [at] lobefin | has seen, and think what nobody else |
| http://www.lobefin.net/~steve | has thought. |
--------------------------------------------------------------------------



farhhanahmed at hotmail

Jun 9, 2008, 5:01 AM

Post #21 of 29 (2275 views)
Re: ACL question [In reply to]

Hello,

Thanks for all suggestions. I have fixed the issue now. Actually we have mailfilter sendmail, spamassassin, fprot, grey-list and then sendmail
relays filtered email to exim, mysql box and issue was here. I just fixed it.

Thanks all for your timely support

--
Regards,
Farhan Ahmed


dean at iglou

Nov 19, 2009, 7:55 AM

Post #22 of 29 (1801 views)
Re: ACL Question [In reply to]

On Thu, Nov 19, 2009 at 03:10:19PM +0000, Bryn Jones wrote:
> On 19 Nov 2009, at 14:23, Joe Doehler <joe [at] doehler> wrote:
>
> > Andrew wrote:
> >>> Minor point - shouldn't that be 192.168.0.0/16 or 192.168.1.0/24
> >>> or even
> >>> 192.0.0.0/8.
> >>>
> >
> > Thanks to all who have answered. The suggestions solved my problem.
> > FYI,
> > this is a small network that's content with 256 IP addresses.
>
> If it's supposed to be a 255.255.255.0, you want 192.168.1.0/24. /8 is
> the same as 255.0.0.0, or 2^24-2 hosts.

That and 192.0.0.0/8 contains millions of legitimate routable hosts.

Only 192.168.x.x addresses (192.168.0.0/16) can be used for private
space without adverse effects. Everything else is legitimate routable
space.

--
Dean Brooks
dean [at] iglou



phil at medwayhosting

Nov 19, 2009, 8:17 AM

Post #23 of 29 (1797 views)
Re: ACL Question [In reply to]

----- Original Message -----
From: "Dean Brooks" <dean [at] iglou>
To: <exim-users [at] exim>
Sent: Thursday, November 19, 2009 3:55 PM
Subject: Re: [exim] ACL Question


> Only 192.168.x.x addresses (192.168.0.0/16) can be used for private
> space without adverse effects. Everything else is legitimate routable
> space.

Not quite:
10.0.0.0/8 & 172.16.0.0/12 are private address space too I believe.

All the best

Phil



fh-exim2003 at LF

Nov 19, 2009, 9:15 AM

Post #24 of 29 (1802 views)
Re: ACL Question [In reply to]

On Thu, Nov 19, 2009 at 04:17:39PM -0000, Phil (Medway Hosting) wrote:
>
> ----- Original Message -----
> From: "Dean Brooks" <dean [at] iglou>
> To: <exim-users [at] exim>
> Sent: Thursday, November 19, 2009 3:55 PM
> Subject: Re: [exim] ACL Question
>
>
> > Only 192.168.x.x addresses (192.168.0.0/16) can be used for private
> > space without adverse effects. Everything else is legitimate routable
> > space.
>
> Not quite:
> 10.0.0.0/8 & 172.16.0.0/12 are private address space too I believe.

see RFC 3330 Special-Use IPv4 Addresses


--
Regards



dean at iglou

Nov 19, 2009, 10:50 AM

Post #25 of 29 (1799 views)
Re: ACL Question [In reply to]

On Thu, Nov 19, 2009 at 06:15:46PM +0100, Frank Heydlauf wrote:
> On Thu, Nov 19, 2009 at 04:17:39PM -0000, Phil (Medway Hosting) wrote:
> >
> > ----- Original Message -----
> > From: "Dean Brooks" <dean [at] iglou>
> > To: <exim-users [at] exim>
> > Sent: Thursday, November 19, 2009 3:55 PM
> > Subject: Re: [exim] ACL Question
> >
> >
> > > Only 192.168.x.x addresses (192.168.0.0/16) can be used for private
> > > space without adverse effects. Everything else is legitimate routable
> > > space.
> >
> > Not quite:
> > 10.0.0.0/8 & 172.16.0.0/12 are private address space too I believe.
>
> see RFC 3330 Special-Use IPv4 Addresses

Well, I meant within the 192 space specifically. I've seen a lot
of cases where people blocked 192.0.0.0/8 thinking they were being
thorough, when in fact they were blocking a large number of legitimate
sites.

It hits home in our case since one of our core networks is in 192.107
space. Every now and then we get someone who can't reach our network,
and it's usually the same thing - an overzealous firewall admin who
entered in incorrect information.

--
Dean Brooks
dean [at] iglou

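An added check (not from the thread) for the 192.168.0.0/16 versus 192.0.0.0/8 point Dean and Phil make: before a CIDR goes into a "private hosts" list, count how many addresses inside it are actually routable, using the three RFC 1918 blocks named above. The 192.107.0.0/16 figure illustrates Dean's own network; everything else is standard `ipaddress` arithmetic.

```python
"""Count the publicly routable addresses hidden inside a CIDR that an admin
intends as 'private' space.  Added illustration, not from the thread."""
import ipaddress

# The three private blocks (10/8, 172.16/12, 192.168/16) named in the thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def routable_addresses(cidr):
    """Number of addresses in `cidr` that are NOT inside RFC 1918 private space."""
    remaining = [ipaddress.ip_network(cidr, strict=False)]
    for private in RFC1918:
        carved = []
        for chunk in remaining:
            if chunk.subnet_of(private):
                continue                          # entirely private: drop it
            if chunk.overlaps(private):           # private block lies inside chunk
                carved.extend(chunk.address_exclude(private))
            else:
                carved.append(chunk)
        remaining = carved
    return sum(c.num_addresses for c in remaining)

def classify(cidr):
    """'private' when nothing routable is inside, otherwise say how much is."""
    n = routable_addresses(cidr)
    return "private" if n == 0 else f"covers {n} routable addresses"

if __name__ == "__main__":
    for cidr in ("192.168.1.0/24", "192.168.0.0/16", "192.0.0.0/8",
                 "172.16.0.0/12", "192.107.0.0/16"):
        print(f"{cidr:16} {classify(cidr)}")
```

For 192.0.0.0/8 the count is 16,711,680: the whole /8 minus the single /16 that is private, which is the "millions of legitimate routable hosts" Dean refers to.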
