Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: exim: users

Preventing Authenticated Users From Sending As Other Accounts

  

 
exim users RSS feed   Index | Next | Previous | View Threaded


bradm2k at ymail

Oct 21, 2009, 2:14 PM

Post #1 of 9 (1155 views)
Permalink
Preventing Authenticated Users From Sending As Other Accounts
Hi there,

I ran across a scenario on my new exim setup and am hoping someone can point me in the right direction as I am very new to Exim.

Currently, I have Exim 4.69 installed on a FreeBSD 6.4 AMD64 machine with MySQL which is now deployed and running stable. We have disabled relaying and require users to connect via SSL to authenticate for both sending and recieving email.

I have been running some tests and discovered that local authenticated users are able to send email as any address they wish, including other local users. This poses a security concern for my clients and was hoping to plug this hole.

Is there a way of limiting authenticated users to only send email for their authenticated account?

Thanks!



__________________________________________________________________
Ask a question on any topic and get answers from real people. Go to Yahoo! Answers and share what you know at http://ca.answers.yahoo.com
--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


exim-users-20081202 at djce

Oct 22, 2009, 12:54 AM

Post #2 of 9 (1107 views)
Permalink
Re: Preventing Authenticated Users From Sending As Other Accounts [In reply to]
On Wed, Oct 21, 2009 at 02:14:11PM -0700, Brad Melanson wrote:
> Hi there,
>
> I ran across a scenario on my new exim setup and am hoping someone can point me in the right direction as I am very new to Exim.
>
> Currently, I have Exim 4.69 installed on a FreeBSD 6.4 AMD64 machine with MySQL which is now deployed and running stable. We have disabled relaying and require users to connect via SSL to authenticate for both sending and recieving email.
>
> I have been running some tests and discovered that local authenticated users are able to send email as any address they wish, including other local users. This poses a security concern for my clients and was hoping to plug this hole.
>
> Is there a way of limiting authenticated users to only send email for their authenticated account?

As long as you can define what "only send email for their authenticated
account" means in terms of SMTP, then yes.

Obvious possiblities include restricting the MAIL FROM address, and/or
restricting the "From" header. For the former, you'd use an ACL in
acl_smtp_mail; for the latter, an ACL in acl_data. Either way you'd
presumably want to use $authenticated_id as part of the logic.

Whether or not it's a good idea, though, is an entirely separate question. It
depends what problem you're trying to solve - that your users shouldn't be
able to fool the recipients of their email? Or that if they /do/ do that,
that they should know that /you/ know that is was them that sent it?

--
Dave Evans
http://djce.org.uk/
http://djce.org.uk/pgpkey
Attachments: signature.asc (0.19 KB)


david at ols

Oct 22, 2009, 1:03 AM

Post #3 of 9 (1100 views)
Permalink
Re: Preventing Authenticated Users From Sending As Other Accounts [In reply to]
Hi

If you always use the email address for each user as it's authentication
username then you can check at mail acl something like:

deny authenticated = *
condition = ${if eqi{$authenticated_id}{$sender_address}}
message = You are not authorized to use $sender_address

> Hi there,
>
> I ran across a scenario on my new exim setup and am hoping someone can point me in the right direction as I am very new to Exim.
>
> Currently, I have Exim 4.69 installed on a FreeBSD 6.4 AMD64 machine with MySQL which is now deployed and running stable. We have disabled relaying and require users to connect via SSL to authenticate for both sending and recieving email.
>
> I have been running some tests and discovered that local authenticated users are able to send email as any address they wish, including other local users. This poses a security concern for my clients and was hoping to plug this hole.
>
> Is there a way of limiting authenticated users to only send email for their authenticated account?
>
> Thanks!
>
>
>
> __________________________________________________________________
> Ask a question on any topic and get answers from real people. Go to Yahoo! Answers and share what you know at http://ca.answers.yahoo.com

--
Salu-2 y hasta pronto ...

----------------------------------------------------------------
David Saez Padros http://www.ols.es
On-Line Services 2000 S.L. telf +34 902 50 29 75
----------------------------------------------------------------



--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


fh-exim2003 at LF

Oct 22, 2009, 2:13 AM

Post #4 of 9 (1114 views)
Permalink
Re: Preventing Authenticated Users From Sending As Other Accounts [In reply to]
Hi all,

On Thu, Oct 22, 2009 at 10:03:00AM +0200, David Saez Padros wrote:
> If you always use the email address for each user as it's authentication
> username then you can check at mail acl something like:
>
> deny authenticated = *
> condition = ${if eqi{$authenticated_id}{$sender_address}}
> message = You are not authorized to use $sender_address

... and you probably will get lots of support-load since
many mail clients do not show this error message at all.
(0x800Uloose)

IMHO You'd better send a notification message to
the known (since authenticated) user.

--
Regards
Frank

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


david at ols

Oct 22, 2009, 2:26 AM

Post #5 of 9 (1104 views)
Permalink
Re: Preventing Authenticated Users From Sending As Other Accounts [In reply to]
Hi

>> deny authenticated = *
>> condition = ${if eqi{$authenticated_id}{$sender_address}}
>> message = You are not authorized to use $sender_address
>
> ... and you probably will get lots of support-load since
> many mail clients do not show this error message at all.
> (0x800Uloose)

you will only get support requests from clients trying to forge
other users email addresses, which is the expected behaviour

--
Best regards ...

----------------------------------------------------------------
David Saez Padros http://www.ols.es
On-Line Services 2000 S.L. telf +34 902 50 29 75
----------------------------------------------------------------



--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


fh-exim2003 at LF

Oct 22, 2009, 3:38 AM

Post #6 of 9 (1096 views)
Permalink
Re: Preventing Authenticated Users From Sending As Other Accounts [In reply to]
On Thu, Oct 22, 2009 at 11:26:42AM +0200, David Saez Padros wrote:
> Hi
>
> >> deny authenticated = *
> >> condition = ${if eqi{$authenticated_id}{$sender_address}}
> >> message = You are not authorized to use $sender_address
> >
> > ... and you probably will get lots of support-load since
> > many mail clients do not show this error message at all.
> > (0x800Uloose)
>
> you will only get support requests from clients trying to forge
> other users email addresses, which is the expected behaviour

What about users testing some webservers-scripts or other
robot-jobs sending mails,
users who mistyped their From address,
users intended to send mail with forged from-address
(i.e. secretaries, bulk-mailer) ...

At the moment I reject MUA mails as well - but I'm not
happy with it and want to change this behaviour in the
next setup.

--
Greets
Frank

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


david at ols

Oct 22, 2009, 4:07 AM

Post #7 of 9 (1101 views)
Permalink
Re: Preventing Authenticated Users From Sending As Other Accounts [In reply to]
Hi

>>>> deny authenticated = *
>>>> condition = ${if eqi{$authenticated_id}{$sender_address}}
>>>> message = You are not authorized to use $sender_address
>>> ... and you probably will get lots of support-load since
>>> many mail clients do not show this error message at all.
>>> (0x800Uloose)
>> you will only get support requests from clients trying to forge
>> other users email addresses, which is the expected behaviour
>
> What about users testing some webservers-scripts or other
> robot-jobs sending mails,
> users who mistyped their From address,
> users intended to send mail with forged from-address
> (i.e. secretaries, bulk-mailer) ...

exim is flexible enough to cope with all those cases, you just
need to setup the appropiate acl rules

--
Best regards ...

----------------------------------------------------------------
David Saez Padros http://www.ols.es
On-Line Services 2000 S.L. telf +34 902 50 29 75
----------------------------------------------------------------



--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Lena at lena

Oct 22, 2009, 4:46 AM

Post #8 of 9 (1100 views)
Permalink
Re: Preventing Authenticated Users From Sending As Other Accounts [In reply to]
> From: Brad Melanson

> local authenticated users are able to send email as any address they wish,
> including other local users. This poses a security concern for my clients
> and was hoping to plug this hole.

Which exactly security concern?
Users who have their own domains and other email addresses hosted elsewhere
need to be able to send email with envelope-from and "From:" differing from
their authenticated id. Because not every hoster and
not every email provider offers a relay ("SMTP-server").
Instead of restriction, make Exim to specify authenticated id in the header
for investigation in case of a complaint.
For that look at "received_header_text" in
"14.23 Alphabetical list of main options" in Exim documentation.
Add in the beginning of Exim config:

received_header_text = Received: \
${if def:sender_rcvhost {from $sender_rcvhost\n\t}\
{${if def:sender_ident \
{from ${quote_local_part:$sender_ident} }}\
${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\
by $primary_hostname \
${if def:received_protocol {with $received_protocol}} \
${if def:tls_cipher {($tls_cipher)\n\t}}\
(Exim $version_number)\n\t\
${if def:sender_address \
{(envelope-from <$sender_address>)\n\t}}\
id $message_exim_id\
${if def:received_for {\n\tfor $received_for}}\
${if def:authenticated_id {\n\t(authenticated as \
<${sg{$authenticated_id}{@}{#}}>)}}

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


peter at bowyer

Oct 22, 2009, 4:52 AM

Post #9 of 9 (1109 views)
Permalink
Re: Preventing Authenticated Users From Sending As Other Accounts [In reply to]
2009/10/22 <Lena [at] lena>:
>> From: Brad Melanson
>
>> local authenticated users are able to send email as any address they wish,
>> including other local users. This poses a security concern for my clients
>> and was hoping to plug this hole.
>
> Which exactly security concern?

Pretty obviously - an authenticated user spoofing another (possibly
authenticated) user's email. The OP has been offered a simple ACL fix
for this earlier in the thread.

--
Peter Bowyer
Email: peter [at] bowyer
Follow me on Twitter: twitter.com/peeebeee

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

exim users RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.