Discussion:
[Pkg-exim4-users] Force authentication check for every outgoing message.
Michael González Medina
2015-02-05 21:10:05 UTC
Hi all list members, I need some help on this topic:

First of all, sorry for my bad English.

I have Exim4 running on a Debian server. Everything is working fine; I mean
that every user on my LAN, in order to send mail through my server,
must provide a user and pass [using a MUA such as Thunderbird], but... a
few days ago I was doing a telnet test against that server:

-------------------------------------------------------------------
***@netadmin:~$ telnet my.mail.server.ip 25
Trying my.mail.server.ip...
Connected to my.mail.server.ip.
Escape character is '^]'.
220 Servidor de correos del CNSV a su servicio...
helo net
250 mydomain.cu Hello netadmin.local [192.168.0.43]
mail from: <***@mydomain.cu>
250 OK
rcpt to: <***@mydomain.cu>
250 Accepted
data
354 Enter message, ending with "." on a line by itself
testinggg66
.
250 OK id=1YJT0E-0001IR-Lc
---------------------------------------------------------------------

I know that accepting and sending mail without asking for or checking
authentication is a security hole, so... I tested the same from another PC
on my LAN and... the same result.

So in order to solve this I need to force Exim authentication for every
outgoing message [even via telnet sessions]. This is the portion that
corresponds to acl_check_rcpt in my exim4.conf file:


----------------------------------------------------------------------------------------------------------------------------------------------
acl_smtp_rcpt = acl_check_rcpt

acl_check_rcpt:

  accept  authenticated = *
          control = submission

  accept  hosts = :
          control = dkim_disable_verify

  deny    message = Restricted characters in address
          domains = +local_domains
          local_parts = ^[.] : ^.*[@%!/|]

  deny    message = Restricted characters in address
          domains = !+local_domains
          local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

  accept  local_parts = postmaster
          domains = +local_domains

  require verify = sender

  accept  hosts = +relay_from_hosts
          control = submission
          control = dkim_disable_verify

  require message = relay not permitted
          domains = +local_domains : +relay_to_domains

  require verify = recipient

  accept
----------------------------------------------------------------------------------------------------------------------------------------------

Thanks in advance,
--
Michael González Medina
Administrador de Red
Centro Nacional de Sanidad Vegetal
Michael González Medina
2015-02-05 22:07:44 UTC
I commented out the last line, "accept".
--
Michael González Medina
Administrador de Red
Centro Nacional de Sanidad Vegetal
Michael González Medina
2015-02-10 19:35:50 UTC
The problem was solved by adding these lines in acl_check_rcpt:

  deny    message = Autentifiquese correctamente!!
          senders = /etc/exim4/filters/cu/todos

  accept  condition = ${if crypteq{$2}{${extract{1}{:}{${lookup{$1}lsearch{/var/passwd}{$value}{*:*}}}}}{1}{0}}

where /etc/exim4/filters/cu/todos is a file listing, line by line, all the
addresses on my server, and /var/passwd is a file listing, line by line, the
users (mail users) and their crypted passwords,

and it works well ;-) .............. perhaps there is another solution that is
easier or more trivial, but that was what I found (after a lot of hours of reading)
--
Michael González Medina
Administrador de Red
Centro Nacional de Sanidad Vegetal
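
Added example (not part of the original posts, and not Exim code): a small Python model of first-match ACL evaluation, showing which statement of the posted acl_check_rcpt decides the unauthenticated telnet session and what changes when the final "accept" is removed or the "deny ... senders =" statement is added. It assumes the LAN client 192.168.0.43 is listed in relay_from_hosts, that the new deny sits right after "accept authenticated = *", and that the character checks and verify statements pass; all addresses other than that IP are constructed.

```python
# Constructed model of how Exim walks acl_check_rcpt; not Exim code.
LOCAL_DOMAINS = {"mydomain.cu"}
RELAY_FROM_HOSTS = {"192.168.0.43"}     # assumption: this LAN client is listed
LOCAL_SENDERS = {"alice@mydomain.cu"}   # stands in for /etc/exim4/filters/cu/todos

def domain(addr):
    return addr.rsplit("@", 1)[1].lower()

# (verb, label, condition). The character checks and verify = sender/recipient
# from the posted ACL are assumed to pass and are left out.
ORIGINAL = [
    ("accept", "authenticated", lambda c: c["auth"]),
    ("accept", "hosts = :", lambda c: c["host"] == ""),
    ("accept", "relay_from_hosts", lambda c: c["host"] in RELAY_FROM_HOSTS),
    ("require", "relay not permitted", lambda c: domain(c["rcpt"]) in LOCAL_DOMAINS),
    ("accept", "final accept", lambda c: True),
]
# Second post: the final accept commented out.
NO_FINAL_ACCEPT = ORIGINAL[:-1]
# Third post: deny for local sender addresses, assumed to sit after
# "accept authenticated" so logged-in users never reach it.
FIXED = ORIGINAL[:1] + [
    ("deny", "local sender without AUTH",
     lambda c: c["sender"].lower() in LOCAL_SENDERS),
] + ORIGINAL[1:]

def evaluate(acl, ctx):
    """Return (verdict, label of the statement that decided it)."""
    for verb, label, cond in acl:
        hit = cond(ctx)
        if verb in ("accept", "deny") and hit:
            return verb, label
        if verb == "require" and not hit:
            return "deny", label
    return "deny", "implicit deny at end of ACL"

def rcpt(host, auth, sender, to):
    return {"host": host, "auth": auth, "sender": sender, "rcpt": to}

# Constructed inputs modelled on the telnet session in the first post.
TELNET = rcpt("192.168.0.43", False, "alice@mydomain.cu", "bob@mydomain.cu")
OTHER_PC = rcpt("192.168.0.50", False, "alice@mydomain.cu", "bob@mydomain.cu")
LOGGED_IN = rcpt("192.168.0.43", True, "alice@mydomain.cu", "bob@example.org")
INBOUND = rcpt("203.0.113.7", False, "carol@example.org", "bob@mydomain.cu")

if __name__ == "__main__":
    for name, ctx in [("telnet", TELNET), ("other pc", OTHER_PC),
                      ("logged in", LOGGED_IN), ("inbound", INBOUND)]:
        print(name, [evaluate(a, ctx) for a in (ORIGINAL, NO_FINAL_ACCEPT, FIXED)])
```

In this model, removing the final accept does not stop a client listed in relay_from_hosts, and it turns away ordinary inbound mail for local domains, while the sender-based deny rejects the unauthenticated session and leaves authenticated and inbound mail untouched.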