I've got a pretty bad problem that comes up every now and then -- as it appears, at least by default, anything from 127.0.0.1 can relay email without authenticating, or in other words an open relay. And in some cases (mainly Perl), the mail (e.g. spam) is untraceable because the 'Track Origin' option in tweak settings seems to only work with some PHP scripts. Here's an example header of a message that was sent using badware uploaded via a client's compromised FTP logon:
Received: from localhost ([127.0.0.1] helo=User)
by xxxxxx.xxxxxxx.com with smtp (Exim 4.69)
(envelope-from <segreteria@i-csr.it>)
id 1QdT9L-0006zC-Mz; Sun, 03 Jul 2011 16:20:16 -0400
Reply-To: <wilsongoh2011@dvaar.com>
From: "GOH"<segreteria@i-csr.it>
And the Exim headers are useless, as it indicates the Exim UID/GID and no source script:
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - xxxxxx.xxxxxxx.com
X-AntiAbuse: Original Domain - bobhatton.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - i-csr.it
X-Source:
X-Source-Args:
X-Source-Dir:
I will mention that ALL domains shown in the above headers are spoofed... none of them exist on this server whatsoever.
We can block localhost connections (CSF or in WHM) but then sending mail in webmail fails.
So my question: is there a way to require authentication from 127.0.0.1 connections? To further that, can it be done without breaking webmail's ability to send mail?
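As an added example (not part of the original post, and not cPanel's or Exim's own code), here is a small Python triage script that checks exactly the kind of headers quoted above: it unfolds the header block, reads the Received hop nearest the origin, and flags a loopback submission whose protocol token carries no trailing "a", which is how Exim marks a session that used SMTP AUTH (smtp/esmtp/esmtps versus esmtpa/esmtpsa). It also pulls the UID/GID out of the X-AntiAbuse header and notes when the X-Source fields are present but empty. The regex assumes Exim's default "from NAME ([IP] helo=NAME) by HOST with PROTO" layout; the first sample is the post's own header block, the second (authenticated) sample is constructed.

```python
"""Triage mail headers for unauthenticated submissions from 127.0.0.1.

Added example, not code from the original post or from cPanel/Exim.
Assumes Exim's default Received header layout (see RECEIVED_RE).
"""
import re
from typing import Dict, List, Optional, Tuple

# Exim's default Received line: "from NAME ([IP] helo=NAME) by HOST with PROTO (Exim VER)".
# PROTO is smtp/esmtp, with "s" appended for TLS and "a" appended when AUTH was used.
RECEIVED_RE = re.compile(
    r"from\s+(?P<name>\S+)\s+\(\[(?P<ip>[0-9A-Fa-f.:]+)\]"
    r"(?:\s+helo=(?P<helo>[^)\s]+))?\)"
    r"\s+by\s+(?P<by>\S+)\s+with\s+(?P<proto>[a-z]+)"
)
UIDGID_RE = re.compile(r"Originator/Caller UID/GID - \[(\d+) (\d+)\]")
LOOPBACK = {"127.0.0.1", "::1"}
SOURCE_HEADERS = {"x-source", "x-source-args", "x-source-dir"}


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw header block into (name, value) pairs, joining folded lines."""
    fields: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:  # continuation of the previous field
            name, value = fields[-1]
            fields[-1] = (name, (value + " " + line.strip()).strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def parse_received(value: str) -> Optional[Dict[str, object]]:
    """Extract client IP, HELO name, receiving host and protocol from one Received value."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    if not m:
        return None
    proto = m["proto"]
    return {
        "ip": m["ip"],
        "helo": m["helo"],
        "by": m["by"],
        "proto": proto,
        "authenticated": proto.endswith("a"),  # esmtpa / esmtpsa
    }


def triage(raw: str) -> Dict[str, object]:
    """Return the origin hop, Exim caller UID/GID and a list of findings for one message."""
    fields = unfold_headers(raw)
    hops = []
    uid = gid = None
    source_values = []
    for name, value in fields:
        lname = name.lower()
        if lname == "received":
            hop = parse_received(value)
            if hop:
                hops.append(hop)
        elif lname == "x-antiabuse":
            m = UIDGID_RE.search(value)
            if m:
                uid, gid = int(m[1]), int(m[2])
        elif lname in SOURCE_HEADERS:
            source_values.append(value)

    # Received headers are prepended, so the last one parsed is the hop nearest the origin.
    first_hop = hops[-1] if hops else None
    findings = []
    if first_hop and first_hop["ip"] in LOOPBACK and not first_hop["authenticated"]:
        findings.append("unauthenticated submission from loopback")
    if source_values and not any(source_values):
        findings.append("X-Source headers present but empty: originating script not recorded")
    return {"first_hop": first_hop, "uid": uid, "gid": gid, "findings": findings}


# Sample 1: the header block quoted in the post (hostnames masked as in the post).
SPAM_SAMPLE = """\
Received: from localhost ([127.0.0.1] helo=User)
    by xxxxxx.xxxxxxx.com with smtp (Exim 4.69)
    (envelope-from <segreteria@i-csr.it>)
    id 1QdT9L-0006zC-Mz; Sun, 03 Jul 2011 16:20:16 -0400
Reply-To: <wilsongoh2011@dvaar.com>
From: "GOH"<segreteria@i-csr.it>
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - xxxxxx.xxxxxxx.com
X-AntiAbuse: Original Domain - bobhatton.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - i-csr.it
X-Source:
X-Source-Args:
X-Source-Dir:
"""

# Sample 2: constructed. A loopback client that did authenticate (esmtpsa) is not flagged.
AUTHENTICATED_SAMPLE = """\
Received: from localhost ([127.0.0.1] helo=webmail.example.net)
    by mail.example.net with esmtpsa (Exim 4.69)
    (envelope-from <user@example.net>)
    id 1Qxxxx-000000-00; Sun, 03 Jul 2011 16:30:00 -0400
From: user@example.net
"""

if __name__ == "__main__":
    for label, sample in (("spam", SPAM_SAMPLE), ("webmail", AUTHENTICATED_SAMPLE)):
        print(label, triage(sample))
```

Run it over a directory of queued or delivered messages to separate loopback submissions that authenticated from those that did not; the protocol suffix is the only evidence of AUTH the Received line carries, so anything that shows `with smtp` or `with esmtp` from 127.0.0.1 came in without credentials.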

