Exim experts: blocking non auth smtp

[clook]

This is something we'll be wanting to do soon and I thought I'd post here for any tips before putting the research into it. If anyone knows how to do this and can offer any tips (or would like it as a paid one off job even) feel free to post.

We'd like to block regular SMTP on Exim (as bundled with cPanel) so that third party servers cannot connect to pass over email to domains we host. Authenticated SMTP via the server when hosted clients are sending email should still be permitted (via smtpauth, not pop-before-smtp).

Why are we doing this? All domains will have their MX set to our incoming email server which handles email filtering jobs then relays the clean email over to the server - this is the only server which will connect to the hosting servers to pass email. Spammers tend to ignore this though and connect direct to the domain A record so this needs to be stopped. The mx server is not used for outgoing email and our clients will still need to use the regular hosting/exim install to send their email.

Blocking port 25 at firewall level and asking clients to use smtp on another port is not an option. Something we have considered is bringing back pop-before-smtp and somehow tying this in with iptables to only allow port 25 traffic to ip's authenticated via pop. Ideally we'll be able to do it at MTA level but this hasn't been researched yet, hence this post.

Any thoughts?

[clook]

Hehe, I thought I may have been pushing my luck with this one

[sparek-3]

I'm not entirely sure if I'm understanding this, I'm not really an exim expert, but I'll give it a shot.

I know you said that using a port other than port 25 is not an option, but you may want to have a read of RFC 2476 (I think this is the right one, its the one I based this off of). From what you describe, you are appear to be describing a classic case of Message Submission, which is really the way e-mail should be handled (again, if I'm reading the RFCs correctly). So I'll go ahead posting my suggestion, but I do realize that you said using another port was not an option.

You have two servers, I'll identify them as authserver - the server that your clients will be sending mail through and mxserver - the server where incoming mail for your domains initially comes into.

On the authserver, use iptables or a firewall to block incoming traffic on port 25 coming into that server. Only open port 25 for incoming connections from mxserver.

In the WHM, set up Exim to run on another port, probably 587 which is suppose to be the MSA port, which is basically what I think you are after. Basically this says that all users are suppose to connect to a Message Submission Agent on port 587 to send out mail, then that message is relayed through the Internet using SMTP on port 25.

Make sure port 587 is open for incoming connection on the authserver in your iptables or firewall.

Then in your WHM disable anti-relayd from the Service Manager. This will basically force users to use SMTP authentication in their e-mail client in order to send out mail through authserver on port 587.

Users will need to configure their e-mail client to use port 587 to send out mail. They will also need to configure their e-mail client to use SMTP authentication. Their outgoing mail server setting should be whatever hostname authserver is referring to.

This way only clients who have mail accounts on authserver will be able to relay out mail from the server. The only server being able to make incoming connection to authserver will be mxserver, which it can do on the regular port 25.

Not sure if this will accomplish what you are after or not, but might give you some pointers.

Hope this helps.

[clook]

Thanks for your reply, very much appreciated.

Unfortunately changing the port users connect to in order to send mail is not an option we'd like to go for at this stage because this will cause an untold amount of hastle for users.

Ideally, there will be a way to set Exim to cut all connections where an authentication has not happened via smtp auth.

IE:

server.hosting.com hosts the domain mydomain.com:

Scenario 1:

Third party server (eg hotmail's server) connects to server.hosting.com on port 25 to try and deliver an email to someone@mydomain.com = connection refused because they should be connecting to the mx server in the dns zone

Scenario 2:

The client who owns mydomain.com with the email address me@mydomain.com connects to server.hosting.com to send an email FROM me@mydomain.com and they have smtp auth enabled in their email client = exim will accept this as normal and send the email.


The basic situation is that all domains will have mx.otherdomain.com set as the primary mx but spammers often ignore this and connect to the domain's A record to send email - we need to reject these connections without blocking users trying to send via smtp auth.

[chirpy]

That should work. That is (just summarising sparek-3's post in steps):

1. block inbound TCP to port 25
2. whitelist mail server for inbound port 25
3. open outbound port 25
4. open inbound alternative port, e.g. 26 or 587 it doesn't matter at all (I believe that MSA suggestion isn't actually used much as it's for messages, not necessarily emails, which aren't the same thing - the RFC for that is a bit odd)
6. disable WHM > Service Manager > antirelayd

[clook]

That should work. That is (just summarising sparek-3's post in steps):

1. block inbound TCP to port 25
2. whitelist mail server for inbound port 25
3. open outbound port 25
4. open inbound alternative port, e.g. 26 or 587 it doesn't matter at all (I believe that MSA suggestion isn't actually used much as it's for messages, not necessarily emails, which aren't the same thing - the RFC for that is a bit odd)
6. disable WHM > Service Manager > antirelayd

Thanks for your reply. To confirm, using the above technique, clients who wish to send email (eg via outlook) will need to change the port in their software to 26/587/whatever?

[sparek-3]

That is correct. I think port 587 is the correct port according to RFC standards (but I could be wrong), but it also doesn't really matter, it just can't be port 25.

[clook]

That is correct. I think port 587 is the correct port according to RFC standards (but I could be wrong), but it also doesn't really matter, it just can't be port 25.

Unfortunately that's not an option for us, it ideally needs to be in the exim.conf. I think we have it sorted using some exim.conf work (to reject the connection unless authentication has happened) and I'll post back after testing in case anyone else is looking for this solution.

[rvskin]

I am not 100% understand your situation. It seems you get the spam emails on the authserver which is supposed to get only clean emails from mxserver and SMTP call from the users host on the authserver.

How about this line, deny all emails which sender_domain is not listed on local domain list.

deny !sender_domains = +local_domains

Add it in RCPT state below the 'accept hosts = :'.

I don't test it. It is on your risk.

[clook]

Thanks for your reply Pairote. That should probably work and it's in a similar direction to where I've been going while researching this.

After spending some time working on some unrelated Exim ACL's and getting to grip with the various options, it should be possible to do what we wish to do using a check very early on in the config for connections without authentication ("!authenticated = *" ?) and also including a condition that ignores our MX server IP's and if it matches, deny the connection with a "This is not an MX server" error.

I'll post back the results when tested and live.

[clook]

We've been rolling out our new email system and have reached the time where testing has begun on how to block spammers connecting directly to the domain A record (ignoring MX records in the dns zone) so I thought I'd post back.

It's early days yet so it's possible this solution may not be 100% suitable but the following looks like it could work:

AFTER:

Code:

check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.
  accept  hosts = :

ADD THIS:

Code:

# no primary mx on this server
deny message = This is not an mx server
log_message = $sender_host_address using us as mx server
!authenticated = *
!hosts = /etc/exim_mx_servers

Then create the file at /etc/exim_mx_servers which is a list of IP's that are allowed to connect directly to deliver email, typically the authorised MX servers which handle the email then pass it onto the inbox.

This basically rejects all connections unless the connection is authenticated (user connecting to send email via smtp) or the system connecting is listed in /etc/exim_mx_servers (your mx boxes). We've got it running on a few boxes in 'warn' status and it's looking good. If anyone can see anything wrong feel free to reply.