The Community Forums


Can you help with an ACL question ?

Discussion in 'E-mail Discussions' started by 4u123, Jan 24, 2008.

  1. 4u123
    Firstly, I need to say that I have no idea how to write ACL's for Exim and I find them very confusing.

    Anyway, here is what I want to achieve....

    I need authenticated users to send mail through the server from any location, but I want all other incoming connections to be dropped if they are not from a specific list of IPs.

    I posted on the exim users list and someone gave me this ACL...

    He also said that this would do the same thing...


    But I am concerned that these will not achieve what I want. Unfortunately, the guy that gave me the info was Russian and we had a communication problem.

    To me those conditions say...

    If the user is not authenticated and he doesn't come from the following list of IPs - drop the connection.

    That's not what I need. Authenticated users should be able to connect from anywhere. It's all other SMTP traffic I want to drop, unless it comes in from the list of IPs specified. Of course those incoming connections will not be required to authenticate, as they are sending mail into the server, not relaying through it. So if the above condition prevents ALL connections unless they are authenticated, it won't achieve what I need.

    Could someone possibly confirm whether or not the condition above will do what I need and, if it's OK, where in the exim config I should put it?
     
    #1 4u123, Jan 24, 2008
    Last edited: Jan 24, 2008
  2. 4u123
    I tried using it but it had no effect at all.

    Could anyone please tell me where in the exim config I should place this?
     
  3. rvskin
    A better idea is to add your authorized IPs, which do not need to do SMTP authentication, to /etc/alwaysrelay. After adding the IPs to the file, restart Exim. That's all you need to do.
     
  4. 4u123
    Hi Pairote.

    That won't achieve what I want for two reasons..

    1. It will allow those IPs to relay through the server. If the RCPT TO: is for a domain that isn't hosted on the server, I need to return 550 - not 250.

    2. Using /etc/alwaysrelay will not drop all other connections. It does not prevent other hosts from sending mail into the server.
     
  5. 4u123
    Essentially this is what I want to achieve...
    drop / reject ALL inbound SMTP traffic into the server except from authenticated mail users and the IPs I specify.

    Reason?

    Because all mail into this server is sent via an anti-spam appliance. All domains' MX records are set external. There is no reason for any mail server to send mail directly to the cPanel server. Only the appliance should be allowed to send mail in. The reason to drop those connections is that some spammers use cached info - or send the mail directly to the server IP - and the server is still receiving spam from them directly. The use of an anti-spam appliance relies on the senders using the MX record for the domain.

    There are two ways to achieve this....

    1. Set the SMTP port for sending mail to something different - then use iptables to deny access to port 25 for all hosts except the ones I want...

    local_interfaces = 127.0.0.1
    daemon_smtp_ports = 2525

    But - I don't want to do that because I don't want to force my customers to change the port in their email software.

    2. Use an ACL.

    An ACL is the perfect answer. The problem is that I am not clever enough to work this out by myself and I can't seem to find anyone who knows how to make it work. The cPanel exim configuration is confusing things for me because it has its own ACLs which could conflict.

    If I add the below ACL into the exim config in WHM, it tells me the syntax is incorrect.

    drop !condition = ${if def:authenticated_id{yes}{no}}
         !hostlist = myip1 : myip2 : myip3
     
    #5 4u123, Jan 25, 2008
    Last edited: Jan 25, 2008
  6. 4u123
    From what I understand, the ACL above is only a small part of one and would need adding to a larger ACL. Is this right?

    Are there any Exim experts here? I've tried the exim users forum but the level of technical expertise there is so high that they assume I know how to write these myself when I haven't the first clue. Really I need to pay someone to do it for me - which I am very happy to do.

    Here is what I'm up against...


    All I can think in response is "Eh?"
     
  7. rvskin
    SMTP authentication is a part of the default cPanel Exim configuration. You do not need to modify anything. Together with /etc/alwaysrelay, you should achieve what you want. Have you tried what I already suggested?
     
  8. 4u123
    I don't want the specified IPs to relay mail through the server. Please read my comments!

    If the IP is allowed to relay, the server will relay messages to anywhere for that IP. It is very important that the listed IPs receive a 550 if the domain is not hosted on the server.

    I'm not sure you have understood the requirements I have explained above.
     
  9. rvskin
    I reread your last post. Now I understand what you want. How about this ACL? Place it below check_recipient:.

    deny domains = +local_domains
         !hosts = IP1 : IP2
         !authenticated = *

    It means deny email sent to your local domains that doesn't come from IP1 or IP2 and is not authenticated.
     
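    A small model of how Exim evaluates the statement in the post above, added here as an illustration; it is not Exim code and not cPanel's exim.conf. The domains and IP ranges are placeholders, and the relay decisions after the deny statement are a simplified stand-in for what the rest of check_recipient does. It also shows why the earlier /etc/alwaysrelay suggestion would have let the listed IPs relay.

```python
import ipaddress

# Model of the ACL semantics discussed in this thread (added illustration, not
# Exim or cPanel code). Exim's "deny" fires only when EVERY condition on the
# statement is true, and a "!" condition is true when its test does NOT match,
# so the three lines together mean "deny mail for a local domain from a client
# that is neither a listed host nor authenticated".
LOCAL_DOMAINS = {"example.com", "example.org"}       # stands in for +local_domains
APPLIANCE_HOSTS = ["192.0.2.10", "198.51.100.0/24"]  # stands in for IP1 : IP2

def host_matches(client_ip, hostlist):
    """Exim-style host list match: plain addresses or CIDR networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(h, strict=False) for h in hostlist)

def rcpt_acl(client_ip, authenticated, rcpt_domain, alwaysrelay_hosts=()):
    """Predict the SMTP response to one RCPT TO under the modelled ACL."""
    is_local = rcpt_domain in LOCAL_DOMAINS
    # rvskin's statement:
    #   deny domains = +local_domains
    #        !hosts = IP1 : IP2
    #        !authenticated = *
    if is_local and not host_matches(client_ip, APPLIANCE_HOSTS) and not authenticated:
        return "550 denied: not the anti-spam appliance and not authenticated"
    # Simplified stand-in for the relay decisions the rest of check_recipient makes.
    if host_matches(client_ip, alwaysrelay_hosts):
        return "250 relay permitted (/etc/alwaysrelay)"   # the behaviour 4u123 rejected
    if is_local:
        return "250 accepted for local delivery"
    if authenticated:
        return "250 relay permitted (authenticated)"
    return "550 relay not permitted"

if __name__ == "__main__":
    # Constructed cases covering both of 4u123's requirements.
    for case in [("192.0.2.10", False, "example.com"),     # appliance -> local: accepted
                 ("192.0.2.10", False, "elsewhere.net"),   # appliance -> remote: 550, no relay
                 ("203.0.113.5", False, "example.com"),    # stray direct sender: denied
                 ("203.0.113.5", True, "elsewhere.net")]:  # authenticated customer: relays
        print(case, "->", rcpt_acl(*case))
```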
  10. 4u123
    Pairote you are a genius!!

    That is perfect. I tested it and it works great!

    Thank you - I've been trying to work this out for days!
     