Deny "external" domains on SMTP

Astral God

Hi.

If I try to use my server (smtp.mydomain.com) with good credentials (login: userATmydomain.com + Password) but with an external email (let's say neuserATgmail.com), I can send emails.

Q: Is there a way to accept SMTP connections only if the domain matches the login (smtp.mydomain.com accepts only *ATmydomain.com)?

Thanks.
 

cPanelMichael

Administrator
Staff member
Hello :)

Could you elaborate a bit more on the specific scenario you are referring to? Do you mean you want to disable SMTP for all non-local connections? The following option under "ACL Options" in "WHM Home » Service Configuration » Exim Configuration Manager" may be of interest to you instead:

"Require RFC-compliant HELO"

This will require incoming SMTP connections to send HELO conforming to internet standards (RFC2821 4.1.1.1).

Thank you.
 

Astral God

Let's say you have an account on my server using "yourdomain.com", and you use Thunderbird as your email client.
In your Thunderbird, you have some email accounts (@cpanel.net, @gmail.com, @yourdomain.com).
You use the same SMTP - my server - as your SMTP server.

What I wish is that when you try to send emails with @gmail.com or @gmail.com you're denied, but when you send as @mydomain.com, you're allowed.
 

cPanelMichael

> I wish is that when you try to send emails with @gmail.com or @gmail.com you're denied, but when you send as @mydomain.com, you're allowed.

That should already be configured by default. For instance, I could not configure the SMTP server in my email client with your server's hostname and use it to send email from a Gmail account. It would be denied due to the SMTP authentication requirement.

Thank you.
 

quietFinn

> For instance, I could not configure the SMTP server in my email client with your server's hostname and use it to send email from a Gmail account. It would be denied due to the SMTP authentication requirement.

If you have an email account in his server you can authenticate using that account's credentials in his SMTP server, and after that you are able to send so that the sender address is whatever you want.
 

cPanelMichael

> If you have an email account in his server you can authenticate using that account's credentials in his SMTP server, and after that you are able to send so that the sender address is whatever you want.

If the original poster is referring to this type of scenario, the following option may be useful to them in "WHM Home » Service Configuration » Exim Configuration Manager" under the "Mail" tab:

"EXPERIMENTAL: Rewrite From: header to match actual sender"

"If you enabled this option, the From: header will be rewritten to be the email address of the actual message sender. If you choose the "remote" option, only messages that are being sent to remote destinations will be affected."

Thank you.
 

brianoz

> That should already be configured by default. For instance, I could not configure the SMTP server in my email client with your server's hostname and use it to send email from a Gmail account. It would be denied due to the SMTP authentication requirement.

One would expect that to be configured but it quite definitely isn't and has over the last few months become a major point of spammer attack. They are stealing SMTP passwords from infected/trojanned user PCs and using them to send spam "from" external users (eg [email protected]). Outgoing limits help a lot, but the spam still gets out, so our servers are getting blacklisted.

Obviously this is a major problem - I was contacted about this by one of the major email providers recently (ask me which one offline if you need more info, can provide internal contact point) - and it is being used to attack them in a huge way. For instance, the current round of attacks over Easter was sending out emails as [email protected]. (there were a lot of attacks from the posts here)

We need this fixed in the default cPanel config so that we are protected - possibly a check option to turn on would be great. The rule needs to be something like "only allow authenticated SMTP users to send from the current authenticated domain" (or perhaps, current authenticated email user).

While the "Experimental From" rule does tie the user to a correct email address nicely, I'd prefer to be able to drop or bounce this email as spam immediately. If the spam isn't sent in the first place, there's a lot less work for everyone and no risk of getting blacklisted.

If you have an exim ACL you could point us to that would be a great help as we're getting attacked right now. I understand that the above "Experimental From" helps, but it isn't a real solution as the spam still gets sent.
 

brianoz

Thanks Michael, that's a helpful link.

Here's some more analysis of this so you can see how important it is - there is widespread hacking of cPanel servers across the internet at the moment:

Web Hosting Talk - View Single Post - FEATURED Massive uptick in SMTP Auth spam

The insidious part of this is that spammers send only a small number of messages through any particular account. This can take months to catch! Unless it gets one of your IPs blacklisted, with no symptoms.
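
A detection-side companion to the rule discussed in this thread, as an added example that is not part of any post: it scans Exim main-log arrival lines (`<=`) and reports authenticated messages whose envelope sender domain differs from the domain of the SMTP AUTH login, even when only one message went out per account. The log lines are constructed samples; the `A=authenticator:login` field is standard Exim logging, while the authenticator names `dovecot_login` and `dovecot_plain` are assumptions about the server's configuration.

```python
import re
from collections import Counter

# Exim main-log arrival line:
#   <date> <time> <msgid> <= <envelope-sender> ... A=<authenticator>:<login> ...
ARRIVAL = re.compile(
    r"^\S+ \S+ (?P<msgid>\S+) <= (?P<sender>\S+).*?\sA=(?P<driver>[^:\s]+):(?P<login>\S+)"
)

# Constructed sample log lines (documentation domains and addresses only).
SAMPLE_LOG = """\
2014-04-21 09:15:02 1WcA1b-0003xY-7Q <= alice@example.org H=(laptop) [203.0.113.10]:50122 P=esmtpsa X=TLSv1:AES128-SHA:128 A=dovecot_login:alice@example.org S=1523
2014-04-21 09:17:40 1WcA4f-0003yC-9K <= promo@mail.example.net H=(User) [198.51.100.23]:3312 P=esmtpa A=dovecot_login:bob@example.org S=2210
2014-04-21 09:17:41 1WcA4f-0003yC-9K => someone@example.com R=lookuphost T=remote_smtp H=mx.example.com [192.0.2.5]
2014-04-21 09:20:11 1WcA7h-0003zE-Bd <= carol@example.org U=carol P=local S=812
""".splitlines()


def domain_of(address):
    """Lower-cased domain of user@domain, or None (e.g. a system-account login)."""
    local, at, domain = address.rpartition("@")
    return domain.lower() if at and local and domain else None


def find_mismatches(lines):
    """Return (msgid, login, sender) for authenticated submissions whose
    envelope sender domain differs from the SMTP AUTH login's domain."""
    hits = []
    for line in lines:
        m = ARRIVAL.match(line)
        if not m:
            continue  # deliveries, local submissions, unauthenticated arrivals
        login_dom = domain_of(m["login"])
        sender_dom = domain_of(m["sender"])
        # Logins without a domain cannot be compared and are skipped here.
        if login_dom and sender_dom and login_dom != sender_dom:
            hits.append((m["msgid"], m["login"].lower(), m["sender"].lower()))
    return hits


def per_login(hits):
    """Count flagged messages per login; a count of 1 is still worth a look."""
    return Counter(login for _msgid, login, _sender in hits)


if __name__ == "__main__":
    for msgid, login, sender in find_mismatches(SAMPLE_LOG):
        print(f"{msgid}: login {login} sent as {sender}")
```
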