/etc/trustedmailhosts too trusting.

Serra

Well-Known Member
Oct 27, 2005
267
20
168
Florida
I'm working with an issue that I had over the past day or so. I have a bunch of clients who run Exchange Servers. We set up their Exchange servers to pass mail back through the server so that it is virus scanned and logged. The only way I can find to do that is to put the Exchange server on /etc/trustedmailhosts.

This allows the server to send mail without issue. However, a client had an issue where a spammer accessed their Exchange server and started sending spam. Because the server is on /etc/trustedmailhosts, no rate limiting or domain checks are done. It more or less seems like this creates an open relay for that IP address. I've been running this configuration for a while, but now that I see the potential for abuse, I'm trying to find a workaround.

Is anyone else doing this? How do they set it up?
 

Ferdinant

Active Member
PartnerNOC
Mar 1, 2005
34
0
156
Hi Serra,

You're absolutely right, there's a bug in the Exim configuration (or a documentation bug in WHM itself). Exim accepts mail from any host on the trustedhosts list BEFORE it checks the recipient.

I already reported this bug to cPanel, Greg is looking at this right now.

You can create a workaround by moving/copying the "require verify = recipient" before the ACL_TRUSTEDLIST_BLOCK in the Advanced Exim Configuration.

Please let me know if this solves your problem.
 

Serra

I'm struggling with this because I don't think sender verification is what I'm looking for here. From looking at what verify sender does, the mail from this server would pass that test. The mail is coming from a valid domain, but is being sent by a different domain.

What really needs to happen is that mail from trusted addresses still needs to be rate limited. In my log, I'm seeing rate info on the emails:

2010-03-25 02:07:20 H=adsl-xxxxxxxxx.net (xxxxxxxxxxxxxxxx.com) [x.x.x.x] Warning: Sender rate 44.8 / 1h


What I would like to see happen is that this mail be blocked, if it exceeds a rate limit.

In the long run, trusted mail sources need to be secure; my customer is working on that, but in the meantime, I'd like to rate limit these connections as a little extra security.
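The rate warnings quoted in the post above can be monitored from the log until the ACL itself is changed. The following is an added example, not part of the original thread and not cPanel's or Exim's own code: it scans log lines in the format shown above and reports hosts listed in /etc/trustedmailhosts whose logged sender rate exceeds a threshold. It assumes the file holds one IP address or CIDR range per line; the function names, the threshold and the sample data (documentation addresses) are constructed for illustration.

```python
import ipaddress
import re

# Format as quoted in the post:
#   <date> <time> H=<rdns> (<helo>) [<ip>] Warning: Sender rate <n> / <period>
RATE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=.*?\[(?P<ip>[0-9A-Fa-f:.]+)\] "
    r"Warning: Sender rate (?P<rate>\d+(?:\.\d+)?) / (?P<period>\w+)$"
)

def load_trusted(text):
    """Parse trustedmailhosts-style content (assumed: one IP or CIDR per line)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def trusted_over_limit(log_lines, trusted, limit, period="1h"):
    """Return {ip: (peak_rate, timestamp)} for trusted hosts logged above `limit`."""
    peaks = {}
    for line in log_lines:
        m = RATE_RE.match(line.strip())
        if not m or m["period"] != period:
            continue  # not a rate warning, or measured over another window
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # masked or malformed address in the log
        if not any(ip in net for net in trusted):
            continue  # untrusted hosts are already subject to the normal ACLs
        rate = float(m["rate"])
        if rate > limit and rate > peaks.get(str(ip), (0.0, ""))[0]:
            peaks[str(ip)] = (rate, m["ts"])
    return peaks

# Constructed sample data (documentation address ranges), not from the thread.
SAMPLE_TRUSTED = "192.0.2.10\n198.51.100.0/28  # constructed entry\n"
SAMPLE_LOG = [
    "2010-03-25 02:07:20 H=mail.example.net (exch.example.com) [192.0.2.10] Warning: Sender rate 44.8 / 1h",
    "2010-03-25 02:09:41 H=mail.example.net (exch.example.com) [192.0.2.10] Warning: Sender rate 61.3 / 1h",
    "2010-03-25 02:10:02 H=(helo.example.org) [198.51.100.5] Warning: Sender rate 12.0 / 1h",
    "2010-03-25 02:11:15 H=other.example.org (other.example.org) [203.0.113.7] Warning: Sender rate 90.0 / 1h",
]

if __name__ == "__main__":
    for ip, (rate, ts) in trusted_over_limit(SAMPLE_LOG, load_trusted(SAMPLE_TRUSTED), 40).items():
        print(f"trusted host {ip} peaked at {rate} / 1h ({ts})")
```

This only reports on what Exim has already accepted; it does not block anything.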
 

Ferdinant

Hi Serra,

In that case it's not advisable to use trustedhosts for this purpose. Trusted hosts are meant to be like spamfilter clusters which you put in front of the mailserver. Like the Exim Configuration page says about trustedmailhosts:

Code:
bypass all SMTP time checks except recipient verification
So you might take a look at the "Bypass SMTP time sender verification checks" which is far more restrictive than the trustedmailhosts.

The solution I offered you was a check against the recipient address when the mail came from one of the servers mentioned in the trustedmailhosts.
 

Serra

> Code:
> bypass all SMTP time checks except recipient verification
> So you might take a look at the "Bypass SMTP time sender verification checks" which is far more restrictive than the trustedmailhosts.

The problem is that the only way I can get the Exchange servers that send mail through my system to work is in trustedmailhosts. I've tried bypass, but the server can't send mail if they are in bypass. In the test, we had three Exchange servers we were working with that all were listed in localdomains. (The problem server isn't listed in localdomains.. fyi). The only setting that let them send mail was in trustedmailhosts.

Maybe the methodology is wrong, is there something I need to do to get bypass to work? I would prefer that option, if it worked.
 

Ferdinant

Hi Serra,

If I were you, I would put some spam/virus filters (cluster) before the Exchange servers. Let them do the spam/virus filtering and after that relay the mail to the Exchange servers.
Then, on the Exchange servers, I'd recommend you firewall all traffic to the SMTP ports except the traffic originating from the spam/virus filter machines.

If you need a certain service, we (xxlwebhosting.nl) do offer such a spam/virusfiltering service. Send me a PM if you'd like to know more about it.
 

Serra

> Hi Serra,
>
> If I were you, I would put some spam/virus filters (cluster) before the Exchange servers. Let them do the spam/virus filtering and after that relay the mail to the Exchange servers.
> Then, on the Exchange servers, I'd recommend you firewall all traffic to the SMTP ports except the traffic originating from the spam/virus filter machines.

Actually, that is the solution that we implement already. By blocking the SMTP ports to the Exchange server through their firewall, we were able to eliminate any issues, but because the Exchange servers are not ours, we have to trust that the IT people on the other end of the connection are competent. That isn't really being proactive. I'd like to have a redundant verification on my end in the cPanel servers that connect to the various Exchange servers.

Thanks for the input! Wish I had thought of that a few days ago!