/etc/trustedmailhosts too trusting.

Discussion in 'E-mail Discussions' started by Serra, Mar 19, 2010.

  1. Serra

    I'm working with an issue that I had over the past day or so. I have a bunch of clients who run Exchange Servers. We set up their Exchange servers to pass mail back through the server so that it is virus scanned and logged. The only way I can find to do that is to put the Exchange server on /etc/trustedmailhosts.

    This allows the server to send mail without issue. However, a client had an issue where a spammer accessed their Exchange server and started sending spam. Because the server is on /etc/trustedmailhosts, no ratelimiting or domain checks are done. It more or less seems like this creates an open relay for that IP address. I've been running this configuration for a while, but now that I see the potential for abuse, I'm trying to find a workaround.

    Is anyone else doing this? How do they set it up?
     
  2. Ferdinant

    Hi Serra,

    You're absolutely right, there's a bug in the exim configuration (or a documentation bug in WHM itself). Exim accepts mail from any host of the trustedhosts list BEFORE it checks the recipient.

    I already reported this bug to cPanel, Greg is looking at this right now.

    You can create a workaround by moving/copying the "require verify = recipient" before the ACL_TRUSTEDLIST_BLOCK in the Advanced Exim Configuration.

    Please let me know if this solves your problem.
     
    #2 Ferdinant, Mar 23, 2010
    Last edited: Mar 23, 2010
  3. Serra

    I will give that a try and let you know how it works. Thank you.
     
  4. Serra

    I'm struggling with this because I don't think sender verification is what I'm looking for here. From looking at what verify sender does, the mail from this server would pass that test. The mail is coming from a valid domain, but is being sent by a different domain.

    What really needs to happen is that mail from trusted addresses still needs to be rate limited. In my log, I'm seeing rate info on the emails:

    2010-03-25 02:07:20 H=adsl-xxxxxxxxx.net (xxxxxxxxxxxxxxxx.com) [x.x.x.x] Warning: Sender rate 44.8 / 1h


    What I would like to see happen is that this mail be blocked, if it exceeds a rate limit.

    In the long run, trusted mail sources need to be secure; my customer is working on that, but in the meantime, I'd like to rate limit these connections as a little extra security.
     
  5. Ferdinant

    Hi Serra,

    In that case it's not advisable to use trustedhosts for this purpose. Trusted hosts are meant to be like spamfilter clusters which you put in front of the mailserver. Like the Exim Configuration page says about trustedmailhosts:

    Code:
    bypass all SMTP time checks except recipient verification

    So you might take a look at the "Bypass SMTP time sender verification checks" which is far more restrictive than the trustedmailhosts.

    The solution I offered you was a check against the recipient address when the mail came from one of the servers mentioned in the trustedmailhosts.
     
  6. Serra

    The problem is that the only way I can get the Exchange servers that send mail through my system to work is in trustedmailhosts. I've tried bypass, but the server can't send mail if they are in bypass. In the test, we had three Exchange servers we were working with that all were listed in localdomains. (The problem server isn't listed in localdomains.. fyi). The only setting that let them send mail was in trustedmailhosts.

    Maybe the methodology is wrong, is there something I need to do to get bypass to work? I would prefer that option, if it worked.
     
  7. Ferdinant

    Hi Serra,

    If I were you, I would put some spam/virusfilters (cluster) before the Exchange servers. Let them do the spam/virusfiltering and after that relay the mail to the exchange servers.
    Then, on the exchange servers, I'd recommend you firewall all traffic to the SMTP ports except the traffic originating from the spam/virusfilter machines.

    If you need a certain service, we (xxlwebhosting.nl) do offer such a spam/virusfiltering service. Send me a PM if you'd like to know more about it.
     
  8. Serra

    Actually, that is the solution that we implement already. By blocking the SMTP ports to the Exchange server through their firewall, we were able to eliminate any issues, but because the Exchange servers are not ours, we have to trust that the IT people on the other end of the connection are competent. That isn't really being proactive. I'd like to have a redundant verification on my end in the cPanel servers that connect to the various Exchange servers.

    Thanks for the input! Wish I had thought of that a few days ago!
     