Exim experts: blocking non auth smtp

This is something we'll be wanting to do soon and I thought I'd post here for any tips before putting the research into it. If anyone knows how to do this and can offer any tips (or would like it as a paid one off job even) feel free to post.

We'd like to block regular SMTP on Exim (as bundled with cPanel) so that third party servers cannot connect to pass over email to domains we host. Authenticated SMTP via the server when hosted clients are sending email should still be permitted (via smtpauth, not pop-before-smtp).

Why are we doing this? All domains will have their MX set to our incoming email server which handles email filtering jobs then relays the clean email over to the server - this is the only server which will connect to the hosting servers to pass email. Spammers tend to ignore this though and connect direct to the domain A record so this needs to be stopped. The mx server is not used for outgoing email and our clients will still need to use the regular hosting/exim install to send their email.

Blocking port 25 at firewall level and asking clients to use smtp on another port is not an option. Something we have considered is bringing back pop-before-smtp and somehow tying this in with iptables to only allow port 25 traffic to ip's authenticated via pop. Ideally we'll be able to do it at MTA level but this hasn't been researched yet, hence this post.

Any thoughts?

 

Hehe, I thought I may have been pushing my luck with this one

 

Thanks for your reply, very much appreciated.

Unfortunately changing the port users connect to in order to send mail is not an option we'd like to go for at this stage because this will cause an untold amount of hastle for users.

Ideally, there will be a way to set Exim to cut all connections where an authentication has not happened via smtp auth.

IE:

server.hosting.com hosts the domain mydomain.com:

Scenario 1:

Third party server (eg hotmail's server) connects to server.hosting.com on port 25 to try and deliver an email to someone@mydomain.com = connection refused because they should be connecting to the mx server in the dns zone

Scenario 2:

The client who owns mydomain.com with the email address me@mydomain.com connects to server.hosting.com to send an email FROM me@mydomain.com and they have smtp auth enabled in their email client = exim will accept this as normal and send the email.


The basic situation is that all domains will have mx.otherdomain.com set as the primary mx but spammers often ignore this and connect to the domain's A record to send email - we need to reject these connections without blocking users trying to send via smtp auth.

 

Thanks for your reply. To confirm, using the above technique, clients who wish to send email (eg via outlook) will need to change the port in their software to 26/587/whatever?

 

Unfortunately that's not an option for us, it ideally needs to be in the exim.conf. I think we have it sorted using some exim.conf work (to reject the connection unless authentication has happened) and I'll post back after testing in case anyone else is looking for this solution.

 

Thanks for your reply Pairote. That should probably work and it's in a similar direction to where I've been going while researching this.

After spending some time working on some unrelated Exim ACL's and getting to grip with the various options, it should be possible to do what we wish to do using a check very early on in the config for connections without authentication ("!authenticated = *" ?) and also including a condition that ignores our MX server IP's and if it matches, deny the connection with a "This is not an MX server" error.

I'll post back the results when tested and live.

 

We've been rolling out our new email system and have reached the time where testing has begun on how to block spammers connecting directly to the domain A record (ignoring MX records in the dns zone) so I thought I'd post back.

It's early days yet so it's possible this solution may not be 100% suitable but the following looks like it could work:

AFTER:

Code:

check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.
  accept  hosts = :

ADD THIS:

Code:

# no primary mx on this server
deny message = This is not an mx server
log_message = $sender_host_address using us as mx server
!authenticated = *
!hosts = /etc/exim_mx_servers

Then create the file at /etc/exim_mx_servers which is a list of IP's that are allowed to connect directly to deliver email, typically the authorised MX servers which handle the email then pass it onto the inbox.

This basically rejects all connections unless the connection is authenticated (user connecting to send email via smtp) or the system connecting is listed in /etc/exim_mx_servers (your mx boxes). We've got it running on a few boxes in 'warn' status and it's looking good. If anyone can see anything wrong feel free to reply.