possible open relaying?

dev.null

Well-Known Member
May 27, 2003
I'm an exim novice and know just enough to be dangerous. I may have shot myself in the foot with my exim.conf by recently adding whitelist capability and would appreciate any help in diagnosing this relay problem. I don't want to be an open relay but can't seem to figure out where the relay is being permitted.

exim -bpc yields lines like this:

0m 2.0K 1IPhmV-000291-01 <>
[email protected]

llpwdigitalportfolio.com isn't hosted on my box, so this isn't email sent to a local address. The from address of <> is immediately suspicious because it should be filled in, and I'd expect it to be an account on my box.

I decide to take a look in the exim log to see where this email would have come from:

grep 1IPhmV-000291-01 exim_mainlog
2007-08-27 11:49:39 1IPhmV-000291-01 <= <> R=1IPhmU-00020M-IE U=mailnull P=local S=2043
2007-08-27 11:49:39 1IPhmV-000291-01 == [email protected] R=lookuphost T=remote_smtp defer (-53): retry time not reached for any host

It appears this email is actually the result of another email: 1IPhmU-00020M-IE, so I look in the log to see where it came from:

[email protected] [/var/log]# grep 1IPhmU-00020M-IE exim_mainlog
2007-08-27 11:49:38 1IPhmU-00020M-IE <= [email protected] H=201-35-180-84.cslce700.dsl.brasiltelecom.net.br [201.35.180.84] P=smtp S=1149 [email protected]siltelecom.net.br
2007-08-27 11:49:38 1IPhmU-00020M-IE ** [email protected] R=virtual_aliases:
2007-08-27 11:49:39 1IPhmV-000291-01 <= <> R=1IPhmU-00020M-IE U=mailnull P=local S=2043
2007-08-27 11:49:39 1IPhmU-00020M-IE Completed

So it looks like I receive an email (1IPhmU-00020M-IE) that is bound for a valid address on this box ([email protected]), and somehow this email is then split into another email going to [email protected].

My question is how is it that exim is being tricked into relaying like this?

Related files to follow in the next posts (10,000 character limit per post).
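The manual grep chain in the post (find the queued message, follow its R=<message id> back to the message that triggered it, then read that message's arrival line) can be automated. The following script is an added example, not code from the poster or from exim, that parses exim_mainlog lines and does two things: it links every null-sender message (`<= <>` with `R=<parent id>`) to the inbound message whose failed delivery (`**`) produced it, and separately it flags messages that arrived unauthenticated from a non-loopback host and were handed to a remote transport, which is the trace a genuine relay would leave. The sample log is constructed from the shape of the lines in the post; the addresses, hostnames and IPs are placeholders, and the assumption that only loopback counts as "local" is marked in the code.

```python
"""Correlate exim_mainlog lines: link null-sender bounces to the inbound message
that triggered them, and flag unauthenticated remote-to-remote deliveries.

Added example (not the poster's or exim's code). Sample data below is constructed
to mirror the line shapes in the post; every address, host and IP is a placeholder.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
2007-08-27 11:49:38 1IPhmU-00020M-IE <= forged-sender@external.example H=host.dsl.example.net [203.0.113.84] P=smtp S=1149
2007-08-27 11:49:38 1IPhmU-00020M-IE ** user@localdomain.example R=virtual_aliases: Unrouteable address
2007-08-27 11:49:39 1IPhmV-000291-01 <= <> R=1IPhmU-00020M-IE U=mailnull P=local S=2043
2007-08-27 11:49:39 1IPhmV-000291-01 == forged-sender@external.example R=lookuphost T=remote_smtp defer (-53): retry time not reached for any host
2007-08-27 11:49:39 1IPhmU-00020M-IE Completed
2007-08-27 11:50:02 1IPhnA-00029Z-Ab <= alice@localdomain.example H=localhost [127.0.0.1] P=esmtpa A=dovecot_login:alice S=900
2007-08-27 11:50:02 1IPhnA-00029Z-Ab => bob@other.example R=lookuphost T=remote_smtp
2007-08-27 11:50:02 1IPhnA-00029Z-Ab Completed
2007-08-27 11:51:10 1IPhnB-00029Z-Ac <= someone@random.example H=mail.random.example [198.51.100.7] P=smtp S=500
2007-08-27 11:51:10 1IPhnB-00029Z-Ac => victim@other.example R=lookuphost T=remote_smtp
2007-08-27 11:51:10 1IPhnB-00029Z-Ac Completed
"""

# Exim message ids look like 1IPhmU-00020M-IE: 6, 6 and 2 alphanumerics.
MSGID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>" + MSGID + r")(?: (?P<flag><=|=>|->|==|\*\*))? ?(?P<rest>.*)$"
)
LOCAL_IPS = {"127.0.0.1", "::1"}  # assumption: only loopback is treated as a local source


def parse_mainlog(text):
    """Return {message id: record} with envelope sender, source host/IP, whether the
    arrival was authenticated (A=), the parent id for bounces, failed recipients (**)
    and deliveries as (recipient, transport) tuples."""
    msgs = defaultdict(lambda: {"sender": None, "host": None, "ip": None,
                                "authenticated": False, "parent": None,
                                "failed": [], "deliveries": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec, flag, rest = msgs[m["id"]], m["flag"], m["rest"]
        if flag == "<=":
            # arrival line: first token is the envelope sender; "<>" is the null sender bounces use
            sender, _, attrs = rest.partition(" ")
            rec["sender"] = sender
            h = re.search(r"H=(\S+) \[([^\]]+)\]", attrs)
            if h:
                rec["host"], rec["ip"] = h.group(1), h.group(2)
            rec["authenticated"] = re.search(r"(^| )A=", attrs) is not None
            # on a locally generated bounce, R= on the arrival line names the triggering message
            p = re.search(r"R=(" + MSGID + r")\b", attrs)
            if p:
                rec["parent"] = p.group(1)
        elif flag == "**":
            rec["failed"].append(rest.split(" ")[0])
        elif flag in ("=>", "->", "=="):
            t = re.search(r"T=(\S+)", rest)
            rec["deliveries"].append((rest.split(" ")[0], t.group(1) if t else None))
    return msgs


def find_backscatter(msgs):
    """Null-sender messages whose R= points at a message we also saw arrive: the bounce
    goes to that parent's envelope sender, which is whatever the remote client claimed."""
    findings = []
    for mid, rec in msgs.items():
        if rec["sender"] != "<>" or rec["parent"] not in msgs:
            continue
        parent = msgs[rec["parent"]]
        findings.append({"bounce_id": mid, "parent_id": rec["parent"],
                         "bounce_to": parent["sender"], "injected_from": parent["host"],
                         "injected_ip": parent["ip"], "failed_recipients": list(parent["failed"])})
    return findings


def find_relays(msgs):
    """Messages that arrived unauthenticated from a non-local host and were delivered
    through remote_smtp: that, not a bounce, is what an open relay looks like in the log."""
    hits = []
    for mid, rec in msgs.items():
        if rec["sender"] == "<>" or rec["authenticated"] or rec["ip"] in LOCAL_IPS or rec["ip"] is None:
            continue
        remote = [addr for addr, transport in rec["deliveries"] if transport == "remote_smtp"]
        if remote:
            hits.append({"id": mid, "from_host": rec["host"], "relayed_to": remote})
    return hits


if __name__ == "__main__":
    parsed = parse_mainlog(SAMPLE_LOG)
    for f in find_backscatter(parsed):
        print("bounce", f["bounce_id"], "-> ", f["bounce_to"], "caused by", f["parent_id"],
              "from", f["injected_ip"], "failed:", f["failed_recipients"])
    for r in find_relays(parsed):
        print("relay", r["id"], "from", r["from_host"], "to", r["relayed_to"])
```

Run it against a real file with `parse_mainlog(open("/var/log/exim_mainlog").read())`. On the constructed sample the first report shows the same chain as the post (a bounce addressed to the claimed sender of a message that failed at virtual_aliases), while only the last constructed message, which came in unauthenticated from a remote host and went straight out via remote_smtp, is reported as a relay. A large count from the first function and an empty result from the second points at bounce generation for undeliverable inbound addresses rather than at the relay ACLs.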