The Community Forums

relay acl check a must!!!!

Discussion in 'E-mail Discussions' started by bsasninja, Aug 13, 2007.

  1. bsasninja

    bsasninja Well-Known Member

    Joined:
    Sep 2, 2004
    Messages:
    528
    Likes Received:
    0
    Trophy Points:
    16
    By default Exim allows any address to relay through the SMTP server, even if you are using authentication.

    To prevent relaying from addresses that don't belong to the server, an ACL rule must be placed in exim.conf.

    I read something about

    require
    domains = +local_domains

    But I don't know where to place it.

    Anybody have this rule??

    Another thing: sometimes users send mail to domains that are down or have mail server problems, so the message gets stuck in the server queue and keeps retrying later, which sometimes causes load. Is there a way to prevent this?

    Help will be appreciated!

    Thanks!
     
  2. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider


    You are probably just in /etc/relayhosts because you pop/imaped before smtp.
     
  3. bsasninja

    bsasninja Well-Known Member

    Yeah, but POP before SMTP is not a solution, because you can set up a hotmail.com address in your mail client and use an authenticated account from the server to relay the message.

    The only way is to tell Exim that the only ones allowed to relay are localdomains. I know that it can be done, but I haven't hit the correct rule yet.

    Thanks
     
  4. bsasninja

    bsasninja Well-Known Member

    Anybody have this rule?
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,478
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
  6. lloyd_tennison

    lloyd_tennison Well-Known Member

    Joined:
    Mar 12, 2004
    Messages:
    698
    Likes Received:
    1
    Trophy Points:
    18
    The problem sounds like one of user education rather than a server problem. I can think of quite a few reasons why someone would want to do that, starting with if they have more than one email address, especially when using Outlook.

    Many people have more than one address nowadays. You would also not be able to send email with a reply-to that is only a forward if you do that (i.e. sending an email from an abuse account, etc.).

    So, I would bet most do NOT have that.
     
    #6 lloyd_tennison, Aug 14, 2007
    Last edited: Aug 26, 2007
  7. jerrybell

    jerrybell Well-Known Member

    Joined:
    Nov 27, 2006
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    6
    Ok, so here is what you need to do:
    Open up the exim config advanced editor.
    Scroll down to the section of the "check recipient" ACL.
    Go to the part of that ACL that looks like this:

    #if it gets here it isn't mailman

    accept hosts = *
      authenticated = *


    Make it look like this:

    #if it gets here it isn't mailman
    require verify = sender

    accept sender_domains = +local_domains
      hosts = *
      authenticated = *

    This requires two things:
    - The sender domain must be listed in local_domains
    - The sender must pass the same type of verification test that is performed on incoming mail.

    Now, this will prevent someone from sending mail from dfjf;dfjasdf@microsoft.com on your server, and it will prevent them from sending from ifdsdfsdf@<yourdomain.com> - assuming you do not have a catch all enabled for <yourdomain.com>, but it won't stop bob@yourdomain.com from sending mail as tim@yourdomain.com where tim and bob are valid email accounts. To my knowledge, there is not a way to enforce that level of protection.

    Hope that helps.

    Jerry
     
    #7 jerrybell, Aug 14, 2007
    Last edited: Aug 15, 2007
  8. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member


    Not have what? That rule in their exim config? Really? :rolleyes:
     
    #8 Infopro, Aug 14, 2007
    Last edited: Aug 14, 2007
  9. bsasninja

    bsasninja Well-Known Member

    AWESOME! I will try it!
     
  10. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    Was this on a non-cPanel box?
     
  11. bsasninja

    bsasninja Well-Known Member

    I have this over there

    #if it gets here it isn't mailman

    #recipient verifications are required for all messages that are not sent to the local machine
    #this was done at multiple users requests
    require verify = recipient
      message = "The recipient cannot be verified. Please check all recipients of this message to verify they are valid."


    accept hosts = *
      authenticated = *


    #if they poped before smtp we just accept

    Should I remove this, or do I have to add what you said below it?

    require verify = recipient
      message = "The recipient cannot be verified. Please check all recipients of this message to verify they are valid."


    Thanks again
     
  12. jerrybell

    jerrybell Well-Known Member

    Change this:

    accept hosts = *
      authenticated = *


    Into this:


    require verify = sender

    accept sender_domains = +local_domains
      hosts = *
      authenticated = *


    And give that a shot.
     
  13. bsasninja

    bsasninja Well-Known Member

    Well, I replaced it, but the message is relayed anyway and put in the queue.

    I mean, I set up a test account in Outlook to see if the rule works. I used adkflajf@hotmail.com and sent through an authenticated user of my server, and then the mail goes out, is queued in the Exim spool and doesn't arrive at the destination.

    Is there a way to avoid this relay and queueing of the message? I mean, to refuse it at SMTP time to save bandwidth.

    The forged account that is in the queue is giving a "451 Could not complete sender verify callout" error.
    If I send with any domain listed in localdomains they are fine.

    Thanks again

    This is how my config looks:

    #if it gets here it isn't mailman

    #recipient verifications are required for all messages that are not sent to the local machine
    #this was done at multiple users requests
    require verify = recipient
      message = "The recipient cannot be verified. Please check all recipients of this message to verify they are valid."

    require verify = sender
    accept sender_domains = +local_domains
      hosts = *
      authenticated = *


    #if they poped before smtp we just accept
     
    #13 bsasninja, Aug 15, 2007
    Last edited: Aug 15, 2007
  14. jerrybell

    jerrybell Well-Known Member

    I think I may know what the problem is. Are you using authenticated smtp, or are you using pop before relay?
     
  15. bsasninja

    bsasninja Well-Known Member

    I'm using "SMTP requires authentication".
     
  16. jerrybell

    jerrybell Well-Known Member

    It's strange that it isn't working for you. It works perfectly for me - My email client gets an error when I try to send with a fake address and the email remains in my outbox.

    What does the log show when you sent that email?
     
  17. bsasninja

    bsasninja Well-Known Member

    Here is what I have in the exim mainlog:

    2007-08-15 08:29:39 1ILH4E-0007yk-MN <= afadfa@hotmail.com H=(soporte) [xx.xx.xx.xx]:29516 I=[xx.xx.xx.xx]:25 P=esmtpa A=fixed_login:user@domain.com S=1470 id=07d801c7df2f$8f6a8c10$2201a8c0@soporte T="test" from <afadfa@hotmail.com> for outsideuser@outsidedomain.com

    Could you paste what you have in your exim.conf? Maybe some parameter is missing :(
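    A defender-side complement to the ACL rule from post #7, working from the mainlog line quoted above: this is an added Python example, not code from the thread or from cPanel, that parses Exim "<=" (message received) lines and flags submissions made with SMTP AUTH whose envelope sender domain is not one of the server's own. LOCAL_DOMAINS and the two extra sample lines are constructed for the demonstration.

```python
import re

# Domains this server is authoritative for; stands in for Exim's +local_domains (constructed values)
LOCAL_DOMAINS = {"domain.com", "example.org"}

# Fields of an Exim mainlog "<=" line that matter here: envelope sender, protocol
# (P=esmtpa means SMTP AUTH was used), the authenticated login (A=) and the recipients.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) .*?"
                     r"P=(?P<proto>\S+)(?: A=(?P<auth>\S+))?.*? for (?P<rcpt>.+)$")

def parse_received(line):
    """Return the interesting fields of a '<=' log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    sender = rec["sender"]
    rec["sender_domain"] = sender.rpartition("@")[2].lower() if "@" in sender else ""
    return rec

def is_spoofed_relay(rec, local_domains=LOCAL_DOMAINS):
    """True when an authenticated client submitted mail whose envelope sender domain is
    not one of ours, i.e. exactly what 'sender_domains = +local_domains' stops."""
    if rec is None or not rec["auth"]:
        return False  # unparsable, or inbound mail with no SMTP AUTH: not this check's concern
    return rec["sender_domain"] not in local_domains

def find_spoofed(lines, local_domains=LOCAL_DOMAINS):
    """Scan mainlog lines; return (message id, auth login, envelope sender, recipients) per hit."""
    hits = []
    for line in lines:
        rec = parse_received(line)
        if is_spoofed_relay(rec, local_domains):
            hits.append((rec["id"], rec["auth"], rec["sender"], rec["rcpt"]))
    return hits

# Constructed sample log: the first line is the one quoted in the thread (IPs masked there
# too); the other two are made up to show the cases that must not be flagged.
SAMPLE_LOG = [
    '2007-08-15 08:29:39 1ILH4E-0007yk-MN <= afadfa@hotmail.com H=(soporte) [xx.xx.xx.xx]:29516 '
    'I=[xx.xx.xx.xx]:25 P=esmtpa A=fixed_login:user@domain.com S=1470 '
    'id=07d801c7df2f$8f6a8c10$2201a8c0@soporte T="test" from <afadfa@hotmail.com> for outsideuser@outsidedomain.com',
    # authenticated user sending as an address in a local domain: allowed by the ACL
    '2007-08-15 08:31:02 1ILH5Z-0007zq-AB <= user@domain.com H=(soporte) [xx.xx.xx.xx]:29530 '
    'I=[xx.xx.xx.xx]:25 P=esmtpa A=fixed_login:user@domain.com S=1388 T="ok" for friend@outsidedomain.com',
    # ordinary inbound mail from the Internet, no SMTP AUTH: not a relay at all
    '2007-08-15 08:32:10 1ILH6A-000804-Cd <= someone@hotmail.com H=mx.hotmail.example [198.51.100.7]:41022 '
    'I=[xx.xx.xx.xx]:25 P=esmtp S=2048 T="hello" for user@domain.com',
]
```

    Run find_spoofed() over /var/log/exim_mainlog on a box that still has the default ACL to see which authenticated logins are submitting mail as foreign sender domains before the rule is enforced.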
     
  18. bsasninja

    bsasninja Well-Known Member

    Got it working! Fantastic!

    Got it working now, but there is a little problem.

    When you set up an account in Outlook, for example xafasdf@hotmail.com, using SMTP authentication of your server, you can't send messages. This is fine.

    But if you check POP on the account you are using for authentication and then send the message, it relays without problem.

    Is there a way to prevent this pop before relay for forged address?
     
    #18 bsasninja, Aug 21, 2007
    Last edited: Aug 21, 2007
  19. Andrew Boring

    Andrew Boring Member

    Joined:
    Sep 27, 2006
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1

    You'll need to also turn off the pop-before-smtp daemon if you want to prevent legitimate users from sending legitimate email with other legitimate sender addresses.
     
  20. jerrybell

    jerrybell Well-Known Member

    So, here is my config:
    Code:
    #!!# ACL that is used after the RCPT command
    check_recipient:
      # Exim 3 had no checking on -bs messages, so for compatibility
      # we accept if the source is local SMTP (i.e. not over TCP/IP).
      # We do this by testing for an empty sending host field.
      accept  hosts = :
    
    
      # Accept bounces to lists even if callbacks or other checks would fail
      warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
               condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                    {yes}{no}}
    
      accept   condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                    {yes}{no}}
    
    
      # Accept bounces to lists even if callbacks or other checks would fail
      warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
               condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                    {yes}{no}}
    
      accept   condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                    {yes}{no}}
      
    
               require verify = sender
       
      #if it gets here it isn't mailman
    
      accept  sender_domains = +local_domains
              hosts = *
              authenticated = *
              
    
    
      #if they poped before smtp we just accept
      accept  condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/relayhosts}{1}{${if eq{$sender_host_address}{127.0.0.1}{1}{0}}}}
            add_header = ${perl{popbeforesmtpwarn}{$sender_host_address}}
      accept  hosts = +relay_hosts
          add_header = ${perl{popbeforesmtpwarn}{$sender_host_address}}
    
       #recipient verifications are now done after smtp auth and pop before smtp so the users get back bounces instead of 
       # a clogged outbox in outlook
                    
      #recipient verifications are required for all messages that are not sent to the local machine
      #this was done at multiple users requests
      require verify = recipient
        message = "The recipient cannot be verified.  Please check all recipients of this message to verify they are valid.  Details: $acl_verify_message"
    
    
    
          
    [% ACL_RBL_BLOCK %]
      
      require verify = sender/callout=60s
    
    
    # The only problem with this setup is that if the message is for multiple users on the same server
    # and they are on different unix accounts, the settings for the first recipient which has spamassassin enabled will be used.
    # This shouldn't be a problem 99.9% of the time, however its a very small price to pay for a massive speed increase.
    
    
      warn  domains = ! ${primary_hostname} : +local_domains
        condition = ${if <= {$message_size}{[% ACL_MAX_SPAM_SCAN_SIZE %]K}{${if eq {${acl_m0}}{1}{0}{${perl{acl_checksa_deliver}{$domain}{${extract{5}{:}{${lookup{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}lsearch{/etc/passwd}{$value}}}}}}}}}{0}}
        set acl_m0    = 1
        set acl_m1    = ${lookup{$domain}lsearch*{/etc/userdomains}{$value}}
    
      warn  domains = ${primary_hostname}
        condition = ${if <= {$message_size}{[% ACL_MAX_SPAM_SCAN_SIZE %]K}{${if eq {${acl_m0}}{1}{0}{${perl{acl_checkusersa}{$local_part}{${extract{5}{:}{${lookup{$local_part}lsearch{/etc/passwd}{$value}}}}}}}}}{0}}
        set acl_m0    = 1
        set acl_m1    = $local_part
    
    
      accept  domains = +relay_domains
    
      deny    message = $sender_fullhost is currently not permitted to \
                            relay through this server. Perhaps you \
                            have not logged into the pop/imap server in the \
                            last 30 minutes or do not have SMTP Authentication turned on in your email client.
    
    
    #!!# ACL that is used after the DATA command
    check_message:
    #  Enabling this will make the server non-rfc compliant
    #  require verify = header_sender
     accept  hosts = 127.0.0.1 : +relay_hosts
    
      accept  hosts = *
              authenticated = *
    
      warn
        condition = ${if eq {${acl_m0}}{1}{1}{0}}
        spam =  ${acl_m1}/defer_ok
        log_message = "SpamAssassin as ${acl_m1} detected message as spam"
        add_header = X-Spam-Subject: [% ACL_SPAM_HEADER %] $h_subject
        add_header = X-Spam-Status: Yes, score=$spam_score
        add_header = X-Spam-Score: $spam_score_int
        add_header = X-Spam-Bar: $spam_bar
        add_header = X-Spam-Report: $spam_report
        add_header = X-Spam-Flag: YES
        set acl_m2 = 1
    
      warn
      condition = ${if eq {${acl_m0}}{1}{${if eq {${acl_m2}}{1}{0}{1}}}{0}}
      add_header = X-Spam-Status: No, score=$spam_score
      add_header = X-Spam-Score: $spam_score_int
      add_header = X-Spam-Bar: $spam_bar
      add_header = X-Spam-Flag: NO
        log_message = "SpamAssassin as ${acl_m1} detected message as NOT spam"
     
    [% ACL_SPAM_BLOCK %]
        
     accept
    
    I am using the cPanel 11 release. For me, this seems to do exactly what you want it to. I haven't tested relaying from other hosts.

    Jerry
     