List people.
It seems that my exim/MailScanner/Baruwa mail server is an open relay!
I have looked at the exim documentation Baruwa documentation and just can't
figure out what I have to do.
My system was installed using Jeremy's script and the configuration file for
exim has been heavily modified by the baruwa script.
How do I close the open relay?
Kind Regards
Ritchie
Stuff I've looked at...
I can't see how to do this from the Baruwa settings web gui.
I also am getting really really confused by the myriad of settings in the
/etc/exim/exim.conf file :-(
- RELAY_SQL_DOMAINS - My domains? that exim should deliver to?
- RELAY_SQL_HOSTS - suggests that there is a table in the baruwa database that
holds
a list of hosts who should be allowed to send mail through exim?
- relay_from_hosts = localhost : 192.168.0.101/24 <--- I added our exchange
server
I have had a poke around in the baruwa postgres database looking for relavant
entries in tables. Stumped !
- - - - - - 8< - - - - - - - - - - - exim.conf - - - - - - - - - -
.include /etc/exim/macros.conf
hide pgsql_servers = PGSQL_SERVERS
#primary_hostname =
domainlist local_domains = @ : localhost : localhost.localdomain
#domainlist relay_sql_domains = RELAY_SQL_DOMAINS
domainlist relay_sql_domains =
domainlist relay_sql_smtp_domains = SMTP_SQL_DOMAINS
domainlist relay_sql_lmtp_domains = LMTP_SQL_DOMAINS
domainlist ldap_domains = LDAP_DOMAINS
domainlist smtp_callback_domains = SMTP_CALLBACK_DOMAINS
domainlist whitelisted_domains = WHITELISTED_DOMAINS
domainlist blacklisted_domains = BLACKLISTED_DOMAINS
addresslist whitelisted_addresses = WHITELISTED_ADDRESS
addresslist blacklisted_addresses = BLACKLISTED_ADDRESS
hostlist whitelisted_hosts = WHITELISTED_HOSTS
hostlist blacklisted_hosts = BLACKLISTED_HOSTS
hostlist relay_sql_hosts = RELAY_SQL_HOSTS
hostlist relay_from_hosts = localhost:192.168.0.101/24 <--- I added our
exchange server
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
acl_smtp_mime = acl_check_mime
acl_smtp_connect = acl_check_connect
acl_smtp_helo = acl_check_helo
acl_smtp_dkim = acl_check_dkim
#queue_only = true
#queue_only_override = false
smtp_banner = Baruwa 2.0 $tod_full
smtp_active_hostname = ${if
!eq{$sender_host_address}{$received_ip_address}{${lookup
dnsdb{ptr=$received_ip_address}}}{$primary_hostname}}
smtp_accept_max_per_connection = 60
smtp_accept_max = 0
smtp_load_reserve = 15
smtp_receive_timeout = 3m
smtp_accept_max_nonmail = 10
smtp_max_unknown_commands = 1
message_size_limit = 20M
spool_directory = /var/spool/exim.in
pipelining_advertise_hosts = 127.0.0.1
process_log_path = /var/spool/exim/exim-process.info
#log_file_path=:syslog
#syslog_duplication=false
#syslog_timestamp=false
#log_selector = -rejected_header received_header_text = Received: ${if
def:sender_rcvhost {from $sender_rcvhost\n\t}{${if def:sender_ident {from
${quote_local_part:$sender_ident} }}${if def:sender_helo_name
{(helo=$sender_helo_name)\n\t}}}}by $primary_hostname ${if
def:received_protocol {with $received_protocol}} ${if def:tls_cipher
{($tls_cipher)\n\t}}(Baruwa 2.0)\n\t${if def:sender_address {(envelope-from
<$sender_address>)\n\t}}id $message_exim_id${if !eq {$received_protocol}{split}
{ ret-id none;}{}}${if def:received_for {\n\tfor $received_for}}
av_scanner = clamd:/var/run/clamav/clamd.sock
tls_advertise_hosts = *
tls_certificate = /etc/pki/baruwa/baruwa.pem
tls_privatekey = /etc/pki/baruwa/baruwa.key
tls_on_connect_ports = 465
tls_require_ciphers = TLSv1+HIGH : !SSLv2 : RC4+MEDIUM : !aNULL : !eNULL :
!3DES : !MD5 : !AES : !CAMELLIA : !PSK : !KRB5 : @STRENGTH
daemon_smtp_ports = 25 : 465 : 587
never_users = root
rfc1413_hosts = *
rfc1413_query_timeout = 0s
ignore_bounce_errors_after = 1d
timeout_frozen_after = 3d
auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}
perl_startup = do '/etc/exim/baruwa/exim-bcrypt.pl'
perl_at_start = true
begin acl
acl_check_rcpt:
accept
senders = lsearch;/etc/exim/email_senders
discard
!local_parts = lsearch;/etc/exim/email_users
accept hosts = :
control = submission
drop message = REJECTED - Sender $sender_address is banned
hosts = +blacklisted_hosts
drop message = REJECTED - Domain $sender_address_domain is banned
domains = +blacklisted_domains
drop message = Dictionary attack detected
condition = ${if >{$rcpt_fail_count}{3} {yes}{no}}
delay = 10m
drop message = Legitimate bounces are never sent to more than one
recipient.
senders = : postmaster@*
condition = ${if >{$recipients_count}{1}{true}{false}}
drop message = Restricted characters in address
domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]
drop message = Restricted characters in address
domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
accept local_parts = postmaster
domains = +local_domains : +relay_sql_domains
accept hosts = +relay_from_hosts : +relay_sql_hosts
control = submission/sender_retain
accept authenticated = *
control = submission/sender_retain
require message = relay not permitted
domains = +local_domains : +relay_sql_domains
accept message = Authorized sender: $sender_address
senders = +whitelisted_addresses
accept message = Authorized sender: $sender_address_domain
domains = +whitelisted_domains
drop message = REJECTED - because $sender_host_address is in a black
list spamhaus.org
dnslists = zen.spamhaus.org
ratelimit = 0 / 2h / strict / per_conn
drop message = REJECTED - because $sender_host_address is in a black
list at $dnslist_domain\n$dnslist_text
dnslists = bl.spamcop.net : cbl.abuseat.org
ratelimit = 0 / 2h / strict / per_conn
drop message = REJECTED - $dnslist_text
dnslists = rbl.baruwa.net : rbl.baruwa.net/$sender_address_domain
drop message = REJECTED - We do not accept messages from hosts
without reverse DNS
log_message = No reverse DNS
!verify = reverse_host_lookup
!verify = sender/no_details/callout=2m,defer_ok
!condition = ${if eq{$sender_verify_failure}{}}
drop message = REJECTED - Recipient Verification Failed - User Not
Found
domains = +smtp_callback_domains
#!verify =
recipient/success_on_redirect/callout=2m,defer_ok,use_sender
!verify = recipient/success_on_redirect/callout=2m,defer_ok
drop message = REJECTED - User Not Found
domains = +ldap_domains
condition = ${lookup ldap{${expand:LDAP_LOOKUP}}{0}{1}}
# deny message = SPF_MSG
# spf = soft
# deny message = $sender_host_address doesn't look trustworthy to me
# spf_guess = soft
accept
acl_check_data:
#drop malware = *
# message = This message contains a virus ($malware_name).
accept
acl_check_mime:
drop message = Blacklisted file extension detected
condition = ${if match \
{${lc:$mime_filename}} \
{\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \
{1}{0}}
accept
acl_check_connect:
accept hosts = :
drop message = REJECTED - because $sender_host_address is a banned
sender
hosts = +blacklisted_hosts
accept message = Authorized sender: $sender_host_address
hosts = +whitelisted_hosts
defer ratelimit = 250 / 15m / strict
message = You can only send $sender_rate_limit msgs per
$sender_rate_period
log_message = RATE: $sender_rate/$sender_rate_period (max
$sender_rate_limit)
accept
acl_check_helo:
drop message = REJECTED - no HELO/EHLO greeting
log_message = remote host did not present greeting
condition = ${if def:sender_helo_name {false}{true}}
drop message = REJECTED - HELO is an IP address (See RFC2821 4.1.3)
condition = ${if isip{$sender_helo_name}}
accept
acl_check_dkim:
accept authenticated = *
accept hosts = :
accept hosts = +whitelisted_hosts
# deny message = REJECTED - DKIM failure: $dkim_verify_reason
# dkim_status = none:invalid:fail
# dkim_status = none:invalid
# condition = ${if eq {$dkim_key_testing}{1} {no}{yes}}
warn add_header = X-DKIM: Status on $received_ip_address using Baruwa
2.0: dkim=$dkim_verify_status; \
signing_identity="$dkim_cur_signer"
accept
begin routers
split:
driver = accept
domains = +relay_sql_domains
condition = ${if and {{!eq {$received_protocol}{split}}{gt
{$recipients_count}{1}}}{yes}{no}}
transport = send_to_self
no_verify
no_address_test
message_checks:
driver = redirect
allow_defer
data = :defer: queued for message checks
no_verify
no_address_test
deliver_clean_smtp:
driver = manualroute
domains = +relay_sql_smtp_domains
transport = remote_smtp
route_data = ${lookup pgsql {ROUTE_QUERY}}
no_more
deliver_clean_lmtp:
driver = manualroute
domains = +relay_sql_lmtp_domains
transport = remote_lmtp
route_data = ${lookup pgsql {ROUTE_QUERY}}
no_more
dnslookup:
driver = dnslookup
domains = ! +local_domains : ! +relay_sql_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more
system_aliases:
driver = redirect
allow_fail
allow_defer
domains = @
data = ${lookup{$local_part}lsearch{/etc/aliases}}
file_transport = address_file
pipe_transport = address_pipe
localuser:
driver = accept
check_local_user
transport = local_delivery
cannot_route_message = Unknown user
begin transports
send_to_self:
driver = pipe
batch_max = 1
use_bsmtp
command = /usr/sbin/exim -oMr split -bS
user = exim
remote_smtp:
driver = smtp
delay_after_cutoff = false
remote_lmtp:
driver = smtp
protocol = lmtp
delay_after_cutoff = false
port = 25
local_delivery:
driver = appendfile
file = /var/mail/$local_part
delivery_date_add
envelope_to_add
return_path_add
group = mail
mode = 0660
address_pipe:
driver = pipe
return_output
address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add
begin retry
* * F,2h,15m; G,16h,1h,1.5; F,14d,6h; F,14d,24h
begin rewrite
begin authenticators
PLAIN:
driver = plaintext
server_prompts = :
server_condition = ${if and{ {!eq {$auth2}{}} {!eq {$auth3}{}}\
{bool{${perl{check_password}\
{${lookup pgsql {ORG_CHECK_PLAIN}{$value}}}\
{$auth3}}}\
}\
}\
{yes}{no}}
server_set_id = $2
server_advertise_condition = ${if def:tls_cipher }
LOGIN:
driver = plaintext
server_prompts = "Username:: : Password::"
server_condition = ${if and{ {!eq {$auth1}{}} {!eq {$auth2}{}}\
{bool{${perl{check_password}\
{${lookup pgsql {ORG_CHECK_LOGIN}{$value}}}\
{$auth2}}}}\
}\
{yes}{no}}
server_set_id = $1
server_advertise_condition = ${if def:tls_cipher }
_______________________________________________
http://pledgie.com/campaigns/12056
