--On 26 January 2010 18:20:26 +1100 Charlie <[email protected]> wrote:
> Hello,
> I am currently providing an email service to a hotel.
> All SMTP traffic from the hotel is redirected to my Exim server, which
> authenticates it based on the hotel's IP address.

That's a very bad idea. It's completely contrary to best practice for Message Submission. What you should do is this:

Block outbound port 25 at your firewall - except for your mail server.

Require your staff to connect to your message submission service on port 587 with authentication. Don't permit anyone to connect to this port without authenticating.

Check that outbound port 587 is open, so that your guests can reach the message submission servers of their domains. Port 587 should always require authentication. Modern email clients will default to port 587. Also leave 465 open for some cranky Microsoft clients.

Provide documentation for your guests, in case they need to reconfigure their email clients to use port 587. Or, advise them to use web mail.

If you still have people who need to send email on port 25, you may wish to intercept and relay the traffic, but you should be aware that you may not be able to deliver the email since it WILL look like you are spoofing the sender address.

In any event, you should use Exim's rate limiting to limit the number of outbound emails from any local computer. A limit of 100 recipients per day might be suitable.

> This all works great, except recently we have found that spammers have
> found a way to access a computer within the hotel's network, and have
> thus been able to use my server to send emails.

You need to remove that computer from service, and thoroughly disinfect it. Also, review your firewall settings to better protect your network. If third parties are using machines on your network to relay email, they could be doing anything with them.

> The only means by which I think I can restrict traffic so that it *truly*
> comes from within the hotel's IP address, is to make it so that the
> emails must have *only one* 'Received: from' header.

No, you must require them to authenticate. Clearly you can only do this for your staff.

> To further illustrate what I'm talking about, here is a sample header of
> a spam email sent through the hotel network (I've changed IP
> addresses/server names):
>
> Received: from [83.22.55.77] (helo=freha.pl)
>     by myeximserver.com with smtp (Exim 4.69)
>     (envelope-from <[email protected]>)
>     id 1NZTrC-000846-N1; Mon, 25 Jan 2010 18:40:15 +0000
> Received: from unknown (156.209.88.22)
>     by mts.locks.grgtween.net with QMQP; Sat, 23 Jan 2010 20:33:05 -1100
> Received: from mts.locks.grgtween.net ([Sat, 23 Jan 2010 20:21:36 -1100])
>     by smtp-server1.cfdenselr.com with ESMTP; Sat, 23 Jan 2010 20:21:36 -1100
> Received: from m1.gns.snv.thisdomainl.com ([14.45.232.93]) by
>     relay37.vosimerkam.net with NNFMP; Sat, 23 Jan 2010 20:04:57 -1100
>
> If the email was truly from just within the hotel's network, it would
> only have the header below (i.e. only one 'Received: from' header)
>
> Received: from [83.22.55.77] (helo=freha.pl)
>     by myeximserver.com with smtp (Exim 4.69)
>     (envelope-from <[email protected]>)
>     id 1NZTrC-000846-N1; Mon, 25 Jan 2010 18:40:15 +0000
>
> Any way to do this?

--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
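The advice in the reply above (authenticated submission only on 587/465, no relaying by source IP on port 25, and a 100-recipients-per-day rate limit) written out as an Exim 4 ACL sketch. This is an added example, not configuration from the thread or from either poster. It assumes that SMTP authenticators are already defined so that $authenticated_id is set after a successful AUTH, that +local_domains lists the domains the server accepts inbound mail for, and that the firewall rule blocking outbound port 25 from the LAN is handled separately; all of those are assumptions, not things the thread states.

```exim
# Added example, not from the exim-users thread. Assumes: authenticators are
# configured (so $authenticated_id is set after SMTP AUTH), +local_domains is
# defined, and the firewall already blocks outbound 25 except from this host.

daemon_smtp_ports    = 25 : 587 : 465
tls_on_connect_ports = 465            # implicit TLS for clients that insist on 465

# Only advertise AUTH once TLS is up, so credentials never cross the wire in clear.
# ($tls_cipher is empty until STARTTLS/implicit TLS has completed; on Exim >= 4.80
#  the newer name is $tls_in_cipher.)
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Submission ports (587/465) are for authenticated users only. The source
  # IP is deliberately not a factor: a compromised LAN host has the same
  # address as a legitimate one, which is exactly the failure in the thread.
  deny    condition      = ${if or{{= {$interface_port}{587}}{= {$interface_port}{465}}}}
          !authenticated = *
          message        = Message submission on this port requires SMTP AUTH

  # Per-user outbound cap: 100 recipients per day, counted at RCPT time.
  # "strict" keeps counting while the sender is over the limit, so a
  # compromised account cannot average its way back under the cap.
  deny    authenticated  = *
          ratelimit      = 100 / 1d / per_rcpt / strict / $authenticated_id
          message        = Daily limit of $sender_rate_limit recipients reached for $authenticated_id
          log_message    = RATELIMIT $authenticated_id at $sender_rate per $sender_rate_period

  # Authenticated and under the limit: relay anywhere.
  accept  authenticated  = *

  # Port 25 (and anything else unauthenticated): inbound mail for our own
  # domains only. There is no "accept hosts = <hotel LAN>" clause any more.
  accept  domains        = +local_domains
          verify         = recipient

  deny    message        = relay not permitted
```

The ordering matters: the ratelimit deny sits before the blanket accept for authenticated clients, so every authenticated RCPT is counted and refused once the daily key for that user is exhausted, and the final deny is what turns the old IP-based open relay into a closed one.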
