Hi There,

I have an Exim server running, and it has been relaying spam....

I cleaned up the spool, updated the Exim version, asked users to change their passwords and restarted. I didn't find how spammers were able to relay through my server.

From now on, relaying is stopped, but one remains able to relay; here is a sample from main.log:

2022-09-26 16:15:24 [10] 1ocotI-00000A-0g <= #xxxyyyy'uuss+...@grammatico.me H=(localhost) [45.123.190.53] P=esmtpsa X=TLS1.2:AES256-GCM-SHA384:256 CV=no A=login_server:#xxxyyyy'uuss+zzz S=736
2022-09-26 16:15:31 [12] 1ocotI-00000A-0g => xxx.x...@xxxx.info <xxxx.xxx...@xxxxx.info> R=dnslookup T=remote_smtp H=xxxxxxx.xxxxxxx.xx [195.141.89.98] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes K C="250 2.0.0 Ok: 1599 bytes queued as 4MblCR37H1zlq0LZ"
2022-09-26 16:15:31 [12] 1ocotI-00000A-0g Completed


I don't understand why it is relayed; here are extracts from my config:

---------------------------------------------------------------------------------------------------

#List of domains

domainlist local_domains = grammatico.me
#domainlist local_domains = @ : grammatico.me
domainlist relay_to_domains =
hostlist   relay_from_hosts = 163.172.165.90
#hostlist   relay_from_hosts = localhost : mail.grammatico.me


qualify_domain = grammatico.me


deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[#] : ^[.] : ^.*[@%!/|#+]

deny    message       = Restricted characters in address
          domains       = !+local_domains
          local_parts   = ^[#] : ^[./|] : ^.*[@%!#+] : ^.*/\\.\\./

accept  hosts         = +relay_from_hosts
          control       = submission
          control       = dkim_disable_verify


accept  authenticated = *
          control       = submission
          control       = dkim_disable_verify


require message = relay not permitted
          domains = +local_domains : +relay_to_domains


plain_server:
  driver                     = plaintext
  public_name                = PLAIN
  server_condition = ${run{/bin/sh -c "echo -e '$auth2\n$auth3' | /usr/sbin/pwauth"}{1}{0}}
  server_set_id              = $auth2
  server_prompts             = :
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif


login_server:
  driver                     = plaintext
  public_name                = LOGIN
  server_condition = ${run{/bin/sh -c "echo -e '$auth1\n$auth2' | /usr/sbin/pwauth"}{1}{0}}
  server_set_id              = $auth1
  server_prompts             = <| Username: | Password:
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------

Looks like the user #xxxyyyy'uuss+zzz is authenticated, but it certainly doesn't exist in my /etc/passwd, nor in /etc/shadow.

I have similar attempts which are rejected:

2022-09-26 16:27:01 [48] H=mail.saipan.com (saipan.com) [202.128.0.121] X=TLS1.2:AES256-GCM-SHA384:256 CV=no F=<> rejected RCPT <"#xxxyyyy'uuss+...@mail.grammatico.me"@grammatico.me>: Restricted characters in address

Any help would be much appreciated.

Thanks and best regards,

--
_/) Eric.
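Added example, not part of Eric's post or of Exim itself: a small Python audit that parses Exim main.log `<=` arrival lines in the layout quoted above and reports authenticated ids that are not plausible system account names or that contain shell metacharacters (the posted server_condition hands $auth1/$auth2 to /bin/sh -c, so such ids deserve a second look), plus a HELO of localhost from a non-loopback peer. The sample log lines are constructed with documentation IPs; only the authenticated id from the post is kept verbatim.

```python
import ipaddress
import re

# Exim main.log arrival ("<=") line in the layout the post shows:
# "<ts> [<pid>] <msgid> <= <sender> H=<helo/rDNS> [<ip>] ... A=<authenticator>:<id> ..."
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?:\[\d+\] )?(?P<msgid>\S+) <= (?P<sender>\S+) "
    r"H=(?P<helo>.+?) \[(?P<ip>[^\]]+)\](?P<rest>.*)$"
)
AUTH_RE = re.compile(r" A=(?P<auth>[^:\s]+):(?P<id>\S+)")

# pwauth checks system accounts, so a legitimate id should look like a Unix login name.
UNIX_LOGIN_RE = re.compile(r"^[a-z_][a-z0-9_.-]*$")
# Characters with special meaning on a shell command line (the posted
# server_condition interpolates the id into one via /bin/sh -c).
SHELL_META = set("'\"`$\\;|&<>(){}\n")


def audit_arrival(line):
    """Return findings for one '<=' log line, or [] if nothing looks off."""
    m = ARRIVAL_RE.match(line)
    if m is None:
        return []  # not an arrival line (=> delivery, Completed, rejects, ...)
    findings = []
    a = AUTH_RE.search(m.group("rest"))
    if a is not None:
        uid = a.group("id")
        meta = sorted(SHELL_META & set(uid))
        if meta:
            findings.append(f"auth id {uid!r} contains shell metacharacters {meta}")
        if not UNIX_LOGIN_RE.match(uid):
            findings.append(f"auth id {uid!r} is not a plausible Unix login name")
    ip = ipaddress.ip_address(m.group("ip"))
    if "localhost" in m.group("helo") and not ip.is_loopback:
        findings.append(f"HELO claims localhost but peer is {ip}")
    return [f"{m.group('msgid')} from [{ip}]: {f}" for f in findings]


# Constructed sample: line 1 mirrors the line quoted in the post (id verbatim,
# documentation IPs); line 2 is an ordinary authenticated submission.
SAMPLE_LOG = """\
2022-09-26 16:15:24 [10] 1ocotI-00000A-0g <= user@example.test H=(localhost) [203.0.113.53] P=esmtpsa X=TLS1.2:AES256-GCM-SHA384:256 CV=no A=login_server:#xxxyyyy'uuss+zzz S=736
2022-09-26 17:01:02 [22] 1ocpa1-00000B-1x <= eric@example.test H=laptop.example.test [192.0.2.10] P=esmtpsa X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no A=plain_server:eric S=1024
"""


def audit_log(text):
    return [f for line in text.splitlines() for f in audit_arrival(line)]
```

Running `audit_log(SAMPLE_LOG)` over the constructed sample yields three findings for the first line and none for the second; pointing it at a real main.log is a quick way to see which authenticated ids and source addresses are worth blocking while the authenticator itself is being reviewed.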


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
