Hi there,
I have an Exim server running, and it has been relaying spam.
I cleaned up the spool, updated the Exim version, asked users to change
their passwords and restarted. I didn't find out how spammers were able to
relay through my server.
For now, relaying has stopped, but one sender remains able to relay; here is
a sample from main.log:
2022-09-26 16:15:24 [10] 1ocotI-00000A-0g <= #xxxyyyy'uuss+...@grammatico.me H=(localhost) [45.123.190.53] P=esmtpsa X=TLS1.2:AES256-GCM-SHA384:256 CV=no A=login_server:#xxxyyyy'uuss+zzz S=736
2022-09-26 16:15:31 [12] 1ocotI-00000A-0g => xxx.x...@xxxx.info <xxxx.xxx...@xxxxx.info> R=dnslookup T=remote_smtp H=xxxxxxx.xxxxxxx.xx [195.141.89.98] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes K C="250 2.0.0 Ok: 1599 bytes queued as 4MblCR37H1zlq0LZ"
2022-09-26 16:15:31 [12] 1ocotI-00000A-0g Completed
I don't understand why it is relayed; here are extracts from my config:
---------------------------------------------------------------------------------------------------
#List of domains
domainlist local_domains = grammatico.me
#domainlist local_domains = @ : grammatico.me
domainlist relay_to_domains =
hostlist relay_from_hosts = 163.172.165.90
#hostlist relay_from_hosts = localhost : mail.grammatico.me
qualify_domain = grammatico.me

deny    message     = Restricted characters in address
        domains     = +local_domains
        local_parts = ^[#] : ^[.] : ^.*[@%!/|#+]

deny    message     = Restricted characters in address
        domains     = !+local_domains
        local_parts = ^[#] : ^[./|] : ^.*[@%!#+] : ^.*/\\.\\./

accept  hosts       = +relay_from_hosts
        control     = submission
        control     = dkim_disable_verify

accept  authenticated = *
        control     = submission
        control     = dkim_disable_verify

require message     = relay not permitted
        domains     = +local_domains : +relay_to_domains

plain_server:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${run{/bin/sh -c "echo -e '$auth2\n$auth3' | /usr/sbin/pwauth"}{1}{0}}
  server_set_id = $auth2
  server_prompts = :
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif

login_server:
  driver = plaintext
  public_name = LOGIN
  server_condition = ${run{/bin/sh -c "echo -e '$auth1\n$auth2' | /usr/sbin/pwauth"}{1}{0}}
  server_set_id = $auth1
  server_prompts = <| Username: | Password:
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
It looks like the user #xxxyyyy'uuss+zzz is authenticated, but it certainly
doesn't exist in my /etc/passwd, nor in /etc/shadow.
I have similar attempts which are rejected:
2022-09-26 16:27:01 [48] H=mail.saipan.com (saipan.com) [202.128.0.121] X=TLS1.2:AES256-GCM-SHA384:256 CV=no F=<> rejected RCPT <"#xxxyyyy'uuss+...@mail.grammatico.me"@grammatico.me>: Restricted characters in address
Any help would be much appreciated.
Thanks and best regards,
--
_/) Eric.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
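Added example, not part of the original post and not Exim project code: a small Python audit script that scans Exim main.log arrival ("<=") lines for authenticated submissions (the A=authenticator:id field shown above) and flags any whose authenticated id is not a known local account or contains characters that are unsafe to interpolate into a `sh -c` command string, which is what the server_condition in the config above does with $auth1/$auth2. The log lines, IP addresses and account names in the block are constructed placeholders; on a real host the account set would be read from /etc/passwd.

```python
import re

# Constructed sample of Exim main.log lines modelled on the format in the post.
# Addresses, hostnames and IPs are documentation placeholders, not real data.
SAMPLE_LOG = """\
2022-09-26 16:15:24 [10] 1ocotI-00000A-0g <= #xxxyyyy'uuss+zzz@example.invalid H=(localhost) [203.0.113.10] P=esmtpsa X=TLS1.2:AES256-GCM-SHA384:256 CV=no A=login_server:#xxxyyyy'uuss+zzz S=736
2022-09-26 16:20:02 [11] 1ocotX-00000B-1a <= eric@example.invalid H=(laptop) [198.51.100.7] P=esmtpsa X=TLS1.2:AES256-GCM-SHA384:256 CV=no A=plain_server:eric S=512
2022-09-26 16:22:40 [13] 1ocotY-00000C-2b <= bob@example.invalid H=(desktop) [198.51.100.8] P=esmtpsa X=TLS1.2:AES256-GCM-SHA384:256 CV=no A=plain_server:bob S=640
2022-09-26 16:27:01 [48] H=mail.example.invalid [192.0.2.44] X=TLS1.2:AES256-GCM-SHA384:256 CV=no F=<> rejected RCPT <x@example.invalid>: Restricted characters in address
"""

# Constructed stand-in for the local account list (read /etc/passwd in practice).
KNOWN_ACCOUNTS = {"eric", "alice"}

# Only plain account names are expected from a pwauth-backed authenticator.
PLAIN_NAME = re.compile(r"^[A-Za-z0-9._-]+$")

# Characters that change how /bin/sh parses a command string they are spliced into.
SHELL_META = set("'\"`$\\;|&<>()\n")

# Arrival ("<=") lines: timestamp, message id, sending host IP and A=<authenticator>:<id>.
ARRIVAL = re.compile(
    r"^(?P<ts>\S+ \S+) \[\d+\] (?P<id>\S+) <= .*?\[(?P<ip>[^\]]+)\]"
    r".*?\bA=(?P<auth>[^:\s]+):(?P<user>\S+)"
)


def audit_authenticated_arrivals(log_text, known_accounts):
    """Return one finding per authenticated arrival whose id looks wrong."""
    findings = []
    for line in log_text.splitlines():
        m = ARRIVAL.search(line)
        if not m:
            continue  # not an arrival line, or no authenticator was used
        user = m["user"]
        reasons = []
        if user not in known_accounts:
            reasons.append("id is not a known local account")
        if not PLAIN_NAME.match(user):
            reasons.append("id is not a plain account name")
        meta = sorted(set(user) & SHELL_META)
        if meta:
            reasons.append("id contains shell metacharacters: " + "".join(meta))
        if reasons:
            findings.append({
                "time": m["ts"], "msgid": m["id"], "ip": m["ip"],
                "authenticator": m["auth"], "user": user, "reasons": reasons,
            })
    return findings


def summarise_by_ip(findings):
    """Count suspicious authenticated submissions per source IP."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = audit_authenticated_arrivals(SAMPLE_LOG, KNOWN_ACCOUNTS)
    for f in found:
        print(f"{f['time']} {f['msgid']} from {f['ip']} via {f['authenticator']} as {f['user']!r}")
        for r in f["reasons"]:
            print("   -", r)
    print(summarise_by_ip(found))
```

Run against a real main.log, the script reports every authenticated arrival whose id is not an existing account, which is the check the post applies by hand to /etc/passwd. The shell-metacharacter reason is the one that matters for this configuration: Exim expands $auth1 and $auth2 into the command string before /bin/sh parses it, so a quote character in the presented id changes the command the shell runs, and the {1}{0} result then depends on the shell's exit status rather than on pwauth's verdict. The defensive fix is to stop passing credentials through a shell string altogether; Exim's built-in pam and saslauthd expansion conditions take $auth1 and $auth2 as data rather than as command text.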