Mailing List Archive

Block email from my host to my host without authorization
Hello
How do I block sending mail from my host to my host's users without authorization, so that there are no such situations in the future?
41.56.57.80 is not my IP address.

Return-path: <katowice@domain.dot.com>
Envelope-to: katowice@domain.dot.com
Delivery-date: Sat, 19 Jan 2019 09:44:50 +0100
Received: from exim by domain.dot.com with bogodone (Exim 4.91)
(envelope-from <katowice@domain.dot.com>)
id 1gkmFF-0002yr-NK
for katowice@domain.dot.com; Sat, 19 Jan 2019 09:44:50 +0100
Received: from [41.56.57.80]
by domain.dot.com with esmtp (Exim 4.91)
(envelope-from <katowice@domain.dot.com>)
id 1gkmFE-0002ym-UR
for katowice@domain.dot.com; Sat, 19 Jan 2019 09:44:49 +0100
Message-ID: <B7A688EC4A99C22E3F1175D3005BB7A6@ORMX1OT69>
From: <katowice@domain.dot.com>
To: <katowice@domain.dot.com>

regards
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Block email from my host to my host without authorization
> How do I block sending mail from my host to my host's users without
> authorization, so that there are no such situations in the future?
> 41.56.57.80 is not my IP address.

> Received: from [41.56.57.80]
> by domain.dot.com with esmtp (Exim 4.91)
> (envelope-from <katowice@domain.dot.com>)
> id 1gkmFE-0002ym-UR
> for katowice@domain.dot.com; Sat, 19 Jan 2019 09:44:49 +0100

You asked this question on a mailing list. Some mailing lists
don't alter envelope-from, so you'd not receive your own messages
back from such mailing lists. Also, the easiest way to test
whether your Exim is working at the moment is to send an email
through it to a forwarder which sends it to your email address.

What you quoted looks like an "I hacked your mailbox" scam
sent from a trojaned home Windows machine, with no RDNS in this instance.
So, I can advise this solution for the RCPT ACL:

# Remember whether the sending host is CBL-listed (acl_m_cbl is only set if so).
# Note: cbl.abuseat.org has since been retired; its data is now in Spamhaus XBL.
warn
  dnslists = cbl.abuseat.org
  set acl_m_cbl = 1

# Deny mail that claims to come from the very mailbox it is addressed to
# (in the RCPT ACL, $local_part@$domain is the recipient) unless it was
# submitted with SMTP AUTH, came from one of our own interface addresses (@[]),
# or came from a host with a real reverse-DNS name that is neither generic
# (IP-octets-in-name) nor CBL-listed.  DNSWL/SWL-listed hosts are exempted;
# dnswl's 127.0.0.255 return code means our queries are refused, not a listing.
deny
  message        = it looks like we did not send this
  condition      = ${if eqi{$sender_address}{$local_part@$domain}}
  !authenticated = *
  !hosts         = @[]
  condition      = ${if or{\
                     {!def:sender_host_name}\
                     {match{$sender_host_name}{\N(\d{1,3}[-.]){3}\d\N}}\
                     {def:acl_m_cbl}\
                   }}
  !dnslists      = list.dnswl.org!=127.0.0.255 : swl.spamhaus.org


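The check in the ACL above, re-implemented over a message's headers as an added example (this is not code from the thread or from Exim): it reads the Return-path/Envelope-to pair and the Received: hop our MX wrote, and applies the same tests the ACL does (self-addressed, no SMTP AUTH, not from our own address, missing or generic reverse DNS or DNSBL-listed, not allowlisted). The sample headers are constructed after the ones quoted in the thread; the DNSBL/DNSWL lookups are injectable callbacks that default to "not listed" so the script runs offline, and the local domain and interface address passed in are placeholders.

```python
"""
Offline version of the "it looks like we did not send this" check: flag a
message whose envelope sender equals its recipient at one of our domains when
the hop that delivered it to us was neither authenticated nor from one of our
own addresses, and has no (or only a generic) reverse-DNS name or is listed.
"""
import email
import re
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the thread; the tabs
# fold the Received: lines the way Exim writes them.
SAMPLE = (
    "Return-path: <katowice@domain.dot.com>\n"
    "Envelope-to: katowice@domain.dot.com\n"
    "Delivery-date: Sat, 19 Jan 2019 09:44:50 +0100\n"
    "Received: from exim by domain.dot.com with bogodone (Exim 4.91)\n"
    "\t(envelope-from <katowice@domain.dot.com>)\n"
    "\tid 1gkmFF-0002yr-NK\n"
    "\tfor katowice@domain.dot.com; Sat, 19 Jan 2019 09:44:50 +0100\n"
    "Received: from [41.56.57.80]\n"
    "\tby domain.dot.com with esmtp (Exim 4.91)\n"
    "\t(envelope-from <katowice@domain.dot.com>)\n"
    "\tid 1gkmFE-0002ym-UR\n"
    "\tfor katowice@domain.dot.com; Sat, 19 Jan 2019 09:44:49 +0100\n"
    "Message-ID: <B7A688EC4A99C22E3F1175D3005BB7A6@ORMX1OT69>\n"
    "From: <katowice@domain.dot.com>\n"
    "To: <katowice@domain.dot.com>\n"
    "Subject: (constructed sample)\n"
    "\n"
    "body text\n"
)

# Matches 'from HOST ([IP])', 'from HOST [IP]' or 'from [IP]' ... 'by HOST with PROTO'.
HOP_RE = re.compile(
    r"from\s+(?:(?P<name>[A-Za-z0-9.-]+)\s+)?\(?(?:helo=\S+\s+)?"
    r"\[(?P<ip>[^\]]+)\].*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>\w+)"
)
# Exim appends 'a' to the protocol when the peer authenticated (esmtpa, esmtpsa).
AUTH_PROTOS = {"esmtpa", "esmtpsa", "asmtp"}
# Same test as the ACL's regex: a name built from IP octets is generic, not a real MTA.
GENERIC_NAME_RE = re.compile(r"(\d{1,3}[-.]){3}\d")


def external_hop(msg):
    """Most recent Received: hop that names a bracketed peer IP, i.e. the hop
    where our MX took the message from the network (the internal re-injection
    hop in the sample has no IP and is skipped)."""
    for received in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(received.split()))
        if m:
            return m.groupdict()
    return None


def looks_like_self_forgery(raw, local_domains, our_ips,
                            dnsbl_listed=lambda ip: False,
                            allowlisted=lambda ip: False):
    """Return (verdict, reason).  The lookup callbacks default to 'not listed'
    so this runs offline; plug in real DNSBL/DNSWL queries in production."""
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("Return-path", ""))[1].lower()
    rcpt = parseaddr(msg.get("Envelope-to", ""))[1].lower()
    if not sender or sender != rcpt:
        return False, "envelope sender and recipient differ"
    if sender.rsplit("@", 1)[-1] not in local_domains:
        return False, "not one of our domains"
    hop = external_hop(msg)
    if hop is None:
        return False, "no network hop found"
    if hop["proto"].lower() in AUTH_PROTOS:          # !authenticated = *
        return False, "submitted with SMTP AUTH"
    if hop["ip"] in our_ips:                          # !hosts = @[]
        return False, "came from one of our own addresses"
    bad_name = hop["name"] is None or GENERIC_NAME_RE.search(hop["name"]) is not None
    if not (bad_name or dnsbl_listed(hop["ip"])):
        return False, "peer has a real reverse-DNS name and is not listed"
    if allowlisted(hop["ip"]):                        # !dnslists = dnswl/swl
        return False, "peer is allowlisted"
    return True, f"self-addressed mail from {hop['ip']} (rDNS: {hop['name'] or 'none'})"


if __name__ == "__main__":
    # Placeholders: our domain and one of our own interface addresses.
    print(looks_like_self_forgery(SAMPLE, {"domain.dot.com"}, {"203.0.113.10"}))
```

Only the hop written by your own MX is trusted here; earlier Received: lines are attacker-controlled and are deliberately never consulted.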
Re: Block email from my host to my host without authorization
On 19 Jan 2019, at 9:46, Lena--- via Exim-users wrote:

> You asked this question on a mailing list. Some mailing lists
> don't alter envelope-from, so you'd not receive your own messages
> back from such mailing lists.

The implementation of mailing lists by transparent forwarding (e.g. what
you'd get from a single traditional multi-address alias) has always been
a problematic mode of operating a mailing list that serves users in
multiple domains and in the modern world of SPF, DMARC, and widespread
forgery it is unworkable in that it makes the overwhelming majority of
personal mailboxes undeliverable.

What is actually dangerous for trying to block forgeries of local
addresses is to look at the From: header. Modifying that is still not a
dominant behavior of mailing lists and may never be, as it interferes
with behavior people don't want to end.

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole

Re: Block email from my host to my host without authorization
I have done this:

In the MAIL FROM ACL:

# 1. Authenticated user on a trusted host with a local sender: accept, and
#    remember it in acl_m0 for the RCPT and DATA ACLs.
accept
  authenticated  = *
  sender_domains = +local_domains
  hosts          = +relay_from_hosts
  set acl_m0     = authorizedrelay

# 2. Nobody else may use our domains, or any subdomain of them, as envelope
#    sender.  \N...\N keeps the regex out of string expansion.
deny
  message        = You can't spoof the domains this server is authoritative for
  sender_domains = \N^(?i)(.*\.)?sebbe\.eu$\N : +local_domains

# 3. Machines on the local net must authenticate even for foreign senders,
#    so an infected desktop cannot submit mail directly.
deny
  message = Local users must authenticate
  hosts   = +relay_from_hosts


Description:
The first rule lets authenticated users (correct username/password and
also a correct IP) through. It also sets a variable so it "remembers"
that the user in question is authorized for the RCPT and MAIL checks.
I have also disabled announcing AUTH to unauthorized IPs, so
it's a double-check there.
If not authenticated, the MAIL FROM may not end in "sebbe.eu".
The third rule, which forces local users on the local net to
authenticate, is a dirty check just to prevent virus/bot software from
mailing.


In the RCPT TO ACL:

# Anything flagged at MAIL time may go anywhere; treat it as a submission
# (header fixups, but keep the envelope sender) and skip DKIM verification.
accept
  condition = ${if eq{$acl_m0}{authorizedrelay}}
  control   = submission/sender_retain
  control   = dkim_disable_verify

# Everyone else may only deliver to our own domains.
require
  message = relay not permitted
  domains = +local_domains


Description: This accepts mail that is authorized (in the MAIL stage)
regardless of destination, and also sets the submission fixup and disables
DKIM verification. Otherwise it rejects mail that is not destined for a local
mailbox.

In the DATA ACL:

# Unauthorized mail may not mention our domain anywhere in From:, display
# name included, so "sebbe.eu support <x@example.org>" is refused as well.
deny
  message   = You can't spoof the MIME From this server is authoritative for
  condition = ${if !eq{$acl_m0}{authorizedrelay}}
  condition = ${if match{$h_from:}{\N(?i)sebbe\.eu\N}}

# Authorized users must send as a local address.  ${address:} extracts the
# bare address, so a From: without angle brackets is handled too.
deny
  message   = Authorized relayed messages MUST have a local MIME From
  condition = ${if eq{$acl_m0}{authorizedrelay}}
  condition = ${if !match{${address:$h_from:}}{\N(?i)@sebbe\.eu$\N}}


Description:
This disables local spoofing in the MIME From.
It also requires a local address for authorized users, to prevent bot/virus
software from spoofing it, so any breach becomes more traceable.



In addition, I have enabled SPF and made "softfail" and "hardfail"
both end up in a reject, which also cuts down on a LOT of spoofing.

On Sat, 19 Jan 2019 at 12:51, Sławomir Dworaczek via Exim-users
<exim-users@exim.org> wrote:
>
> Hello
> How to block sending mail from my host to my host users without authorization, so that in the future there are no such situations
> 41.56.57.80 is not my ip address
>
> Return-path: <katowice@domain.dot.com>
> Envelope-to: katowice@domain.dot.com
> Delivery-date: Sat, 19 Jan 2019 09:44:50 +0100
> Received: from exim by domain.dot.com with bogodone (Exim 4.91)
> (envelope-from <katowice@domain.dot.com>)
> id 1gkmFF-0002yr-NK
> for katowice@domain.dot.com; Sat, 19 Jan 2019 09:44:50 +0100
> Received: from [41.56.57.80]
> by domain.dot.com with esmtp (Exim 4.91)
> (envelope-from <katowice@domain.dot.com>)
> id 1gkmFE-0002ym-UR
> for katowice@domain.dot.com; Sat, 19 Jan 2019 09:44:49 +0100
> Message-ID: <B7A688EC4A99C22E3F1175D3005BB7A6@ORMX1OT69>
> From: <katowice@domain.dot.com>
> To: <katowice@domain.dot.com>
>
> regards

Re: Block email from my host to my host without authorization
Thank you Sebastian! Your rules cover only one domain. How do I modify these rules for a multi-domain Exim?

regards
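Sebastian's three-stage scheme (MAIL, RCPT, DATA with an acl_m0 flag carried between stages) as a runnable model, generalised to a set of local domains as the last message asks; this is added example code, not Exim configuration or code from the thread. LOCAL_DOMAINS, RELAY_FROM_HOSTS and every address below are placeholders, and where the quoted fragments end (the remainder of the MAIL ACL) the model assumes an accept, since inbound mail is filtered by recipient at RCPT.

```python
"""
Model of a three-stage submission policy: MAIL FROM decides who is an
authorized relay user and records it, RCPT TO enforces relaying, DATA checks
the From: header.  Generalised from one hard-coded domain to a set.
"""
import ipaddress
from dataclasses import dataclass, field
from email.utils import parseaddr

# Assumed settings, standing in for Exim's +local_domains and +relay_from_hosts.
LOCAL_DOMAINS = {"sebbe.eu", "domain.dot.com"}
RELAY_FROM_HOSTS = [ipaddress.ip_network("192.0.2.0/24")]
AUTHORIZED = "authorizedrelay"


@dataclass
class Session:
    """State of one SMTP transaction; acl_m0 survives from MAIL to DATA."""
    ip: str
    authenticated: bool = False
    acl_m0: str = ""
    controls: set = field(default_factory=set)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_local_domain(domain: str) -> bool:
    """Exact match, like 'domains = +local_domains'."""
    return domain.lower() in LOCAL_DOMAINS


def is_ours_or_subdomain(domain: str) -> bool:
    """The '^(?i)(.*\\.)?sebbe\\.eu$' test, applied to every local domain."""
    d = domain.lower()
    return any(d == ld or d.endswith("." + ld) for ld in LOCAL_DOMAINS)


def is_relay_host(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RELAY_FROM_HOSTS)


def acl_mail(s: Session, sender: str):
    dom = domain_of(sender)
    # 1. Authenticated, on a trusted host, local sender: remember it.
    #    (An authenticated user on a foreign IP does NOT qualify and falls
    #    through to rule 2; that is how the original is written.)
    if s.authenticated and is_local_domain(dom) and is_relay_host(s.ip):
        s.acl_m0 = AUTHORIZED
        return "accept", ""
    # 2. Nobody else may use our domains or their subdomains as envelope sender.
    if is_ours_or_subdomain(dom):
        return "deny", "You can't spoof the domains this server is authoritative for"
    # 3. Local-net machines must authenticate even for foreign senders.
    if is_relay_host(s.ip):
        return "deny", "Local users must authenticate"
    return "accept", ""  # assumption: the unquoted rest of the MAIL ACL accepts


def acl_rcpt(s: Session, rcpt: str):
    if s.acl_m0 == AUTHORIZED:
        s.controls.update({"submission/sender_retain", "dkim_disable_verify"})
        return "accept", ""
    if not is_local_domain(domain_of(rcpt)):
        return "deny", "relay not permitted"
    return "accept", ""


def acl_data(s: Session, from_header: str):
    # Unauthorized mail may not mention our domain anywhere in From:
    # (display name included), mirroring match{$h_from:}{sebbe\.eu}.
    mentions_local = any(ld in from_header.lower() for ld in LOCAL_DOMAINS)
    if s.acl_m0 != AUTHORIZED and mentions_local:
        return "deny", "You can't spoof the From: of domains this server is authoritative for"
    # Authorized users must send as a local address (keeps a breach traceable);
    # parseaddr handles From: with or without angle brackets.
    if s.acl_m0 == AUTHORIZED and not is_local_domain(domain_of(parseaddr(from_header)[1])):
        return "deny", "Authorized relayed messages MUST have a local From:"
    return "accept", ""


def run_transaction(ip, authenticated, sender, rcpts, from_header):
    """Drive one transaction through the three stages; stop at the first deny.
    Returns (stage, message) on deny or ("ACCEPT", controls) otherwise."""
    s = Session(ip=ip, authenticated=authenticated)
    verdict, msg = acl_mail(s, sender)
    if verdict == "deny":
        return "MAIL", msg
    for r in rcpts:
        verdict, msg = acl_rcpt(s, r)
        if verdict == "deny":
            return "RCPT", msg
    verdict, msg = acl_data(s, from_header)
    if verdict == "deny":
        return "DATA", msg
    return "ACCEPT", sorted(s.controls)


if __name__ == "__main__":
    # The self-addressed forgery from the thread, and a legitimate relay.
    print(run_transaction("198.51.100.7", False, "katowice@domain.dot.com",
                          ["katowice@domain.dot.com"], "<katowice@domain.dot.com>"))
    print(run_transaction("192.0.2.5", True, "user@sebbe.eu",
                          ["carol@example.net"], "User <user@sebbe.eu>"))
```

The generalisation is the two domain helpers: exact membership in LOCAL_DOMAINS where Exim would use +local_domains, and a suffix test where the original used a single hard-coded regex; adding a domain is then a one-line change to the set.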