Mailing List Archive

Mail to self allowed without restrictions
I have an interesting problem I haven't been able to solve. I keep searching
for a solution but I can't seem to find an answer.

Users of my domain are required to authenticate in order to submit email.
Additionally, SPF is enabled and rejects all mail not originating from my MX
server (v=spf1 a mx -all).

I have manually tested both of these policies and they are working as they
should, except in one case: if the MAIL FROM and RCPT TO address are the same,
the mail is accepted without requiring authentication, and without validating
the SPF record. This means some spam gets through by simply claiming to be
from me to me.

Any ideas why Exim does that and how to block it?

--
Al T.
alf@mypals.org



--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Mail to self allowed without restrictions
On 05/02/2019 05:59, Al T. via Exim-users wrote:
> Any ideas why Exim does that

That depends entirely on your Exim config.
--
Jeremy



Re: Mail to self allowed without restrictions
in acl_mail (before SPF check):

accept
  authenticated = *
  sender_domains = +local_domains
  set acl_m0 = authorizedrelay

deny
  message = You can't spoof the domains this server is authoritative for
  sender_domains = +local_domains


then in acl_data:

deny
  message = You can't spoof the MIME From this server is authoritative for
  condition = ${if match {$h_from:}{^(?i).*<.*@(.*YOUR_DOMAIN_HERE>\$}{yes}{no}}
  condition = ${if eq {$acl_m0}{authorizedrelay}{no}{yes}}

Den tis 5 feb. 2019 kl 15:37 skrev Al T. via Exim-users <exim-users@exim.org>:
>
> I have an interesting problem I haven't been able to solve. I keep searching
> for a solution but I can't seem to find an answer.
>
> Users of my domain are required to authenticate in order to submit email.
> Additionally, SPF is enabled and rejects all mail not originating from my MX
> server (v=spf1 a mx -all).
>
> I have manually tested both of these policies and they are working as they
> should, except in one case: if the MAIL FROM and RCPT TO address are the same,
> the mail is accepted without requiring authentication, and without validating
> the SPF record. This means some spam gets through by simply claiming to be
> from me to me.
>
> Any ideas why Exim does that and how to block it?
>
> --
> Al T.
> alf@mypals.org
>
>
>

Re: Mail to self allowed without restrictions
On Tue, Feb 05, 2019 at 04:48:46PM +0100, Sebastian Nielsen via Exim-users wrote:
> in acl_mail (before SPF check):
>
> accept
>   authenticated = *
>   sender_domains = +local_domains
>   set acl_m0 = authorizedrelay
>
> deny
>   message = You can't spoof the domains this server is authoritative for
>   sender_domains = +local_domains
>
>
> then in acl_data:
>
> deny
>   message = You can't spoof the MIME From this server is authoritative for
>   condition = ${if match {$h_from:}{^(?i).*<.*@(.*YOUR_DOMAIN_HERE>\$}{yes}{no}}
>   condition = ${if eq {$acl_m0}{authorizedrelay}{no}{yes}}

The $h_from: refers to mail header "From:", but you previously wrote
about MAIL FROM address, which is generally a different thing.

You had better run Exim with debugging (-d+acl) and study the output.

> Den tis 5 feb. 2019 kl 15:37 skrev Al T. via Exim-users <exim-users@exim.org>...
> > I have manually tested both of these policies and they are working as they
> > should, except in one case: if the MAIL FROM and RCPT TO address are the same,
> > the mail is accepted without requiring authentication, and without validating
> > the SPF record. This means some spam gets through by simply claiming to be
> > from me to me.

--
Eugene Berdnikov

Re: Mail to self allowed without restrictions
My suggested rules cover them both.

The first "deny" blocks mails with a spoofed MAIL FROM address, but the
second deny (that you put in acl_data) blocks mails with a spoofed MIME
From (ergo the "From:" header).
Having both is good because some spammers use a "correct" MAIL FROM
but a spoofed "MIME From" that claims the mail was from yourself.

Den tis 5 feb. 2019 kl 17:28 skrev Evgeniy Berdnikov via Exim-users
<exim-users@exim.org>:
>
> On Tue, Feb 05, 2019 at 04:48:46PM +0100, Sebastian Nielsen via Exim-users wrote:
> > in acl_mail (before SPF check):
> >
> > accept
> >   authenticated = *
> >   sender_domains = +local_domains
> >   set acl_m0 = authorizedrelay
> >
> > deny
> >   message = You can't spoof the domains this server is authoritative for
> >   sender_domains = +local_domains
> >
> >
> > then in acl_data:
> >
> > deny
> >   message = You can't spoof the MIME From this server is authoritative for
> >   condition = ${if match {$h_from:}{^(?i).*<.*@(.*YOUR_DOMAIN_HERE>\$}{yes}{no}}
> >   condition = ${if eq {$acl_m0}{authorizedrelay}{no}{yes}}
>
> The $h_from: refers to mail header "From:", but you previously wrote
> about MAIL FROM address, which is generally a different thing.
>
> You had better run Exim with debugging (-d+acl) and study the output.
>
> > Den tis 5 feb. 2019 kl 15:37 skrev Al T. via Exim-users <exim-users@exim.org>...
> > > I have manually tested both of these policies and they are working as they
> > > should, except in one case: if the MAIL FROM and RCPT TO address are the same,
> > > the mail is accepted without requiring authentication, and without validating
> > > the SPF record. This means some spam gets through by simply claiming to be
> > > from me to me.
>
> --
> Eugene Berdnikov
>

Re: Mail to self allowed without restrictions
On Tuesday, February 5, 2019 8:47:19 AM MST Jeremy Harris via Exim-users
wrote:
> On 05/02/2019 05:59, Al T. via Exim-users wrote:
> > Any ideas why Exim does that
>
> That depends entirely on your Exim config.

I don't think I have anything crazy in there. Here are the pertinent parts of my
RCPT ACL:


accept
  authenticated = *
  control = submission
  control = dkim_disable_verify
  control = submission/domain=/name=

require
  message = relay not permitted
  domains = +local_domains : +relay_to_domains

deny
  message = SPF check failed. $sender_host_address is not allowed \
            to send mail for $sender_address_domain. For details see: \
            http://www.openspf.org/Why?s=mfrom;id=$sender_address;ip=$sender_host_address;r=mail.mypals.org
  set acl_m1 = --ip $sender_host_address --helo-id $sender_helo_name \
               --id $sender_address
  set acl_m1 = ${run{/usr/bin/vendor_perl/spfquery $acl_m1}}
  condition = ${if eq {$runrc}{1}{true}{false}}


--
Alberto Treviño
alberto@trevino.org



Re: Mail to self allowed without restrictions
Thanks, Sebastian. The first block did exactly what I needed.

On Tuesday, February 5, 2019 8:48:46 AM MST Sebastian Nielsen via Exim-users
wrote:
> in acl_mail (before SPF check):
>
> accept
>   authenticated = *
>   sender_domains = +local_domains
>   set acl_m0 = authorizedrelay
>
> deny
>   message = You can't spoof the domains this server is authoritative for
>   sender_domains = +local_domains
>
>
> then in acl_data:
>
> deny
>   message = You can't spoof the MIME From this server is authoritative for
>   condition = ${if match {$h_from:}{^(?i).*<.*@(.*YOUR_DOMAIN_HERE>\$}{yes}{no}}
>   condition = ${if eq {$acl_m0}{authorizedrelay}{no}{yes}}
>
> Den tis 5 feb. 2019 kl 15:37 skrev Al T. via Exim-users <exim-
users@exim.org>:
> > I have an interesting problem I haven't been able to solve. I keep
> > searching for a solution but I can't seem to find an answer.
> >
> > Users of my domain are required to authenticate in order to submit email.
> > Additionally, SPF is enabled and rejects all mail not originating from my
> > MX server (v=spf1 a mx -all).
> >
> > I have manually tested both of these policies and they are working as they
> > should, except in one case: if the MAIL FROM and RCPT TO address are the
> > same, the mail is accepted without requiring authentication, and without
> > validating the SPF record. This means some spam gets through by simply
> > claiming to be from me to me.
> >
> > Any ideas why Exim does that and how to block it?
> >
> > --
> > Al T.
> > alf@mypals.org
> >
> >
> >


--
Al T.
alf@mypals.org



Re: Mail to self allowed without restrictions
On Tue, 5 Feb 2019 at 19:02, Sebastian Nielsen via Exim-users <
exim-users@exim.org> wrote:

> in acl_mail (before SPF check):
>
> accept
>   authenticated = *
>   sender_domains = +local_domains
>   set acl_m0 = authorizedrelay
>
> deny
>   message = You can't spoof the domains this server is authoritative for
>   sender_domains = +local_domains
>
>
> then in acl_data:
>
> deny
>   message = You can't spoof the MIME From this server is authoritative for
>   condition = ${if match {$h_from:}{^(?i).*<.*@(.*YOUR_DOMAIN_HERE>\$}{yes}{no}}
>   condition = ${if eq {$acl_m0}{authorizedrelay}{no}{yes}}
>
>
Hi Sebastian,

failed to expand ACL string "${if match {$h_from:}{^(?i).*<.*@(.*mydomain.com>\$}{yes}{no}}": regular expression error in "^(?i).*<.*@(.*mydomain.com>$": missing ) at offset 30

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
Re: Mail to self allowed without restrictions
Oh, I see now.
Remove the first parenthesis "(" from "(.*"

so it becomes
condition = ${if match {$h_from:}{^(?i).*<.*@.*YOUR_DOMAIN_HERE>\$}{yes}{no}}

I accidentally broke the rule when replacing my domain with
"YOUR_DOMAIN_HERE", as I had multiple domains in the rule.
Note that dots in the domain should be preceded by \\ so
mydomain.com becomes mydomain\\.com

Den ons 6 feb. 2019 kl 07:22 skrev Odhiambo Washington via Exim-users
<exim-users@exim.org>:
>
> On Tue, 5 Feb 2019 at 19:02, Sebastian Nielsen via Exim-users <
> exim-users@exim.org> wrote:
>
> > in acl_mail (before SPF check):
> >
> > accept
> >   authenticated = *
> >   sender_domains = +local_domains
> >   set acl_m0 = authorizedrelay
> >
> > deny
> >   message = You can't spoof the domains this server is authoritative for
> >   sender_domains = +local_domains
> >
> >
> > then in acl_data:
> >
> > deny
> >   message = You can't spoof the MIME From this server is authoritative for
> >   condition = ${if match {$h_from:}{^(?i).*<.*@(.*YOUR_DOMAIN_HERE>\$}{yes}{no}}
> >   condition = ${if eq {$acl_m0}{authorizedrelay}{no}{yes}}
> >
> >
> Hi Sebastian,
>
> failed to expand ACL string "${if match {$h_from:}{^(?i).*<.*@(.*mydomain.com>\$}{yes}{no}}": regular expression error in "^(?i).*<.*@(.*mydomain.com>$": missing ) at offset 30
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft.", grep ^[^#] :-)

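Editor's note: the two-stage check from Sebastian's reply (the MAIL-time rule on the envelope sender and the DATA-time rule on the From: header), the envelope-versus-header distinction Eugene raised, and the corrected header regex, modelled in Python as an added example. This is not code from the thread and not Exim's own implementation. It assumes a single local domain, mydomain.com, standing in for +local_domains, and the SMTP sessions it runs through are constructed for illustration. Beyond the thread's specific case it also shows two things the header regex does on its own: it misses a bare "From: alf@mydomain.com" with no angle brackets, and ".*mydomain\.com" also matches a look-alike such as notmydomain.com; parsing the address and comparing the domain exactly avoids both.

```python
import re
from email.utils import parseaddr

# Stand-in for Exim's +local_domains (assumption: one domain, mydomain.com).
LOCAL_DOMAINS = {"mydomain.com"}

# The thread's corrected header pattern with the placeholder filled in.
# PCRE accepts "(?i)" after "^"; Python wants the flag up front, so it is
# passed as re.IGNORECASE instead.  Same matching behaviour.
THREAD_REGEX = re.compile(r"^.*<.*@.*mydomain\.com>$", re.IGNORECASE)


def address_domain(value: str) -> str:
    """Lower-cased domain of an RFC 5322 address or From: header body.
    Returns '' for the null sender <> or anything without a domain."""
    if value.strip() in ("", "<>"):
        return ""
    _, addr = parseaddr(value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def envelope_verdict(mail_from: str, authenticated: bool) -> tuple[str, str]:
    """The acl_smtp_mail rules.  Returns (verdict, acl_m0).  'accept' ends
    ACL processing for this MAIL command, as Exim's accept does, so later
    statements such as an SPF check are skipped; 'continue' falls through."""
    local = address_domain(mail_from) in LOCAL_DOMAINS
    if authenticated and local:
        return "accept", "authorizedrelay"   # set acl_m0 = authorizedrelay
    if local:
        return "deny", ""                    # unauthenticated local-domain sender
    return "continue", ""                    # remote sender, or null sender <>


def data_verdict(from_header: str, acl_m0: str) -> str:
    """The acl_smtp_data rule: deny a From: header in a local domain unless
    the session earned acl_m0 = authorizedrelay at MAIL time."""
    if address_domain(from_header) in LOCAL_DOMAINS and acl_m0 != "authorizedrelay":
        return "deny"
    return "continue"


def regex_claims_local(from_header: str) -> bool:
    """The thread's ${if match {$h_from:}...} condition, for comparison."""
    return THREAD_REGEX.search(from_header) is not None


# Constructed sessions: (label, authenticated, MAIL FROM, From: header body).
SESSIONS = [
    ("self-to-self spam",    False, "<alf@mydomain.com>",  '"Al T." <alf@mydomain.com>'),
    ("real user",            True,  "<alf@mydomain.com>",  '"Al T." <alf@mydomain.com>'),
    ("header-only spoof",    False, "<bulk@example.net>",  "alf@mydomain.com"),
    ("bounce to local user", False, "<>",                  "<mailer-daemon@example.net>"),
    ("lookalike domain",     False, "<x@notmydomain.com>", '"X" <x@notmydomain.com>'),
]


def run_sessions() -> dict[str, tuple[str, str]]:
    """Outcome per session as (envelope verdict, data verdict); a session
    denied at MAIL time never reaches DATA, shown as '-'."""
    results = {}
    for label, auth, mail_from, hdr in SESSIONS:
        env, acl_m0 = envelope_verdict(mail_from, auth)
        data = data_verdict(hdr, acl_m0) if env != "deny" else "-"
        results[label] = (env, data)
    return results


def regex_vs_parsed() -> dict[str, tuple[bool, bool]]:
    """For each session's From: header: (regex says local, parser says local)."""
    return {
        label: (regex_claims_local(hdr), address_domain(hdr) in LOCAL_DOMAINS)
        for label, _, _, hdr in SESSIONS
    }


if __name__ == "__main__":
    for label, (env, data) in run_sessions().items():
        print(f"{label:22s} MAIL: {env:9s} DATA: {data}")
    for label, (rx, parsed) in regex_vs_parsed().items():
        print(f"{label:22s} regex={rx!s:5s} parsed={parsed}")
```

Two points worth noticing when running it. The "accept" verdict for an authenticated local sender ends the MAIL ACL, so anything placed after that statement (the SPF check, in the original poster's layout) is never evaluated for authenticated submissions; that is the intent, but it is also why ordering in the ACL matters. The null sender <> has no domain, so a list of local domains does not match it and bounces to local users fall through to the remaining checks rather than being denied as spoofs.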