On 24.02.22 at 22:56, Henry S. Thompson via Exim-users wrote:
Jeremy Harris via Exim-users <[email protected]> writes:

Start with your log.  How was 1nKNYR-000bDv-0w submitted?
022-02-16 16:53:23 1nKNYR-000bDv-0w <= [email protected] H=(ogcb16c7f19.openstack local) [103.104.169.173] P=esmtp S=1313
  1nKNYR-000bDv-0w H=gmail-smtp-in.l.google.com [2a00:1450:400c:c07::1b] Network is unreachable

This means you have an open relay running, not necessarily on port 25, as the attacker did not use SMTP AUTH. He has sent the mails directly, unencrypted and without auth, from an external system.

How to fix:

acl_check_rcpt:

  # "domains" tests the recipient domain, so this rule belongs in the RCPT ACL
  # (Exim does not allow the domains condition outside RCPT/VRFY).
  deny    condition = ${if eq{$authenticated_id}{} {1}{0}}
          domains   = ! +local_domains


Explanation (short version):

if $authenticated_id == "" AND target domain name NOT IN (local_domains): reject

If the sender did not use SMTP AUTH to send a message to an external domain name (which is everything that is not hosted on your server, i.e. not in local_domains),
it wasn't you and you don't want this.

If the sender doesn't use SMTP AUTH and wants to send to your domain, you want to accept this message after the usual spam checks, as it's for you.

If you have anti-spam, anti-virus or other checks, they may need to be extended with "condition = ${if eq{$authenticated_id}{} {1}{0}}", as those rules need to work in the correct context. Changing your config accordingly can be a time-consuming task, but you need to check every single ACL to see whether it needs an expansion for an empty SMTP AUTH check or a correctly filled one.

And you need to advertise AUTH, and you need a login validator like this:

plain:
 driver = plaintext
 public_name = PLAIN
 # PLAIN delivers authzid, authcid and password in one step, so no prompt is needed
 server_prompts = :
 # $2 is the user name, $3 the password; the braces here are balanced
 server_condition = "${if and { \
                      {!eq{$2}{}} \
                      {!eq{$3}{}} \
                      {eq{1}{ ... check $2 (user) and $3 (pass) against a db or passwdfile ... }} \
                    }}"
 server_set_id = $2
 server_advertise_condition = *

The condition fails if user="" or pass="" or check(user,pass) fails.

The long version of this can be found in the Exim docs under https://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentication.html

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
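As an added example (not from the thread or the Exim project), a small Python check over constructed Exim main-log lines: it flags message ids that arrived without an A= authentication tag and were then routed to a domain outside an assumed local_domains set, which is exactly the traffic the deny rule above rejects at RCPT time. The log lines, IP addresses and domain list are constructed.

```python
import re
from collections import defaultdict

# Constructed Exim main-log sample (not real traffic): one unauthenticated relay
# attempt, one authenticated submission, one inbound message for a local user.
SAMPLE_LOG = """\
2022-02-16 16:53:23 1nKNYR-000bDv-0w <= scammer@example.com H=(ogcb16c7f19.openstack local) [192.0.2.10] P=esmtp S=1313
2022-02-16 16:53:24 1nKNYR-000bDv-0w == victim@example.org R=dnslookup T=remote_smtp defer (-1): Network is unreachable
2022-02-16 17:01:02 1nKNZZ-000bE1-1a <= alice@mail.example H=(laptop) [198.51.100.7] P=esmtpsa A=plain:alice S=2210
2022-02-16 17:01:03 1nKNZZ-000bE1-1a => bob@example.org R=dnslookup T=remote_smtp
2022-02-16 17:05:40 1nKNaa-000bE7-2b <= news@example.net H=mx.example.net [203.0.113.5] P=esmtp S=5120
2022-02-16 17:05:41 1nKNaa-000bE7-2b => carol <carol@mail.example> R=localuser T=local_delivery
"""

# Assumed contents of +local_domains on the server being checked.
LOCAL_DOMAINS = {"mail.example"}

MSGID = r"(?P<id>\w{6}-\w{6}-\w{2})"
# "<=" lines record arrival; the tail carries the H=, [ip], P= and (if any) A= tags.
RECEIVED = re.compile(r"^\S+ \S+ " + MSGID + r" <= \S+ (?P<rest>.*)$")
# "=>" delivered, "==" deferred, "**" failed: each names the recipient address.
DELIVERY = re.compile(r"^\S+ \S+ " + MSGID + r" (?:=>|==|\*\*) (?P<rcpt>\S+)")


def find_relayed_messages(log_text, local_domains=LOCAL_DOMAINS):
    """Return {msgid: (source_ip, [external recipients])} for messages that
    arrived without SMTP AUTH and were then routed to a non-local domain."""
    unauth = {}                   # msgid -> source IP of unauthenticated arrivals
    outbound = defaultdict(list)  # msgid -> recipients outside local_domains
    for line in log_text.splitlines():
        m = RECEIVED.match(line)
        if m:
            rest = m.group("rest")
            # Authenticated sessions log A=<authenticator>:<id> (and P=esmtpa/esmtpsa).
            if not re.search(r"(?:^| )A=", rest):
                ip = re.search(r"\[([0-9a-fA-F.:]+)\]", rest)
                unauth[m.group("id")] = ip.group(1) if ip else "?"
            continue
        d = DELIVERY.match(line)
        if d:
            rcpt = d.group("rcpt")
            if "@" not in rcpt:   # bare local part (local delivery): hosted here
                continue
            domain = rcpt.rsplit("@", 1)[1].lower().rstrip(">")
            if domain not in local_domains:
                outbound[d.group("id")].append(rcpt)
    return {mid: (ip, outbound[mid]) for mid, ip in unauth.items() if outbound.get(mid)}


if __name__ == "__main__":
    for mid, (ip, rcpts) in find_relayed_messages(SAMPLE_LOG).items():
        print(f"{mid}: relayed from {ip} without AUTH to {', '.join(rcpts)}")
```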
