Hi All,
I am trying to secure my box, as there is something very fishy going on: I can see that mail is being relayed through my server from our business domain, which shouldn't be happening.
I have read through a number of posts now, and the ACL section of my exim conf file may be messed up; for example, I have two entries in it for dictionary attacks. Can someone please have a look and tell me what I need to change, if anything?
Thanks
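##!!# ACL that is used after the RCPT command
# check_recipient: evaluated once per RCPT TO.  Statement order matters in an
# Exim ACL - the first accept/deny/drop whose conditions all match decides the
# verdict, so a later statement is only reached by a connection that nothing
# above it has already accepted or rejected.  Continuation lines end in "\".
check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.
  accept  hosts = :

  # Hosts already recorded in /etc/exim_deny are dropped outright.
  drop    hosts = /etc/exim_deny
          message = Connection denied after dictionary attack
          log_message = Connection denied from $sender_host_address after dictionary attack

  # Dictionary-attack detection: more than three failed RCPTs in this session
  # and the current recipient also fails verification.  Conditions run in
  # order, so /etc/exim_deny.pl is executed as soon as the failure count is
  # exceeded (presumably it records the host for the drop above - confirm
  # against the script), before the recipient verify is attempted.
  # These two drops apply to every connection; they appear only here, a second
  # copy further down the ACL would never be reached.
  drop    message = Appears to be a dictionary attack
          log_message = Dictionary attack (after $rcpt_fail_count failures)
          condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
          condition = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}}
          !verify = recipient

  # Accept bounces to lists even if callbacks or other checks would fail
  # (mailman list directory named after the local part).
  warn    message = X-WhitelistedRCPT-nohdrfromcallback: Yes
          condition = \
            ${if and {{match{$local_part}{(.*)-bounces+.*}} \
                      {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                      {yes}{no}}
  accept  condition = \
            ${if and {{match{$local_part}{(.*)-bounces+.*}} \
                      {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                      {yes}{no}}

  # Accept bounces to lists even if callbacks or other checks would fail
  # (mailman list directory named after local part and domain).
  warn    message = X-WhitelistedRCPT-nohdrfromcallback: Yes
          condition = \
            ${if and {{match{$local_part}{(.*)-bounces+.*}} \
                      {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                      {yes}{no}}
  accept  condition = \
            ${if and {{match{$local_part}{(.*)-bounces+.*}} \
                      {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                      {yes}{no}}

  #if it gets here it isn't mailman
  #sender verifications are required for all messages that are not sent to lists
  require verify = sender

  # Mail for our own domains: accepted once the recipient verifies.  After
  # endpass a failed verify is a rejection, not a fall-through.
  accept  domains = +local_domains
          endpass
          #recipient verifications are required for all messages that are not sent to the local machine
          #this was done at multiple users requests
          message = "The recipient cannot be verified. Please check all recipients of this message to verify they are valid."
          verify = recipient

  # Domains we relay for (no recipient verification here).
  accept  domains = +relay_domains

  # Hosts in +relay_hosts may relay anywhere.
  warn    message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
          hosts = +relay_hosts
  accept  hosts = +relay_hosts

  # Everything below only sees mail to non-local, non-relay domains from
  # hosts that are not in +relay_hosts, i.e. relay attempts.
  # NOTE(review): several of these DNSBL zones (e.g. relays.ordb.org) have
  # since been retired; a retired zone may answer positively for every
  # lookup, so check each one is still operated before keeping it in a drop.
  drop    dnslists = relays.ordb.org : \
                     sbl-xbl.spamhaus.org : \
                     hil.habeas.com : \
                     list.dsbl.org : \
                     bl.spamcop.net : \
                     dnsbl.njabl.org : \
                     proxies.blackholes.easynet.nl : \
                     dynablock.easynet.nl : \
                     spam.dnsbl.sorbs.net : \
                     korea.services.net : \
                     brazil.blackholes.us : \
                     nigeria.blackholes.us : \
                     argentina.blackholes.us : \
                     malaysia.blackholes.us : \
                     singapore.blackholes.us : \
                     taiwan.blackholes.us
          message = your mail server $sender_host_address is in a black list \
                    at $dnslist_domain ($dnslist_text)

  require verify = reverse_host_lookup
          message = your mail server IP address ($sender_host_address) has no reverse DNS PTR hostname

  # Relaying is allowed on exactly two remaining paths: a host that the
  # checkrelayhost perl function accepts (from the message text, one that
  # recently logged into POP/IMAP - confirm in the perl code), or a session
  # that authenticated over SMTP.  Anything else is denied below.
  warn    message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
          condition = ${perl{checkrelayhost}{$sender_host_address}}
  accept  condition = ${perl{checkrelayhost}{$sender_host_address}}

  accept  hosts = +auth_relay_hosts
          endpass
          message = $sender_fullhost is currently not permitted to \
                    relay through this server. Perhaps you \
                    have not logged into the pop/imap server in the \
                    last 30 minutes or do not have SMTP Authentication turned on in your email client.
          authenticated = *

  deny    message = $sender_fullhost is currently not permitted to \
                    relay through this server. Perhaps you \
                    have not logged into the pop/imap server in the \
                    last 30 minutes or do not have SMTP Authentication turned on in your email client.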
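#!!# ACL that is used after the DATA command
# check_message: evaluated once per message after DATA.  The demime condition
# used below was dropped from later Exim releases; on such a version these
# checks have to be reworked with the MIME ACL (acl_smtp_mime) - confirm the
# running Exim version before relying on them.  Continuation lines end in "\".
check_message:
  # Reject unless at least one of the sender header addresses verifies.
  require verify = header_sender

  ##### clamav ACL, reject virus infected mails with proper error
  deny    message = This message contains malformed MIME ($demime_reason).
          demime = *
          condition = ${if >{$demime_errorlevel}{2}{1}{0}}

  deny    message = This message contains a virus or other harmful content \
                    ($malware_name)
          demime = *
          malware = *

  # Attachment extensions that are rejected outright (colon-separated list).
  deny    message = Potentially executable content. If you meant to send this file \
                    then please package it up as a zip file and resend it.
          demime = ade:adp:bas:bat:chm:cmd:com:cpl:crt:eml:exe:hlp:hta:inf:ins:isp:jse:lnk:mdb:mde:\
                   msc:msi:msp:pcd:reg:scr:sct:shs:url:vbs:vbe:wsf:wsh:wsc

  # Add X-Scanned Header (added to every message that reaches this point)
  warn    message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
  ##### end clamav ACL

  accept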