IRC Archive / Freenode / #exim / 2015 / August / 19 / 1
guyz
in exim how do i configure to send authenticated mail only?
i'm having issues where a php script can send mail via phpmailer and i want to only allow authenticated mail to leave my server
ping or memo me
henk
guyz: write your ACLs accordingly
donguston
guyz,
disable mail function and require people to use smtp
jgh_
if that's supposed to be a "how can I?" question, it's ambiguous. Perhaps you should explain your problem
MASHtm
jgh_: i found at least one major fault for split_spool_directory
jgh_
another bug?
MASHtm
now.... in the code we talk about for bug 1671
s/now/no/
jgh_
aha
MASHtm
exim-4.86/src/transport.c:1755 .... new_message_id[5] is undefined... must be msgq[i].message_id[5]
what i do not understand currently is why the following Ustat doesn't prevent the call to oicf_func
jgh_
I take it that you run split-spool?
wait, with split-spool is it not correct to be only searching within the split? That's what the current coding would do
MASHtm
it tries that. but new_message_id[5] is the _old_ code. the new code uses msgq[i].message_id instead of new_message_id
IMO it is a leftover
jgh_
so new_message_id isn't set as per the header comment?
MASHtm
it is set, but afterwards (some lines below with Ustrcpy) in a if clause.... and used at the end of the function again.
usage for building spool_file is wrong IMO
jgh_
comment at head of func says it is set in func arguments
MASHtm
maybe. but it is still not the correct message id to build the path for msgq[i].message_id
jgh_
what's wrong with it? It defines a split-spool subdirectory
MASHtm
but the Directory name is derived from new_message_id[5] instead of msgq[i].message_id[5] ... which is wrong in almost all cases
jgh_
it gives a filename to look for, which can only be there if the message is in the right split (as well as still being around). I'll admit that the stat call could be avoided by a 1-character compare - but it's not obviously buggy
MASHtm
if i want to build the spool_path for msgq[i].message_id I have to use msgq[i].message_id[5] as foldername and not the value from new_message_id[5] which can be anything from up to an undefined buffer containing "0" bytes!
see smtp_deliver() in transports/smtp.c which defines the empty buffer and calls transport_check_waiting() with the pointer
since this is a "0" byte the string in spool_file gets short and the stat succeeds on the directory only! which is the reason for the troubles following up IMO
jgh_
aha - so I was misreading that fn header comment
it really means "the message_id will be returned here"
MASHtm
the function header comment was not changed by the patch BTW and contains exactly the same info as 4.85
jgh_
do you run split? can you run a test with that fix?
MASHtm
i will sum this up and post a comment to the patch
jgh_
cool
MASHtm
yes, i always tun split directory
s/tun/run/
bjornar
How do I send arguments to an acl ($acl_argX) when called with acl = foo? acl=foo arg1 arg2 .. or acl=foo{arg1}{arg2} ?
MASHtm
ok, patched version running here now
jgh_
bjornar: http://exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html section 26 the acl= condition
bjornar
jgh_, yes.. but it is not stated how the arguments are sent.
jgh_
"up to nine space-separated optional values can be appended"
bjornar
with ${acl{acl_name}{arg1}{arg2}} it is obvious
jgh_, ok..
jgh_, but how will this work when $sender_address is the first parameter and expands to nothing (bounce)
jgh_
try "$sender_address"; run a test under debug to see how it deals with it (or just put logwrites in to see what args you get)
bjornar
ja
jgh_
but also, it might work without... the "expanded separately" implies that
guyz
so i'm trying to set up my exim to only allow authenticated mail to leave the server, but i'm not quite sure how to do that.. currently the problem is that a php script can send spam without authenticating (i'm assuming i'm an open relay when local). And php mail() is already disabled so that's not the problem
henk
show a log entry?
jgh_
test $authenticated_id in your outbound transports (probably, any smtp ones) - and do recipient verification
actually, $sender_host_authenticated might be better
guyz
henk: i don't have a log entry that i can find. I have the headers of the spam email with a message id and various other stuff but can't find it in my logs
henk
guyz: Then possibly the php script sends the mail itself directly to the target server, not via exim on the machine it's running on.
jgh_
does it have a received-by: header that matches your exim config?
henk
guyz: I can only think of two other reasons you wouldn't find it in the logs: 1. your log is incomplete, 2. you fail to read your logs. Both of which I consider unlikely …
guyz
i have in the header authentication-results: hotmail.com; spf=pass (sender ip is xxx) smtp.mailfrom=someuser@domainonmyserver.com; dkim=none
and x-mailer: phpmailer
henk
that header does not mean anything and one of the features of phpmail is »Integrated SMTP support - send without a local mail server«
guyz
the received: is just from domainonmysystem.com (myip) by hotmail with microsoft
so if not exim, what should i be locking down on my system to prevent this situation?
jgh_
delete php!
henk
Don't allow people to run their software on your system … Probably not what you want to hear.
guyz
well it was a compromised wordpress site
henk
+1, getting rid of php is in so many ways a good idea! You'd also get rid of wordpress that way, which is an even better idea!
guyz
yea then that gets rid of food on my table basically
jgh_
apart from regular updates, or running in a VM that disallows all port-25... can't think of much
guyz
i still want legitimate authenticated mail to leave the server, just not random stuff
henk
well, learn something worthwhile before you do it then. Hosting PHP-crap certainly isn't something worth doing …
jgh_
feed it out on a custom port to a separate exim
henk
the world (wide web) would be a much better place without php …
jgh_
on a separate system, maybe the host for this VM
henk
587 would be a good choice when AUTH is to be used anyway
bjornar
Seems like exims ${if or{]} .. does not stop when it has a true
jgh_
it certainly should do; please run under debug to check, and raise a bug if verified
but note there's a difference between "stop evaluation" and "stop syntax-checking"
bjornar
yeah..
so if I have if or ${lookup .. .. multiple lookups .. I want it to stop doing lookups if the first one is true
jgh_
if the remainder are still syntactically correct, that is what you should get
bjornar
can I redefine a MACRO in an acl?
jgh_
yes, but the new definition has rest-of-file scope
http://exim.org/exim-html-current/doc/html/spec_html/ch-the_exim_run_time_configuration_file.html#SECID43
boubou
okkkk
anyone have a good how to install exim4 ?
Google listed me many many but often they aren't up to date
old topo
jgh_
since you call it that, you're on Deb?
jhutchins
How do I keep exim from routing local mail through the smarthost?
ie mail from me@mydomain.org to valid@mydomain.org shouldn't go through the smarthost.
Looks like I used commas instead of semicolons in the localdomains list.
noz
Hi. I'm getting silent failures of 'exim4 -bV config.tmp'. It prints all the usual bits, doesn't print the final "Configuration file is ..." and exits with $? = 1. Any ideas why it might do this?
henk
noz: yes, what do you think that command does? what is config.tmp exactly?
boubou: 'good howto' is an oxymoron. You should just read the docs on how to use your OS, especially the part about installing software, and the exim docs.
notkoos
noz: are you looking for exim -bV -C config.tmp ? ;)