I am having some trouble securing my MX (Exim).
At the moment anyone who telnets to my mail server on port 25 is able to just send an email. I am trying to figure out how to allow outbound traffic only from users that authenticate.
dc_eximconfig_configtype='internet'
dc_other_hostnames='<domain list here>'
dc_local_interfaces='[127.0.0.1]:25; [127.0.0.1]:587; [<ip>]:25; [<ip>]:587'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='true'
dc_relay_nets='<allowed ip list>'
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='true'
dc_hide_mailname='true'
dc_mailname_in_oh='true'
dc_localdelivery='maildir_home'
On telnet
220 <domain.com> ESMTP Exim 4.94.2 Fri, 21 Jan 2022 22:03:10 +0000
ehlo aaaa
250-<domain.com> Hello aaaa [ip]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPE_CONNECT
250-AUTH PLAIN NTLM LOGIN
250-CHUNKING
250-STARTTLS
250-PRDR
250 HELP
From there I can just use any fake details to send an email. I've tried playing around with ACLs as per various SO threads, but whatever I do, it either disables all outbound mail or unauth users are not affected.
PS: I should add that I am 'trying' to use the dovecot auth mechanism:
dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1

dovecot_ntlm:
  driver = dovecot
  public_name = NTLM
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1

dovecot_login:
  driver = dovecot
  public_name = LOGIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
And I do have the corresponding config in dovecot
service auth {
  group = mail
  unix_listener auth-client {
    group = Debian-exim
    mode = 0660
    user = Debian-exim
  }
  unix_listener auth-master {
    group = mail
    mode = 0664
    user = mail
  }
}
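
The rule the question asks for (relay only for clients that authenticate), written as an Exim RCPT ACL. This is an added example, not the poster's configuration and not taken from the Debian package; it assumes the named lists `local_domains`, `relay_to_domains` and `relay_from_hosts` are already defined and that the main section points at the ACL with `acl_smtp_rcpt = acl_check_rcpt`.

```exim
# Added example. Assumption: the three named lists exist and are filled
# from dc_other_hostnames, dc_relay_domains and dc_relay_nets respectively.
# Statements are evaluated top to bottom; the first accept or deny that
# matches ends processing for that RCPT command, so order matters.

acl_check_rcpt:

  # Mail submitted locally without TCP/IP (empty sender host).
  accept  hosts = :

  # A client that completed SMTP AUTH (here: via the dovecot
  # authenticators) may send to any destination.
  accept  authenticated = *
          control       = submission

  # Hosts in relay_from_hosts may relay without authenticating.
  # Keep this list as small as possible.
  accept  hosts = +relay_from_hosts

  # Everyone else reaches this point unauthenticated. Only recipients in
  # domains this server is responsible for are allowed past it; any other
  # recipient domain is refused with a 550.
  # Mail addressed to a local domain is still accepted here without AUTH,
  # which is what an MX on port 25 has to do to receive mail at all.
  require message = relay not permitted
          domains = +local_domains : +relay_to_domains

  # Refuse recipients that do not exist in those domains.
  require verify = recipient

  accept
```

An unconditional `accept` placed above the `require ... domains` statement turns the server into an open relay, and a `deny` on unauthenticated clients placed above it blocks inbound mail for the local domains as well.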