Exim4 SMTP server allows unauthenticated users to send emails


Remove the * from dc_relay_domains. This allows anyone to relay. If you are relaying for your local network, put its IP range(s) in dc_relay_nets.

If you want to allow authenticated users to send mail from anywhere you need an accept rule for authenticated users. The default configuration should include the appropriate rules to bypass checks for authenticated users so that they can send email as if they were on the local network.

If you add AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to your /etc/exim4/exim4.conf.localmacros, you will be able to test authentication on a non-secure connection. It is best practice not to allow this, as anyone who can sniff the network can obtain your credentials.

You may want to add this macro to enable the submission port for remote users. The submission port is the preferred port for remote submission.

    daemon_smtp_ports = 25 : 587

In my default configuration the server-side authenticators are commented out. I have used them successfully for plain text and md5 authentication. Userid and password are the second and third fields.
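The following Python model is added here as an illustration; it is not code from this answer or from Exim. It walks one recipient through the relay checks of Debian's default exim4 recipient ACL in the order assumed here (local domains, relay_to_domains, relay_from_hosts, authenticated sender, then "relay not permitted"), using the variable names from /etc/exim4/update-exim4.conf.conf, and compares the questioner's dc_relay_domains='*' file with the same file after the line is cleared and the office range is put in dc_relay_nets. The ACL order is an assumption about the default configuration, and the 192.0.2.0/24 office range and the other addresses and domains are constructed samples.

```python
"""Added illustration, not Exim's code: a model of the relay decision made by the
recipient ACL in Debian's default exim4 configuration (acl_check_rcpt), using the
variable names from /etc/exim4/update-exim4.conf.conf.  The statement order modelled
here (local domains, relay_to_domains, relay_from_hosts, authenticated sender, then
"relay not permitted") is an assumption about that default configuration; the IP
addresses and domains are constructed samples."""
from __future__ import annotations

import ipaddress
from fnmatch import fnmatch


def _split(value: str) -> list[str]:
    """update-exim4.conf.conf lists are ';'-separated; '' means an empty list."""
    return [item.strip() for item in value.split(";") if item.strip()]


def _domain_matches(domain: str, patterns: list[str]) -> bool:
    """Simplified Exim domain list: '*' matches everything, '*.example' is a
    wildcard, anything else is an exact (case-insensitive) name."""
    return any(p == "*" or fnmatch(domain.lower(), p.lower()) for p in patterns)


def _host_in_nets(ip: str, nets: list[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def rcpt_decision(conf: dict[str, str], sender_ip: str, authenticated: bool,
                  rcpt_domain: str) -> str:
    """First matching 'accept' wins, exactly as an Exim ACL stops at the first verdict."""
    local_domains = _split(conf.get("dc_other_hostnames", "")) + ["localhost"]
    if _domain_matches(rcpt_domain, local_domains):
        return "accept: local domain"
    # dc_relay_domains='*' makes this accept fire for every recipient from every host.
    if _domain_matches(rcpt_domain, _split(conf.get("dc_relay_domains", ""))):
        return "accept: relay_to_domains"
    # localhost is always in relay_from_hosts; dc_relay_nets adds the LAN.
    relay_from_hosts = ["127.0.0.1/32", "::1/128"] + _split(conf.get("dc_relay_nets", ""))
    if _host_in_nets(sender_ip, relay_from_hosts):
        return "accept: relay_from_hosts"
    if authenticated:
        return "accept: authenticated"
    return "deny: relay not permitted"


# Constructed samples: the questioner's settings, and the same file with the fix applied.
OPEN_RELAY_CONF = {
    "dc_other_hostnames": "myhost.mycompany.com; localhost",
    "dc_relay_domains": "*",
    "dc_relay_nets": "",
}
FIXED_CONF = {
    "dc_other_hostnames": "myhost.mycompany.com; localhost",
    "dc_relay_domains": "",           # no unauthenticated relay targets
    "dc_relay_nets": "192.0.2.0/24",  # the office LAN (constructed range)
}

CASES = {
    "stranger, no auth, external recipient": ("203.0.113.7", False, "customer.example"),
    "colleague at a hotel, authenticated":   ("198.51.100.9", True, "customer.example"),
    "office LAN host, no auth":              ("192.0.2.10", False, "customer.example"),
    "cron job on localhost, no auth":        ("127.0.0.1", False, "customer.example"),
}


def compare_configs() -> dict[str, tuple[str, str]]:
    """Verdict under the open-relay file vs. the fixed file, per scenario."""
    return {name: (rcpt_decision(OPEN_RELAY_CONF, *case), rcpt_decision(FIXED_CONF, *case))
            for name, case in CASES.items()}


if __name__ == "__main__":
    for name, (before, after) in compare_configs().items():
        print(f"{name:40s} before: {before:28s} after: {after}")
```

Under the '*' setting every scenario, including the stranger with no credentials, is accepted at the relay_to_domains step before the authentication check is ever reached; with the line cleared, the stranger is refused while the authenticated laptop, the LAN host and the local cron job are still accepted by the later checks.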

Author: Salaros

Updated on September 18, 2022

Comments

  • Salaros
    Salaros almost 2 years

    I use Debian 7.x amd64 + Exim 4.82 on a dedicated server; I also have a working SMTP server on a shared hosting. I would like to set up an SMTP server on my VPS that will have some special delivery scripts/filters (e.g. send a copy of all the outgoing emails for some accounts).

    Currently the situation on the VPS is the following:

    • it sends local (inbound) email via smart-host without any authentication
    • it sends all the outbound email via smart-host without any authentication <== Unwanted behavior
    • if the SMTP client has authentication type set to "Normal password" it asks for the credentials and delivers email correctly
    • all the above cases behave in the same way with or without TLS encryption enabled on client side

    /etc/exim4/update-exim4.conf.conf

    dc_eximconfig_configtype='smarthost'
    dc_other_hostnames='myhost.mycompany.com; localhost'
    dc_local_interfaces='127.0.0.1; xxx.xxx.xxx.xxx' <=== public IPv4 address
    dc_readhost='mycompany.com'
    dc_relay_domains='*'
    dc_minimaldns='false'
    dc_relay_nets=''
    dc_smarthost='smtp.external.com'
    CFILEMODE='644'
    dc_use_split_config='false'
    dc_hide_mailname='true'
    dc_mailname_in_oh='true'
    dc_localdelivery='maildir_home'
    

    /etc/exim4/passwd.client content:

    *:smtp.external.com:secret
    

    I have generated self-signed certificates and enabled TLS in /etc/exim4/exim4.conf.localmacros:

    MAIN_TLS_ENABLE = 1
    

    I've tried to use plan_text and plain_login; now I'm using saslauthd (I'm sure it works, because I've already tested it previously with postfix).

    exim -bP authenticator_list output:

    plain_saslauthd_server
    login_saslauthd_server
    cram_md5
    plain
    login
    

    telnet myhost.mycompany.com 25 output:

    EHLO test
    250-myhost.mycompany.com Hello xxxxxxxxx [xxx.xxx.xxx.xxx]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-STARTTLS
    250 HELP
    ...
    AUTH PLAIN <random string>
    503 AUTH command used when not advertised
    

    I assume that it's because no authenticator is advertised (there is no 250-AUTH... row in the EHLO response), but by default ALL the standard authenticators have this condition:

    .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
    server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
    .endif
    

    So I assume that I have to add AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to my /etc/exim4/exim4.conf.localmacros file to get the server_advertise_condition processed, but it won't be considered anyway if the client doesn't have TLS encryption enabled (am I right?).

    So I'm a little bit confused about what to do now. I want my configuration to work as follows:

    • local fetchmail (mail) requests are routed locally without any authentication (i.e. cron jobs)
    • remote (plain or encrypted, it doesn't matter) requests should work from any destination (my colleagues' laptops) to any other destination (our customers), routing through an external SMTP (smarthost), and MUST require user authentication; otherwise it will reject/deny the request
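The Python below is an added illustration, not code from the question or from Exim. It shows why the plaintext telnet session above gets "503 AUTH command used when not advertised", what defining AUTH_SERVER_ALLOW_NOTLS_PASSWORDS changes in the server_advertise_condition quoted above, and how the three NUL-separated fields of an AUTH PLAIN credential map to Exim's $auth1, $auth2 and $auth3 (the user id and password being the second and third fields). The EHLO reply is the one quoted in the question; the user name, password and TLS cipher string are constructed samples, and the in-memory PASSWD dict stands in for the /etc/exim4/passwd lookup.

```python
"""Added illustration, not code from the question or from Exim: why the plaintext
session gets "503 AUTH command used when not advertised", what the
AUTH_SERVER_ALLOW_NOTLS_PASSWORDS macro changes, and how the three fields of an
AUTH PLAIN credential map to Exim's $auth1/$auth2/$auth3.  The EHLO reply is the
one quoted in the question (hostname and address masked as in the question); the
user name and password are constructed samples standing in for /etc/exim4/passwd."""
from __future__ import annotations

import base64

QUESTION_EHLO_REPLY = """250-myhost.mycompany.com Hello xxxxxxxxx [xxx.xxx.xxx.xxx]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP"""

PASSWD = {"alice": "correct-horse"}  # constructed stand-in for the passwd lookup


def parse_ehlo(reply: str) -> dict[str, str]:
    """Keywords advertised in a multi-line 250 reply (the first line is the greeting)."""
    lines = [ln for ln in reply.splitlines() if ln.startswith("250")]
    advertised = {}
    for line in lines[1:]:
        keyword, _, params = line[4:].strip().partition(" ")  # drop "250-" / "250 "
        advertised[keyword.upper()] = params
    return advertised


def auth_advertised(tls_in_cipher: str, allow_notls_passwords: bool) -> bool:
    """Mirror of the default
         server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
    which sits inside .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS: defining the macro
    removes the condition entirely, so AUTH is then advertised on every connection.
    Without the macro, an empty $tls_in_cipher (no TLS) expands to "" == not advertised."""
    if allow_notls_passwords:
        return True
    return tls_in_cipher != ""


def ehlo_keywords(tls_in_cipher: str, allow_notls_passwords: bool) -> dict[str, str]:
    """The keyword set a server in this configuration would advertise."""
    keywords = {"SIZE": "52428800", "8BITMIME": "", "PIPELINING": ""}
    if tls_in_cipher == "":
        keywords["STARTTLS"] = ""            # offered only until TLS is negotiated
    if auth_advertised(tls_in_cipher, allow_notls_passwords):
        keywords["AUTH"] = "PLAIN LOGIN"
    keywords["HELP"] = ""
    return keywords


def encode_auth_plain(user: str, password: str, authzid: str = "") -> str:
    """RFC 4616 initial response: authzid NUL authcid NUL passwd, base64-encoded."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()


def decode_auth_plain(credential: str) -> tuple[str, str, str]:
    """Split the credential into ($auth1, $auth2, $auth3): the authorization id,
    the user id (second field) and the password (third field)."""
    fields = base64.b64decode(credential, validate=True).split(b"\0")
    if len(fields) != 3:
        raise ValueError("AUTH PLAIN payload must have exactly three NUL-separated fields")
    authzid, user, password = (f.decode() for f in fields)
    return authzid, user, password


def handle_auth_plain(advertised: dict[str, str], credential: str) -> str:
    """Server reply to 'AUTH PLAIN <credential>' given what EHLO advertised."""
    if "AUTH" not in advertised:
        return "503 AUTH command used when not advertised"
    _authzid, user, password = decode_auth_plain(credential)
    if PASSWD.get(user) == password:
        return "235 Authentication succeeded"
    return "535 Incorrect authentication data"


if __name__ == "__main__":
    cred = encode_auth_plain("alice", "correct-horse")
    print("question's EHLO offers AUTH:", "AUTH" in parse_ehlo(QUESTION_EHLO_REPLY))
    print("plain session, macro undefined:", handle_auth_plain(ehlo_keywords("", False), cred))
    print("after STARTTLS, macro undefined:",
          handle_auth_plain(ehlo_keywords("TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256", False), cred))
    print("plain session, macro defined:", handle_auth_plain(ehlo_keywords("", True), cred))
```

Run against the question's own EHLO reply, parse_ehlo shows STARTTLS but no AUTH keyword, which is exactly the state in which Exim answers 503. The same credential is accepted once a cipher is in place, or on a plain session only when the macro is defined, which is why the macro is a testing aid rather than a setting to leave in place.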
  • Salaros
    Salaros over 10 years
    OK, it's clear, but my colleagues use their laptops everywhere in the world (connecting from hotels, customer offices, etc.). If I put something other than '*' in relay domains, will it drop (deny/reject) all the requests regardless of their authentication status (because those requests are not coming from "known" networks)?
  • BillThor
    BillThor over 10 years
    @Salaros That check should be after the check for authentication. Once you have authentication working they should be good to go. I require all senders for my domains to send via our server. It works as expected. You may want to add the authentication status to the log message where they are dropped.
  • Salaros
    Salaros over 10 years
    I've just changed dc_relay_domains to 'mydomain.com;alias-domain.com', ran update-exim4.conf and restarted the exim4 service; still the same. I'm able to send email from [email protected] without any authentication.
  • Salaros
    Salaros over 10 years
    What about authentication? How do I force it for "external" usage? It's not advertised (please read my question again near 'server_advertise_condition').
  • BillThor
    BillThor over 10 years
    It should only be advertised on TLS connections in the default configuration. I have edited my first answer. Define the macro to get auth advertised on non-secure connections. Remove it once you get auth working.
  • BillThor
    BillThor over 10 years
    Try clearing dc_relay_domains. You can update the configuration by running /etc/init.d/exim4 reload.