Exim4 SMTP server allows unauthenticated users to send emails
Remove the * from dc_relay_domains. This allows anyone to relay. If you are relaying for your local network put its IP range(s) in dc_relay_nets.
If you want to allow authenticated users to send mail from anywhere you need an accept rule for authenticated users. The default configuration should include the appropriate rules to bypass checks for authenticated users so that they can send email as if they were on the local network.
If you add AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to your /etc/exim4/exim4.conf.localmacros, you will be able to test authentication on a non-secure connection. It is best practice not to allow this as anyone who can sniff the network can obtain your credentials.
You may want to add this macro to enable the submission port for remote users. The submission port is the preferred port for remote submission.
daemon_smtp_ports = 25 : 587
In my default configuration the server-side authenticators are commented out. I have used them successfully for plain text and md5 authentication. Userid and password are the second and third fields.
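The following is an added example, not code from the answer above or from the Exim project. It does two things the answer asks the reader to verify by hand: it lints the dc_* settings in update-exim4.conf.conf for the open-relay pattern (dc_relay_domains='*', or a wildcard in dc_relay_nets), and it parses an EHLO banner to see whether AUTH and STARTTLS are advertised. It also includes a live probe that connects to a host and attempts RCPT TO an outside domain without authenticating, so you can confirm the server answers 5xx once the fix is applied. The sample config and EHLO text are constructed from the question; the IP addresses (203.0.113.x, 192.0.2.0/24) are documentation ranges standing in for the redacted public address and the LAN.

```python
import re
import smtplib
import ssl
import sys

# Constructed sample: the dc_* settings from the question, one per line as
# update-exim4.conf.conf actually stores them. 203.0.113.10 is a placeholder
# for the redacted public IPv4 address.
OPEN_RELAY_CONF = """\
dc_eximconfig_configtype='smarthost'
dc_other_hostnames='myhost.mycompany.com; localhost'
dc_local_interfaces='127.0.0.1; 203.0.113.10'
dc_readhost='mycompany.com'
dc_relay_domains='*'
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost='smtp.external.com'
"""

# The same file after applying the answer: no '*' in dc_relay_domains and
# only the (hypothetical) LAN range in dc_relay_nets.
FIXED_CONF = (OPEN_RELAY_CONF
              .replace("dc_relay_domains='*'", "dc_relay_domains='mycompany.com'")
              .replace("dc_relay_nets=''", "dc_relay_nets='192.0.2.0/24'"))

# Constructed EHLO reply modelled on the telnet session in the question:
# STARTTLS is offered, AUTH is not.
SAMPLE_EHLO = """\
250-myhost.mycompany.com Hello test [203.0.113.20]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP
"""

_ASSIGN = re.compile(r"^\s*(dc_\w+|[A-Z_]+)='([^']*)'", re.M)


def parse_update_exim4_conf(text):
    """Return {name: value} for every KEY='value' line of update-exim4.conf.conf."""
    return {m.group(1): m.group(2) for m in _ASSIGN.finditer(text)}


def split_list(value):
    """Debconf list values are ';'-separated; return the non-empty items."""
    return [x.strip() for x in value.split(";") if x.strip()]


def relay_findings(conf):
    """Describe settings that let unauthenticated clients relay through this host."""
    findings = []
    if "*" in split_list(conf.get("dc_relay_domains", "")):
        findings.append("dc_relay_domains contains '*': mail to any domain is "
                        "accepted from any host (open relay)")
    for net in split_list(conf.get("dc_relay_nets", "")):
        if net in ("*", "0.0.0.0/0", "::/0"):
            findings.append(f"dc_relay_nets contains {net}: every source address may relay")
    return findings


def ehlo_extensions(response):
    """Keywords advertised in a raw multi-line EHLO reply (first line is the greeting)."""
    if isinstance(response, bytes):
        response = response.decode("ascii", "replace")
    exts = set()
    for line in response.splitlines()[1:]:
        m = re.match(r"^250[ -](\S+)", line)
        if m:
            exts.add(m.group(1).upper())
    return exts


def check_relay(host, port=25, sender="probe@example.net",
                rcpt="probe@example.org", use_tls=False, timeout=10):
    """Connect, optionally STARTTLS, and try RCPT TO an outside domain
    without authenticating. Returns (advertised keywords, RCPT reply code);
    a 5xx code means relaying was refused, 250 means the host is an open relay."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo("probe.example.net")
        if use_tls and s.has_extn("starttls"):
            ctx = ssl.create_default_context()
            ctx.check_hostname = False          # probe only: accept the
            ctx.verify_mode = ssl.CERT_NONE     # self-signed cert from the question
            s.starttls(context=ctx)
            s.ehlo("probe.example.net")
        keywords = {k.upper() for k in s.esmtp_features}
        s.mail(sender)
        code, _ = s.rcpt(rcpt)
        try:
            s.rset()
        except smtplib.SMTPException:
            pass
        return keywords, code


if __name__ == "__main__":
    for name, text in (("question", OPEN_RELAY_CONF), ("fixed", FIXED_CONF)):
        print(name, relay_findings(parse_update_exim4_conf(text)) or ["no relay findings"])
    print("advertised in sample EHLO:", sorted(ehlo_extensions(SAMPLE_EHLO)))
    if len(sys.argv) > 1:   # python3 relaycheck.py myhost.mycompany.com [--tls]
        kw, code = check_relay(sys.argv[1], use_tls="--tls" in sys.argv)
        print("AUTH advertised:", "AUTH" in kw, "RCPT reply:", code)
```

Run it once without --tls and once with it: on the default Debian configuration AUTH should appear only in the second run, and in both runs the RCPT reply should be 550 once dc_relay_domains no longer contains '*'.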
Salaros
Updated on September 18, 2022
Comments
-
Salaros almost 2 years
I use Debian 7.x amd64 + Exim 4.82 on a dedicated server, I also have a working SMTP server on a shared hosting. I would like to set up an SMTP on my VPS that will have some special delivery scripts/filters (e.g. send a copy of all the outgoing emails for some accounts)
Currently the situation on the VPS is the following:
- it sends local (inbound) email via smart-host without any authentication
- it sends all the outbound email via smart-host without any authentication <== Unwanted behavior
- if the SMTP client has authentication type set to "Normal password" it asks for the credentials and delivers email correctly
- all the above cases behave in the same way with or without TLS encryption enabled on client side
/etc/exim4/update-exim4.conf.conf
dc_eximconfig_configtype='smarthost'
dc_other_hostnames='myhost.mycompany.com; localhost'
dc_local_interfaces='127.0.0.1; xxx.xxx.xxx.xxx'   <=== public IPv4 address
dc_readhost='mycompany.com'
dc_relay_domains='*'
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost='smtp.external.com'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='true'
dc_mailname_in_oh='true'
dc_localdelivery='maildir_home'
/etc/exim4/passwd.client
content:
*:smtp.external.com:secret
I have generated self-signed certificates and enabled TLS
/etc/exim4/exim4.conf.localmacros
MAIN_TLS_ENABLE = 1
I've tried to use plaintext and plain_login, now I'm using saslauthd (I'm sure it works, because I've already tested it previously with postfix).
exim -bP authenticator_list
output:
plain_saslauthd_server
login_saslauthd_server
cram_md5
plain
login
telnet myhost.mycompany.com 25
output:
EHLO test
250-myhost.mycompany.com Hello xxxxxxxxx [xxx.xxx.xxx.xxx]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP
...
AUTH PLAIN <random string>
503 AUTH command used when not advertised
I assume that it's because no authenticator is advertised (there is no 250-AUTH... row in EHLO response), but by default ALL the standard authenticators have this condition
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
.endif
So I assume that I have to add
AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
to my /etc/exim4/exim4.conf.localmacros file to get the server_advertise_condition condition processed, but it won't be considered anyway if the client doesn't have TLS encryption enabled (am I right?). So I'm a little bit confused on what to do now. I want my configuration to work as follows:
- local fetchmail (mail) requests are routed locally without any authentication (i.e. cron jobs)
- remote (plain or encrypted, it doesn't matter) requests should work from any destination (my colleagues' laptops) to any other destination (our customers) routing through an external SMTP (smarthost) and MUST require user authentication, otherwise it will reject/deny the request
-
Salaros over 10 years: OK, it's clear, but my colleagues use their laptops everywhere in the world (connecting from hotels, customer offices etc). If I put something other than '*' in relay domains will it drop (deny/reject) all the requests regardless of their authentication status (because those requests are not coming from "known" networks)?
-
BillThor over 10 years: @Salaros That check should be after the check for authentication. Once you have authentication working they should be good to go. I require all senders for my domains to send via our server. It works as expected. You may want to add the authentication status to the log message where they are dropped.
-
Salaros over 10 years: I've just changed dc_relay_domains to 'mydomain.com;alias-domain.com', ran update-exim4.conf and restarted the exim4 service, still the same. I'm able to send email from [email protected] without any authentication
-
Salaros over 10 years: What about authentication? How do I force it for "external" usage? It's not advertised (please read my question again near 'server_advertise_condition')
-
BillThor over 10 years: It should only be advertised on TLS connections in the default configuration. I have edited my first answer. Define the macro to get auth advertised on non-secure connections. Remove it once you get auth working.
-
BillThor over 10 years: Try clearing dc_relay_domains. You can update the configuration by running /etc/init.d/exim4 reload.