In the check recipient ACL of the stock Debian configuration
(30_exim4-config_check_rcpt), the test for authentication of the
incoming SMTP connection (accept authenticated = *) is run next to last,
right before the final "deny message = relay not permitted" stanza in
the ACL. Why does the authentication test run so late in the ACL?

In particular, I use the DNSBL check, which runs earlier in the
check_rcpt ACL, as a blocklist. Because the authentication test runs
later, incoming mail from an authenticated SMTP connection will be
blocked if the sender is listed in the DNSBL blacklist.

Will I break anything if I move the test for SMTP authentication to the
beginning of the ACL?

-- 
Richard Doyle <rdoyle@islandnetworks.com>
On 2005-10-28 Richard Doyle <rdoyle@islandnetworks.com> wrote:
> In the check recipient ACL of the stock Debian configuration
> (30_exim4-config_check_rcpt), the test for authentication of the
> incoming SMTP connection (accept authenticated = *) is run next to last,
> right before the final "deny message = relay not permitted" stanza in
> the ACL. Why does the authentication test run so late in the ACL?

Hello,
I cannot remember, I guess it simply grew.

> In particular, I use the DNSBL check, which runs earlier in the
> check_rcpt ACL, as a blocklist. Because the authentication test runs
> later, incoming mail from an authenticated SMTP connection will be
> blocked if the sender is listed in the DNSBL blacklist.

> Will I break anything if I move the test for SMTP authentication to the
> beginning of the ACL?

I think moving it to the beginning of the ACL is not a good idea, there
are a number of checks where special-casing of relayed messages does not
make sense, e.g.

- accepting undeliverable mail.
- accepting blacklisted from. (e.g. viruses)
etc.

I'd suggest moving accept authenticated = * after

.ifdef CHECK_RCPT_REVERSE_DNS
...
.endif

Thoughts?

BTW, I wonder whether we should add
control = submission/sender_retain
to the 'accept authenticated = *' statement.[1]

cu andreas

[1] I do not know by heart whether

accept authenticated = *
       control = submission/sender_retain

would work or whether we would need two statements instead.

warn   authenticated = *
       control = submission/sender_retain
accept authenticated = *

-- 
The 'Galactic Cleaning' policy undertaken by Emperor Zhark is a personal
vision of the emperor's, and its inclusion in this work does not constitute
tacit approval by the author or the publisher for any such projects,
howsoever undertaken. (c) Jasper Ffforde
Hi,

On Sat, Oct 29, 2005 at 11:10:30AM +0200, Andreas Metzler wrote:
> On 2005-10-28 Richard Doyle <rdoyle@islandnetworks.com> wrote:
> > In the check recipient ACL of the stock Debian configuration
> > (30_exim4-config_check_rcpt), the test for authentication of the
> > incoming SMTP connection (accept authenticated = *) is run next to last,
> > right before the final "deny message = relay not permitted" stanza in
> > the ACL. Why does the authentication test run so late in the ACL?
>
> Hello,
> I cannot remember, I guess it simply grew.

It is that way in upstream's default configure file from where we
originally started. Especially the rcpt acl has been severely modified
since then.

> > In particular, I use the DNSBL check, which runs earlier in the
> > check_rcpt ACL, as a blocklist. Because the authentication test runs
> > later, incoming mail from an authenticated SMTP connection will be
> > blocked if the sender is listed in the DNSBL blacklist.
>
> > Will I break anything if I move the test for SMTP authentication to the
> > beginning of the ACL?
>
> I think moving it to the beginning of the ACL is not a good idea, there
> are a number of checks where special-casing of relayed messages does not
> make sense, e.g.
>
> - accepting undeliverable mail.
> - accepting blacklisted from. (e.g. viruses)
> etc.

Agreed.

> I'd suggest moving accept authenticated = * after
>
> .ifdef CHECK_RCPT_REVERSE_DNS
> ...
> .endif
>
> Thoughts?

Tony's configuration from Cambridge does sender verification after
accepting authenticated senders, so that authenticated senders
receive a bounce to their inbox instead of having the message rejected
(and the SMTP error message probably hidden from them by their
"user-friendly" MUA). I am not sure whether we should go with Tony's
idea which surely is appropriate for the University.

> BTW, I wonder whether we should add
> control = submission/sender_retain
> to the 'accept authenticated = *' statement.[1]

Since we set local_from_check = false and local_sender_retain = true
globally by default, setting submission/sender_retain is a no-op for
our default configuration.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt  | Fax: *49 621 72739835
On 2005-10-30 Marc Haber <mh+pkg-exim4-users@zugschlus.de> wrote:
> On Sat, Oct 29, 2005 at 11:10:30AM +0200, Andreas Metzler wrote:
[...]
> > BTW, I wonder whether we should add
> > control = submission/sender_retain
> > to the 'accept authenticated = *' statement.[1]

> Since we set local_from_check = false and local_sender_retain = true
> globally by default, setting submission/sender_retain is a no-op for
> our default configuration.

[imagine me consulting the documentation]
[...]
eh. no. ;-)

Neither local_from_check = false nor local_sender_retain = true *add*
missing Message-ID and Date headers to messages submitted by
authenticated SMTP, which is what
control = submission/sender_retain
is supposed to do.

cu andreas
-- 
The 'Galactic Cleaning' policy undertaken by Emperor Zhark is a personal
vision of the emperor's, and its inclusion in this work does not constitute
tacit approval by the author or the publisher for any such projects,
howsoever undertaken. (c) Jasper Ffforde
On Sun, Oct 30, 2005 at 06:16:54PM +0100, Andreas Metzler wrote:
> Neither local_from_check = false nor local_sender_retain = true *add*
> missing Message-ID and Date headers to messages submitted by
> authenticated SMTP, which is what
> control = submission/sender_retain
> is supposed to do.

I now understand what you mean. Yes, I agree that this should be
added. My suggestion for the new acl file is attached, and I have even
rudimentarily tested it. Please comment.

Greetings
Marc

### acl/30_exim4-config_check_rcpt
#################################
# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.
#
acl_check_rcpt:

  # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
  # testing for an empty sending host field.
  accept
    hosts = :

  # The following section of the ACL is concerned with local parts that contain
  # certain non-alphanumeric characters. Dots in unusual places are
  # handled by this ACL as well.
  #
  # Non-alphanumeric characters other than dots are rarely found in genuine
  # local parts, but are often tried by people looking to circumvent
  # relaying restrictions. Therefore, although they are valid in local
  # parts, these rules disallow certain non-alphanumeric characters, as
  # a precaution.
  #
  # Empty components (two dots in a row) are not valid in RFC 2822, but Exim
  # allows them because they have been encountered. (Consider local parts
  # constructed as "firstinitial.secondinitial.familyname" when applied to
  # a name without a second initial.) However, a local part starting
  # with a dot or containing /../ can cause trouble if it is used as part of a
  # file name (e.g. for a mailing list). This is also true for local parts that
  # contain slashes. A pipe symbol can also be troublesome if the local part is
  # incorporated unthinkingly into a shell command line.
  #
  # Two different rules are used. The first one has a quite strict
  # default, and is applied to messages that are addressed to one of the
  # local domains handled by this host.
  # If you have local accounts that include strange characters, you can
  # use the macro provided to change the ACL range or to disable the
  # check completely.
  .ifdef CHECK_RCPT_LOCAL_LOCALPARTS
  deny
    domains = +local_domains
    local_parts = CHECK_RCPT_LOCAL_LOCALPARTS
    message = restricted characters in address
  .endif

  # The second rule applies to all other domains, and its default is
  # considerably less strict.
  .ifdef CHECK_RCPT_REMOTE_LOCALPARTS
  deny
    domains = !+local_domains
    local_parts = CHECK_RCPT_REMOTE_LOCALPARTS
    message = restricted characters in address
  .endif

  # Accept mail to postmaster in any local domain, regardless of the source,
  # and without verifying the sender.
  #
  accept
    .ifndef CHECK_RCPT_POSTMASTER
    local_parts = postmaster
    .else
    local_parts = CHECK_RCPT_POSTMASTER
    .endif
    domains = +local_domains : +relay_to_domains

  # deny bad senders (envelope sender)
  # CONFDIR/local_sender_blacklist holds a list of envelope senders that
  # should have their access denied to the local host. Incoming messages
  # with one of these senders are rejected at RCPT time.
  #
  # The explicit white lists are honored as well as negative items in
  # the black list. See /usr/share/doc/exim4-config/default_acl for details.
  deny
    message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
    !acl = acl_whitelist_local_deny
    senders = ${if exists{CONFDIR/local_sender_blacklist}\
                   {CONFDIR/local_sender_blacklist}\
                   {}}

  # deny bad sites (IP address)
  # CONFDIR/local_host_blacklist holds a list of host names, IP addresses
  # and networks (CIDR notation) that should have their access denied to
  # the local host. Messages coming in from a listed host will have all
  # RCPT statements rejected.
  #
  # The explicit white lists are honored as well as negative items in
  # the black list. See /usr/share/doc/exim4-config/default_acl for details.
  deny
    message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
    !acl = acl_whitelist_local_deny
    hosts = ${if exists{CONFDIR/local_host_blacklist}\
                 {CONFDIR/local_host_blacklist}\
                 {}}

  # Deny unless the sender address can be verified.
  #
  # This is disabled by default so that DNSless systems don't break. If
  # your system can do DNS lookups without delay or cost, you might want
  # to enable this feature.
  .ifdef CHECK_RCPT_VERIFY_SENDER
  deny
    message = Sender verification failed
    !acl = acl_whitelist_local_deny
    !verify = sender
  .endif

  # For some sender domains, we do callout to verify if a sender
  # exists.
  deny
    !acl = acl_whitelist_local_deny
    senders = ${if exists{CONFDIR/local_sender_callout}\
                   {CONFDIR/local_sender_callout}\
                   {}}
    !verify = sender/callout

  # For some recipient domains, we do callout to verify if a recipient
  # exists. This is especially handy for customers that receive a lot of
  # spam to non-existent addresses.
  deny
    !acl = acl_whitelist_local_deny
    recipients = ${if exists{CONFDIR/local_rcpt_callout}\
                      {CONFDIR/local_rcpt_callout}\
                      {}}
    !verify = recipient/callout

  # Warn if the sender host does not have valid reverse DNS.
  #
  # If your system can do DNS lookups without delay or cost, you might want
  # to enable this.
  # If sender_host_address is defined, it's a remote call. If
  # sender_host_name is not defined, then reverse lookup failed. Use
  # this instead of !verify = reverse_host_lookup to catch deferrals
  # as well as outright failures.
  .ifdef CHECK_RCPT_REVERSE_DNS
  warn
    message = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
    condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\
                     {yes}{no}}
  .endif

  # Accept if the message arrived over an authenticated connection, from
  # any host. Again, these messages are usually from MUAs, so recipient
  # verification is omitted.
  #
  accept
    authenticated = *
    control = submission/sender_retain

  # Check against classic DNS "black" lists (DNSBLs) which list
  # sender IP addresses
  .ifdef CHECK_RCPT_IP_DNSBLS
  warn
    message = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
    log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
    dnslists = CHECK_RCPT_IP_DNSBLS
  .endif

  # Check against DNSBLs which list sender domains, with an option to locally
  # whitelist certain domains that might be blacklisted. If you want one
  # blacklist per domain, you need to replicate the stanza for each DNSBL.
  .ifdef CHECK_RCPT_DOMAIN_DNSBLS
  warn
    message = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
    log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
    !senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\
                    {CONFDIR/local_domain_dnsbl_whitelist}\
                    {}}
    dnslists = CHECK_RCPT_DOMAIN_DNSBLS/$sender_address_domain
  .endif

  # This hook allows you to hook in your own ACLs without having to
  # modify this file. If you do it like we suggest, you'll end up with
  # a small performance penalty since there is an additional file being
  # accessed. This doesn't happen if you leave the macro unset.
  .ifdef CHECK_RCPT_LOCAL_ACL_FILE
  .include CHECK_RCPT_LOCAL_ACL_FILE
  .endif

  # Accept if the address is in a local domain, but only if the recipient can
  # be verified. Otherwise deny. The "endpass" line is the border between
  # passing on to the next ACL statement (if tests above it fail) or denying
  # access (if tests below it fail).
  #
  accept
    domains = +local_domains
    endpass
    message = unknown user
    verify = recipient

  # Accept if the address is in a domain for which we are relaying, but again,
  # only if the recipient can be verified.
  #
  # If you want to use the more conservative "unknown user" error
  # message in case of a non-existing local part, you might want to
  # set CHECK_RCPT_GIVE_UNKNOWN_USER. However, this might reveal
  # local information, which is the cause for it not being enabled by
  # default.
  accept
    domains = +relay_to_domains
    endpass
    .ifdef CHECK_RCPT_GIVE_UNKNOWN_USER
    message = ${if eq{$acl_verify_message}{Unrouteable address}{unknown user}{$acl_verify_message}}
    .else
    message = unrouteable address
    .endif
    verify = recipient

  ############
  # If control reaches this point, the domain is neither in +local_domains
  # nor in +relay_to_domains.
  ############

  # Accept if the message comes from one of the hosts for which we are an
  # outgoing relay. Recipient verification is omitted here, because in many
  # cases the clients are dumb MUAs that don't cope well with SMTP error
  # responses. If you are actually relaying out from MTAs, you should probably
  # add recipient verification here.
  #
  accept
    hosts = +relay_from_hosts
    control = submission/sender_retain

  # Reaching the end of the ACL causes a "deny", but we might as well give
  # an explicit message.
  #
  deny
    message = relay not permitted

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt  | Fax: *49 621 72739835
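A small Python model of the ordering question discussed in this thread, added here and not part of the thread or of the exim4 package: it evaluates the three placements of accept authenticated = * (stock, at the top as proposed in the question, and after the local blacklists as in the file above) against an authenticated sender that is DNSBL-listed or locally blacklisted. It assumes the DNSBL stanza is used as a hard deny, as in the original question, rather than the stock warn.

```python
# Toy model of Exim ACL evaluation order: statements run top to bottom, the
# first accept or deny whose conditions all hold ends the ACL, and an accept
# that fails a condition after 'endpass' denies instead of falling through.
# Constructed for illustration; the conditions are plain predicates over a
# dict describing one RCPT, not Exim expansions.

def run_acl(acl, session):
    """Return ('accept' | 'deny', reason) for one RCPT under the given ACL.

    Each statement is (verb, reason, conditions, endpass); endpass is the
    index in conditions after which a failure denies. Running off the end
    denies, like the final 'relay not permitted' stanza in check_rcpt.
    """
    for verb, reason, conds, endpass in acl:
        results = [cond(session) for cond in conds]
        if verb == "accept":
            if all(results):
                return "accept", reason
            if endpass is not None and all(results[:endpass]):
                return "deny", reason  # failed a post-endpass condition
        elif verb == "deny" and all(results):
            return "deny", reason
        elif verb == "require" and not all(results):
            return "deny", reason
    return "deny", "relay not permitted"

# Predicates standing in for authenticated = *, senders = <blacklist>,
# dnslists = ..., domains = +local_domains and verify = recipient.
authenticated = lambda s: s["authenticated"]
blacklisted_sender = lambda s: s["sender_blacklisted"]
dnsbl_listed = lambda s: s["dnsbl_listed"]
local_domain = lambda s: s["domain"] == "local"
recipient_ok = lambda s: s["recipient_exists"]

AUTH = ("accept", "authenticated", [authenticated], None)
BLACKLIST = ("deny", "sender locally blacklisted", [blacklisted_sender], None)
# Assumption: the DNSBL stanza is used as a hard blocklist, as in the
# original question, rather than the stock 'warn' that only adds a header.
DNSBL = ("deny", "sender host is DNSBL listed", [dnsbl_listed], None)
LOCAL = ("accept", "unknown user", [local_domain, recipient_ok], 1)

ORDERINGS = {
    # stock Debian file: authentication is tested next to last
    "stock": [BLACKLIST, DNSBL, LOCAL, AUTH],
    # the proposal from the question: authentication first
    "auth_first": [AUTH, BLACKLIST, DNSBL, LOCAL],
    # the ordering agreed in the thread: after the local blacklists and
    # sender checks, before the DNSBL and recipient verification
    "auth_before_dnsbl": [BLACKLIST, AUTH, DNSBL, LOCAL],
}

def decide(ordering, **session):
    return run_acl(ORDERINGS[ordering], session)

if __name__ == "__main__":
    roaming = dict(authenticated=True, sender_blacklisted=False,
                   dnsbl_listed=True, domain="remote", recipient_exists=True)
    for name in ORDERINGS:
        print(name, decide(name, **roaming))
```

Under the stock order the roaming authenticated user is refused by the DNSBL; putting the accept first would also let a locally blacklisted sender through, which is the objection raised above, while the agreed placement keeps the blacklist but skips the DNSBL for authenticated submissions.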
Marc Haber <mh+pkg-exim4-users@zugschlus.de> wrote:
>
> Tony's configuration from Cambridge does sender verification after
> accepting authenticated senders, so that authenticated senders
> receive a bounce to their inbox instead of having the message rejected
> (and the SMTP error message probably hidden from them by their
> "user-friendly" MUA). I am not sure whether we should go with Tony's
> idea which surely is appropriate for the University.

Er, that's a rather mangled description. When acting as an outgoing
relay, my servers do sender verification but not recipient verification,
which has the effect you describe. (They have to do sender verification
so they have somewhere to send the bounce!)

The default Exim configuration now does something like the following,
which is about right for a server which can act both as an MX and as an
outgoing relay.

  accept local_parts = postmaster
         domains = +local_domains

  require verify = sender

  accept hosts = +relay_from_hosts
  accept authenticated = *

  # anti-spam checks

  require verify = recipient

  accept domains = +local_domains
  accept domains = +relay_to_domains

  deny message = relay not permitted

Tony.
-- 
f.a.n.finch <dot@dotat.at> http://dotat.at/
ARDNAMURCHAN POINT TO CAPE WRATH INCLUDING THE OUTER HEBRIDES: SOUTH OR
SOUTHWEST 6 TO GALE 8. RAIN OR SQUALLY SHOWERS. MODERATE OR GOOD. ROUGH OR
VERY ROUGH, PERHAPS HIGH AT FIRST WEST OF THE OUTER HEBRIDES.
On Mon, Oct 31, 2005 at 11:43:56AM +0000, Tony Finch wrote:
> Marc Haber <mh+pkg-exim4-users@zugschlus.de> wrote:
> > Tony's configuration from Cambridge does sender verification after
> > accepting authenticated senders, so that authenticated senders
> > receive a bounce to their inbox instead of having the message rejected
> > (and the SMTP error message probably hidden from them by their
> > "user-friendly" MUA). I am not sure whether we should go with Tony's
> > idea which surely is appropriate for the University.
>
> Er, that's a rather mangled description.

I apologize for misreading.

> The default Exim configuration now does something like the following,
> which is about right for a server which can act both as an MX and as an
> outgoing relay.
>
>   accept local_parts = postmaster
>          domains = +local_domains
>
>   require verify = sender
>
>   accept hosts = +relay_from_hosts
>   accept authenticated = *
>
>   # anti-spam checks
>
>   require verify = recipient
>
>   accept domains = +local_domains
>   accept domains = +relay_to_domains
>
>   deny message = relay not permitted

That will keep relayed messages from being subject to the anti-spam
checks, which might be desirable, or not, depending on the setup and
structure of the relay_from_hosts. Generally, not relaying for knowingly
compromised hosts would be a good idea, IMO.

Oh, btw, would it be possible to publish ppswitch's configuration in a
greppable form? The PDF of your excellent paper is rather clumsy to
handle in cases like this when it needs to serve as external reference.

Greetings
Marc
-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt  | Fax: *49 621 72739835
Marc Haber <mh+pkg-exim4-users@zugschlus.de> wrote:
>
> Oh, btw, would it be possible to publish ppswitch's configuration in a
> greppable form? The PDF of your excellent paper is rather clumsy to
> handle in cases like this when it needs to serve as external reference.

Good idea. I will probably be preparing an update to the paper once the
current set of changes has settled down. I have significantly improved
the domain lists, routers, and some aspects of the parametrization.

Tony.
-- 
f.a.n.finch <dot@dotat.at> http://dotat.at/
EAST NORTHERN SECTION: CYCLONIC 6 TO GALE 8, DECREASING 4 OR 5, BECOMING
NORTHEASTERLY 6 OR 7 IN THE SOUTH. RAIN OR SHOWERS. MODERATE OR GOOD.