Disable Exim local relay via Telnet
Hello,
One of my clients is complaining that he is able to connect to the server via telnet and send a test email to himself (spoofing himself) without authentication.
Now I know this is by design but he thinks it is a security risk and someone can spoof him even if the emails are filtered into the spam folder correctly.
Can something be done to disable this in Exim?
Researching for hours and not finding a solution ...
Latest version of cPanel/WHM used.
-
Hello! This is just how all mail servers work, not just Exim. When you connect to the server from the same server via telnet or any other method, or you try to send an email to someone on that server, you do not need to authenticate (to that server). If it didn't work this way, email accounts would be unable to accept emails. Exim (and many other MTAs) know when authentication is needed or not. Exim by default is not an open relay. Accepting email to be delivered to a domain on your server means you never require authentication when relaying to your server, no matter where it is from. You only require authentication when relaying *through* your server. Notice "through" your server. That's when authentication is required, but when sending from your server to your server, you are already authenticated. If someone knows two accounts on the server, they can send to them without authentication. But they cannot send to another account on another server through your server. I hope this information helps! Please let me know if you have any further questions. 0 -
Dear cPanelAnthony, I already know that. However, my customer is insisting that someone can on purpose spoof his mail and use this method to spam him without authentication. So what I am asking is if there is a way to always require authentication even locally or at least a method to block such behavior - hard fail on SPF for example. 0 -
The short answer is that there would be unfortunately no way to change this behavior. It is inherent within Exim and can't be bypassed. Is your client concerned that just anyone could telnet to the server at any time to send emails? In order for his concern to occur, the person attempting to spoof would already need to have access to the server, or at least, a cPanel account; which means, an account would have to be compromised already. 0 -
No, the person attempting to spoof needs only to know that an email account exists, for example: info@domain.com, after that he can just telnet on mail.domain.com 25 and start sending mails from info@domain.com to info@domain.com or from test@domain.com. No authentication is required. You can test that on any cPanel server - works like a charm and can be easily automated via scripts. 0 -
How do you think Gmail, Hotmail, Yahoo, Comcast, and any other email provider send emails to the email address? Better shut those services down too because they're a part of this "security hole". 0 -
Anyone with a little knowledge and a decent email client can send emails that seem to come from whatever email address they choose. The sender address can be configured in the email client. You don't need telnet or local relay to do that. I am very often getting emails that seem to come from my own email address. 0 -
As @quietFinn and @sparek-3 stated, this is just a reality of how email works. It is easy for anyone to make an email seem like it comes from another address. 0
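To measure how often the scenario discussed in this thread actually occurs on a server, the following added example (not part of the thread, and not cPanel or Exim code) scans Exim main-log arrival lines and reports messages that came in over SMTP without authentication while claiming an envelope sender in a locally hosted domain. The log lines, `LOCAL_DOMAINS` and `TRUSTED_HOSTS` are constructed for illustration; it only inspects the envelope sender, not the `From:` header.

```python
import re

# Assumptions (not from the thread): domains hosted on this server, and
# addresses allowed to submit without AUTH (here, the server itself).
LOCAL_DOMAINS = {"domain.com"}
TRUSTED_HOSTS = {"127.0.0.1", "::1"}

# Exim main-log arrival line: "<date> <time> <msgid> <= <sender> <fields...>"
ARRIVAL = re.compile(r"^(\S+ \S+) (\S+) <= (\S+) (.*)$")
# Peer address is the bracketed IP; skip a bracketed HELO literal "([ip])".
HOST_IP = re.compile(r"(?<!\()\[([0-9A-Fa-f:.]+)\]")

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    "2024-05-01 10:00:01 1s1AAA-000001-1A <= info@domain.com H=(client) [203.0.113.7]:50211 P=smtp S=612",
    "2024-05-01 10:02:14 1s1AAB-000002-2B <= info@domain.com H=(laptop) [198.51.100.4]:40112 P=esmtpsa A=dovecot_login:info@domain.com S=900",
    "2024-05-01 10:03:30 1s1AAC-000003-3C <= someone@example.net H=mail.example.net [192.0.2.25]:25 P=esmtps S=2048",
    "2024-05-01 10:04:02 1s1AAD-000004-4D <= info@domain.com U=info P=local S=512",
    "2024-05-01 10:04:03 1s1AAD-000004-4D => info <info@domain.com> R=virtual_user T=dovecot_virtual_delivery",
]

def fields(rest):
    """Collect single-token KEY=value log fields such as P= and A=."""
    out = {}
    for tok in rest.split():
        key, sep, val = tok.partition("=")
        if sep and key.isalpha() and len(key) <= 2:
            out.setdefault(key, val)   # first occurrence wins
    return out

def unauthenticated_local_sender(lines):
    """Return (msgid, sender, ip) for SMTP arrivals that claim a local
    envelope sender but carry no A= (authenticator) field."""
    hits = []
    for line in lines:
        m = ARRIVAL.match(line)
        if not m:
            continue                   # delivery or other non-arrival line
        _, msgid, sender, rest = m.groups()
        f, ip = fields(rest), HOST_IP.search(rest)
        if not ip or f.get("P") == "local":
            continue                   # submitted on the box, not via SMTP
        if "A" in f or ip.group(1) in TRUSTED_HOSTS:
            continue                   # authenticated or trusted submitter
        if sender.rpartition("@")[2].lower() in LOCAL_DOMAINS:
            hits.append((msgid, sender, ip.group(1)))
    return hits

if __name__ == "__main__":
    print(unauthenticated_local_sender(SAMPLE_LOG))
```

Legitimate forwarders and third-party services that send on behalf of a local domain will also appear in this report, so the hits need review before any blocking decision is made.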