Hardening cPanel Exim to check if sender email address exists on server
Greetings,
Firstly, let me say that what I am about to say is already possible and was told to me by a cPanel tech a few years ago, but I am unable to find the data on how it is done.
Issue: when an SMTP authenticated user authenticates with a userid and password he / she is able to use any email address / domain name to send out email from the server. By default there is no check if the email id / sender domain exists on that system or not.
There is / was a way to do this on cPanel and the techs had given me the exact place in the Exim configuration where I had to place the line.
Unfortunately I do not have access to OLD cPanel support communication.
Can a cPanel tech or someone please mention where this custom line is added in the Exim Advanced configurations?
What I need is that upon authentication I want to use the same userid / domain name to send out my email. This will help catch spammers and reduce spam to a large extent.
-
Hello
I did find a text file in my notes and I think the line to be added is as under. Can you guide me on which section I can put it in?
------------
deny ! sender_domains = lsearch;/etc/localdomains
! domains = lsearch;/etc/localdomains
-------------
Content of the OLD text file I found is as under. This has to be a straight copy and paste from my earlier communication with a cPanel tech.
#!!# ACL that is used after the RCPT command
check_recipient:
# Exim 3 had no checking on -bs messages, so for compatibility
# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.
deny ! sender_domains = lsearch;/etc/localdomains
! domains = lsearch;/etc/localdomains
[% ACL_RATELIMIT_BLOCK %]
ADDED IN CUSTOM_END_CHECK_MESSAGE_PRE
custom_begin_smtp_auth
begin_ratelimit
0 -
Hey there! Your text has the answer to your question at the bottom - there is a CUSTOM_END_CHECK_MESSAGE_PRE box in the Exim Configuration >> Advanced Editor page, so it looks like that's what you need to use.
0 -
When I add the same in custom_end_check_message_pre, these lines take care of the 1st issue: it will not let those emails go out where the sender domain is not hosted on the same server.
deny ! sender_domains = lsearch;/etc/localdomains
! domains = lsearch;/etc/localdomains
However, after doing this the system does not accept any email from the world, so no email from Gmail or Hotmail will come to this system. I can, however, send mails to them.
What am I missing here?
0 -
I'm honestly not sure what the customization could be. I see from the screenshot in your current ticket that Stephen mentioned the "check_recipients" ACL as a place to put part of those lines, but if I'm reading that correctly this advice was from 2008, so I'm not sure if that is accurate any longer.
You may want to reach out to the Exim users list to see if they have specific recommendations for this behavior.
0 -
I still think my best bet is to find a solution here, as the cPanel users are / at least used to be a lot more active earlier.
I can understand that this might be out of scope for you, but is there any chance any expert Exim administrator at your end would know? This customisation did get carried forward to Exim 4 because I was using it on the earlier system; I just do not know where it was added.
0 -
Hello
I found this option in the cPanel Exim advanced configuration:
local_from_check. By default this is set to FALSE on a cPanel server. I made this TRUE.
Is it possible that this is doing the same functionality? Or does this have any other purpose?
0 -
Here are the details from the Exim docs at https://www.exim.org/exim-html-current/doc/html/spec_html/ch-main_configuration.html
"When a message is submitted locally (that is, not over a TCP/IP connection) by an untrusted user, Exim removes any existing Sender: header line, and checks that the From: header line matches the login of the calling user and the domain specified by qualify_domain.
Note: An unqualified address (no domain) in the From: header in a locally submitted message is automatically qualified by Exim, unless the -bnq command line option is used.
You can use local_from_prefix and local_from_suffix to permit affixes on the local part. If the From: header line does not match, Exim adds a Sender: header with an address constructed from the calling user’s login and the default qualify domain.
If local_from_check is set false, the From: header check is disabled, and no Sender: header is ever added. If, in addition, you want to retain Sender: header lines supplied by untrusted users, you must also set local_sender_retain to be true.
These options affect only the header lines in the message. The envelope sender is still forced to be the login id at the qualify domain unless untrusted_set_sender permits the user to supply an envelope sender.
For messages received over TCP/IP, an ACL can specify “submission mode” to request similar header line checking. See section 48.12, which has more details about Sender: processing."
0 -
Buddy, can you please let me know in simple English if this is an OK setting to keep or if it will cause security problems on the server? In whatever little testing I could do (testing via Outlook) this is doing what I intended.
0 -
It's completely fine to keep that setting.
0
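Added example, not part of the thread and not cPanel's or Exim's own shipped configuration: the Exim documentation quoted above says local_from_check concerns locally submitted messages and that mail received over TCP/IP is handled in an ACL, so this sketch shows the thread's sender-domain test limited to SMTP-authenticated sessions in a RCPT-time ACL. It assumes /etc/localdomains lists the hosted domains, as in the thread; the second rule also assumes the authenticator sets $authenticated_id to the full mailbox address. Which Advanced Editor box feeds the RCPT ACL is not stated on this page.

```exim
# Added example for an Exim RCPT-time ACL (the ACL named by acl_smtp_rcpt).
# Assumption: /etc/localdomains holds one hosted domain per line, as in the thread.

# Rule from the thread, for comparison. It has no "authenticated" condition,
# and "domains" tests the recipient domain, which only exists at RCPT time.
#   deny  !sender_domains = lsearch;/etc/localdomains
#         !domains        = lsearch;/etc/localdomains

# Scoped rule: applies only to sessions that completed SMTP AUTH, so
# unauthenticated inbound mail from remote domains never matches it.
deny
  authenticated   = *
  !sender_domains = lsearch;/etc/localdomains
  message         = Authenticated senders must use a domain hosted on this server
  log_message     = auth user $authenticated_id used non-local sender $sender_address

# Stricter variant (assumption: $authenticated_id is the full mailbox address,
# e.g. user@example.com; adjust if the authenticator sets a bare login name).
deny
  authenticated = *
  condition     = ${if !eqi{$sender_address}{$authenticated_id}}
  message       = Envelope sender must match the authenticated mailbox
```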