FolkeHacks - sendercheck for exim-4

sendercheck for exim-4

This is a hack for the exim mta version 4 www.exim.org

When a user sends mail using SMTP you have to be either openrelay (which is absolutely not ok), access can be controlled by sender-ip-address or you can require the user to authenticate itself before he can relay.

That's fine, but do you want that your users can choose their sender-address free?

What you can try is my exim-patch which provides a new acl-option called sendercheck

If a user has authenticated sendercheck looks if the sender-address the user has sent is correct.

How is that checked?
sendercheck takes the sender-address and checks if the user would got emails sent to that address. that's all.

First of all you need to enable authentication. Also pam authentication has to be enabled, or sasl or something.
With pam your authenticators could look like:
begin authenticators

    driver = plaintext
    public_name = PLAIN
    server_condition = \
    ${if pam{$2:${sg{$3}{:}{::}}}{yes}{no}}
    server_set_id = $2

    driver = plaintext
    public_name = LOGIN
    server_prompts = Username:: : Password::
    server_condition = \
    ${if pam{$1:${sg{$2}{:}{::}}}{yes}{no}}
    server_set_id = $1
Then you need to advertise the authenticator(s):
auth_advertise_hosts = *
or only if the user uses SSL encryption (my preferred config, but then you need to configure SSL/TLS first):
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
Then you can put someting like this in your acl (usually the acl_smtp_rcpt acl):
  deny      message         = "Do not fake yout sender address. Change them or authenticate as another user"
            authenticated   = *
I will not explain exim-acl here, you have to be familiar with it.

Patch for exim-4.33: exim-4.33-sendercheck.diff
works also with exim-3.34

Back to FolkeHacks


© 1999-2023 by Folke Ashberg | <>