
FolkeHacks - sendercheck for exim-4

sendercheck for exim-4

This is a hack for the Exim MTA, version 4 (www.exim.org).

When a user sends mail using SMTP, you have three choices: run an open relay (which is absolutely not OK), control access by sender IP address, or require the user to authenticate before relaying.

That's fine, but do you want your users to be able to choose their sender address freely?

What you can try is my Exim patch, which provides a new ACL option called sendercheck.

If a user has authenticated, sendercheck checks whether the sender address the user supplied is correct.

How is that checked?
sendercheck takes the sender address and checks whether the user would get emails sent to that address. That's all.
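
A minimal model of the check described above, as an added example that is not taken from the patch or from Exim. It assumes an alias table, a local-domain list and mailbox names (all constructed here) in place of Exim's routers, and it assumes the authenticated id is a local mailbox name.

```python
# Added illustration: models the "would this user receive mail sent to
# that address?" test. All tables below are constructed sample data.
LOCAL_DOMAINS = {"example.org"}                 # constructed
ALIASES = {                                     # constructed, /etc/aliases style
    "postmaster": ["root"],
    "root": ["alice"],
    "sales": ["alice", "bob"],
    "loop-a": ["loop-b"],
    "loop-b": ["loop-a"],
}
MAILBOXES = {"alice", "bob", "carol"}           # constructed local accounts


def recipients_of(address):
    """Return the set of local mailboxes that mail to `address` reaches."""
    local, sep, domain = address.rpartition("@")
    if not sep or domain.lower() not in LOCAL_DOMAINS:
        return set()            # remote or malformed: no local user receives it
    pending, seen, final = [local.lower()], set(), set()
    while pending:
        name = pending.pop()
        if name in seen:        # guard against alias loops
            continue
        seen.add(name)
        if name in ALIASES:     # expand the alias and keep resolving
            pending.extend(target.lower() for target in ALIASES[name])
        elif name in MAILBOXES:
            final.add(name)
    return final


def sendercheck(authenticated_id, sender_address):
    """True if the authenticated user would receive mail for sender_address."""
    if not authenticated_id:
        return False            # the check only applies after authentication
    return authenticated_id.lower() in recipients_of(sender_address)


if __name__ == "__main__":
    for user, sender in [("alice", "alice@example.org"),
                         ("alice", "postmaster@example.org"),
                         ("bob", "postmaster@example.org"),
                         ("carol", "ceo@elsewhere.example")]:
        verdict = "accept" if sendercheck(user, sender) else "deny"
        print(f"{user:6} MAIL FROM:<{sender}> -> {verdict}")
```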

Usage:
First of all, you need to enable authentication. PAM authentication has to be enabled as well, or SASL or something similar.
With PAM, your authenticators could look like:
begin authenticators

fixed_plain:
    driver = plaintext
    public_name = PLAIN
    server_condition = \
    ${if pam{$2:${sg{$3}{:}{::}}}{yes}{no}}
    server_set_id = $2

fixed_login:
    driver = plaintext
    public_name = LOGIN
    server_prompts = Username:: : Password::
    server_condition = \
    ${if pam{$1:${sg{$2}{:}{::}}}{yes}{no}}
    server_set_id = $1
Then you need to advertise the authenticator(s):
auth_advertise_hosts = *
or only if the user uses SSL encryption (my preferred config, but then you need to configure SSL/TLS first):
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
Then you can put something like this in your ACL (usually the acl_smtp_rcpt ACL):
  deny      message         = "Do not fake your sender address. Change it or authenticate as another user"
            authenticated   = *
            !sendercheck
I will not explain Exim ACLs here; you have to be familiar with them.

Download:
Patch for exim-4.33: exim-4.33-sendercheck.diff
It also works with exim-3.34.


© 1999-2024 by Folke Ashberg