Re: how to make sure that anti-relaying is in place

[Wayne Topa <brittman@capital.net>]

Derrick 'dman' Hudson(dman@dman.ddts.net) is reported to have said:
> On Fri, Jul 05, 2002 at 06:45:22PM -0400, Wayne Topa wrote:
> | Derrick 'dman' Hudson(dman@dman.ddts.net) is reported to have said:
> | > On Fri, Jul 05, 2002 at 12:16:24PM -0400, Travis Crump wrote:
> 
> | > set
> | > 
> | > percent_hack_domains = :
> | > 
> | > in your exim.conf to disable that sort of relaying.
> | 
> | Not here dman.
> | 
> | :Relay test: #Test 9
> | >>> mail from: <spamtest@ip-209-23-97-177.modem.logical.net>
> | <<< 250 <spamtest@ip-209-23-97-177.modem.logical.net> is syntactically correct
> | >>> rcpt to: <nobody%mail-abuse.org@[209.23.97.177]>
> | <<< 250 <nobody%mail-abuse.org@[209.23.97.177]> verified
> | >>> QUIT
> | <<< 221 susie closing connection
> | Tested host banner: 220 susie ESMTP Exim 3.35 #1 Fri, 05 Jul 2002 18:40:09 -0400
> | System appeared to accept 1 relay attempts
> | 
> | I added your above suggestion and it stays the same after an exim force-reload.
> 
> Interesting.  I use exim4 now, and my rcpt acl rejects the '%' (and
> other stuff) outright.
> 
> I still have my exim3 configs, so I grabbed a copy of the binary to
> test it :
> 
> $ ./usr/sbin/exim -C exim3.conf -bv 'nobody%mail-abuse.org@[192.168.0.154]'
> nobody%mail-abuse.org@[192.168.0.154] failed to verify:
>   unknown local-part "nobody%mail-abuse.org" in domain "[192.168.0.154]"
> 
> With the exim3 config I used to have, it wouldn't have accepted it.


VT3-Buddy:~# exim -bv '<nobody%mail-abuse.org@[209.23.96.24]>'
nobody%mail-abuse.org@[209.23.96.24] verified

or
VT3 root-3-Buddy:~# exim -bv '<nobody%mail-abuse.org@[192.168.1.3]>'
nobody%mail-abuse.org@[192.168.1.3] verified
and with the mailserver domain.

Actually, any ip address in the above verfies.

That is with the Directive (below) in the exim.conf.
> What does your setup report when you try the '-bv' option?
> 
> | I also changed smtp_verify = true & false and still get Test 9 working.
> | Anything else that I might have wrong?
> 
> I see you're not online right now, otherwise I would try actually
> sending a message to myself through your server.  I recommend actually
> trying the complete delivery, then you'll know for certain whether or
> not your config will bounce the message later as Dave thinks it will.
> 
> 
> If all the valid local parts for your domain are actual local users,
> you can put this director first to exclude any non-valid local parts
> in the first place (this sort of thing is easier in exim4 with the
> ACLs, BTW) :
> 
> # This director matches local user mailboxes.
> verify_local :
>     driver = localuser
> 
>     # only use this director when verifying an address
>     verify_only
> 
>     # if the verification fails, don't continue with the other directors
>     more = false

So the end result is that it still fails test 9

:Relay test: #Test 9
>>> mail from: <spamtest@ip-209-23-98-208.modem.logical.net>
<<< 250 <spamtest@ip-209-23-98-208.modem.logical.net> is syntactically correct
>>> rcpt to: <nobody%mail-abuse.org@[209.23.98.208]>
<<< 250 <nobody%mail-abuse.org@[209.23.98.208]> verified
>>> QUIT


Wayne
-- 
Bad or missing mouse driver. Spank the cat [Y/N]?
_______________________________________________________


-- 
To UNSUBSCRIBE, email to debian-user-request@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org