Q5023
Why does Exim do ident callbacks by default? Isn't this just a waste of resources? I've been told this is an ancient way of authentication. Is it obsolete?
This is a common misunderstanding, at least partially resulting from the
incorrect naming of the protocol when it was first published. The
service on port 113 is an identification service, which allows a target
host to record information identifying the user responsible for making a
connection to it. The information may not be intelligible to the
recording host - it could, for example, be encrypted so that only
someone on the calling host can make sense of it. It is useful for
providing additional information in an audit trail. At least one site
has found ident effective against two rather prevalent kinds of open
proxy (whether already blacklisted at the RBLs or not). An ACL statement
is used to reject mail from servers that return ident strings of
"squid" and "CacheFlow Server". Snippets such as this in the RCPT ACL do
the trick:

    deny condition = ${if eq{$sender_ident}{CacheFlow Server}{1}{0}}
         message = Rejected - appears to be an unsecured proxy: $sender_ident
The likelihood that a genuine mail process would return those specific
ident strings is vanishingly small.

The ident data should not be used for authentication in any form except
on a closed secure network between cooperating hosts (probably not even
then). The information from the source host is only as reliable as the
host itself. If it's not under your control then you have to treat the
information as opaque data that can be used only by the sysadmin of the
source system to trace back connection data. Some ident implementations
send out opaque cookies or DES encrypted information.

Ident is hugely useful at times - especially for checking back on
connections from multiuser machines (as opposed to one-person desktop
boxes). You can stop Exim making ident calls by adding

    rfc1413_query_timeout = 0s

to its configuration, but it is better to leave it active (reducing the
timeout to 10s or less if it is causing problems) - it costs very little,
and in cases of mail forgery from a multiuser system can track the sinner
concerned very quickly.
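The ident exchange and the ACL decision described above, as an added worked example in Python that is not part of this FAQ and not Exim's own code (Exim's ident client is C inside the daemon). It builds the RFC 1413 query an MTA sends to port 113, parses the reply the peer returns, derives what $sender_ident would hold (empty on timeout, ERROR replies, malformed data or a reply about a different port pair), and re-states the FAQ's deny rule; the port numbers, user names and reply lines are constructed for the example, and the exact, case-sensitive comparison mirrors Exim's ${if eq{...}} rather than any ident-side normalisation.

```python
"""Worked example for the Exim FAQ entry on ident callbacks: an RFC 1413
(ident) reply parser plus a Python restatement of the RCPT ACL snippet
that rejects connections whose ident string names an open proxy.

Added example code, not Exim's implementation. All port numbers, user
names and reply lines here are constructed for the example."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Ident strings the FAQ's ACL rejects. Exim's ${if eq{...}} compares
# case-sensitively, so these are matched exactly and never normalised.
PROXY_IDENTS = frozenset({"squid", "CacheFlow Server"})


@dataclass
class IdentReply:
    server_port: int          # port on the host that answers (our MTA side)
    client_port: int          # port on the host that opened the SMTP connection
    userid: Optional[str]     # identifier when the reply type is USERID
    error: Optional[str]      # error token when the reply type is ERROR


def build_query(server_port: int, client_port: int) -> bytes:
    """Line the MTA sends to TCP port 113 on the peer: "<server-port> ,
    <client-port>" CRLF. The MTA's listening port (25) is the 'server'
    port in ident terms; the peer's ephemeral port is the 'client' port."""
    return f"{server_port} , {client_port}\r\n".encode("ascii")


def parse_reply(line: bytes) -> IdentReply:
    """Parse one reply line. Raises ValueError on anything malformed so the
    caller treats it as 'no ident available' instead of trusting it."""
    text = line.decode("ascii", errors="strict").rstrip("\r\n")
    # At most three splits: the identifier itself may contain colons.
    fields = text.split(":", 3)
    if len(fields) < 3:
        raise ValueError("too few fields")
    port_text, kind = fields[0], fields[1].strip().upper()
    try:
        server_port, client_port = (int(p) for p in port_text.split(","))
    except ValueError as exc:
        raise ValueError("bad port pair") from exc
    if kind == "USERID":
        if len(fields) != 4:
            raise ValueError("USERID reply needs opsys and identifier")
        # fields[2] is <opsys>[,<charset>]. This example strips only the
        # whitespace that pads the colon separators around the identifier.
        return IdentReply(server_port, client_port, fields[3].strip(), None)
    if kind == "ERROR":
        return IdentReply(server_port, client_port, None, fields[2].strip())
    raise ValueError(f"unknown reply type {kind!r}")


def sender_ident(reply: Optional[bytes], server_port: int, client_port: int) -> str:
    """What $sender_ident ends up holding: the identifier from a valid USERID
    reply for the port pair we asked about, otherwise the empty string
    (timeout / no ident server, ERROR reply, malformed or mismatched data)."""
    if reply is None:                       # timeout or connection refused
        return ""
    try:
        parsed = parse_reply(reply)
    except ValueError:
        return ""
    if (parsed.server_port, parsed.client_port) != (server_port, client_port):
        return ""                           # reply is not about our connection
    return parsed.userid or ""


def rcpt_acl_decision(ident: str) -> Tuple[str, str]:
    """Python restatement of the FAQ's ACL statement:
       deny condition = ${if eq{$sender_ident}{CacheFlow Server}{1}{0}}
            message   = Rejected - appears to be an unsecured proxy: $sender_ident
    (and the same for "squid"). Everything else falls through to accept."""
    if ident in PROXY_IDENTS:
        return "deny", f"Rejected - appears to be an unsecured proxy: {ident}"
    return "accept", ""


if __name__ == "__main__":
    # Constructed exchange: our MTA listens on 25, the peer connected from 51234.
    print("query sent:", build_query(25, 51234))
    samples = [
        b"25 , 51234 : USERID : UNIX : alice\r\n",              # accept
        b"25 , 51234 : USERID : OTHER : CacheFlow Server\r\n",  # deny
        b"25 , 51234 : USERID : OTHER : squid\r\n",             # deny
        b"25 , 51234 : USERID : OTHER : Squid\r\n",             # accept: eq is case-sensitive
        b"25 , 51234 : ERROR : HIDDEN-USER\r\n",                # accept, ident empty
        b"25 , 40000 : USERID : UNIX : bob\r\n",                # accept, wrong port pair
        None,                                                   # accept, timeout
    ]
    for reply in samples:
        ident = sender_ident(reply, 25, 51234)
        print(reply, "->", repr(ident), rcpt_acl_decision(ident))
```

The port-pair check and the ERROR/timeout handling are the parts the FAQ's point turns on: ident data is opaque and is only ever compared for exact equality against strings no genuine mail process would send, and anything that does not parse cleanly collapses to an empty $sender_ident, which the deny rule never matches.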