
I have set up a simple mail server with Exim and Dovecot. Since obviously I don't want to have an open relay server, I want to restrict the access from outside. I figured the following configuration:

  1. Dovecot listens at ports 587 and 993, performs the authentication/authorization with my LDAP server, which works fine.
  2. Exim does not perform any user authentication by itself, only receives external mail and distributes it to users' maildirs. So far so good.
  3. Here is my problem - if I want to send an email, my MUA talks to Dovecot submission module -> it authenticates and authorizes the user -> and relays the email to Exim. In Dovecot I have configured:
    submission_relay_host = 127.0.0.1
    submission_relay_port = 25

and added in Exim the relevant ACL that allows a relay only from localhost, since Dovecot is running on the same machine. Despite the fact I am not using any public IP address in the configuration, still Exim resolves the connection as being made from the public IP of my server, and allows relaying only if I add it to the Exim ACL.

Two questions:

  1. How much of a security issue is it if I allow this one public IP in the Exim ACL? I can imagine an IP-spoofing attack, but the attacker would have to spoof the IP of my server, which I believe would make the communication between two same IPs impossible... Right? Therefore the preferred option:
  2. How can I force Dovecot talk to Exim using a loopback and not public IP? Is it Dovecot figuring out that it should use public IP to talk to Exim, or Exim resolves localhost's IP address to the public one? In /etc/hosts I have only an entry for 127.0.0.1 (localhost) and don't even have the public IP listed with the FQDN...
Bartek

1 Answer


You get fewer problems if you let Exim instead of dovecot listen on the Submission port and do the job of transferring mails (use daemon_smtp_ports = 25 : 465 : 587). You can configure Exim to use dovecot for user authentication (on my system in a new file /etc/exim4/conf.d/auth/35_exim4-config_auth_server):

DOVECOT_AUTH_SOCKET = /var/run/dovecot/auth-client
plain:
        driver = dovecot  
        public_name = PLAIN
        server_socket = DOVECOT_AUTH_SOCKET
        server_set_id = $auth1
        server_advertise_condition = ${if eq{$tls_in_cipher}{}{no}{yes}}
[...]

The $tls_in_cipher has been renamed at some point, I believe, please check the docs. Make sure users have to authenticate on submission port (on my system in /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt):

acl_check_rcpt:

 # deny non-authenticated messages on submission port
 deny
    condition = ${if eq{$interface_port}{587}}
    ! hosts         = <; ; 127.0.0.1 ; localhost ; ::1
    ! authenticated = *
    message = Please authenticate on submission port (587)

#[... your checks ...]

 # accept authenticated messages on submission port
 accept
   condition = ${if eq{$interface_port}{587}}
   authenticated = *
   #add_header = X-Submission: true
   control = submission/sender_retain

You need to define the auth listener in Dovecot then (on my system in /etc/dovecot/conf.d/10-master.conf):

  # the listener belongs inside the auth service block
  service auth {
    unix_listener auth-client {
      mode = 0660
      user = Debian-exim
    }
  }
Adrian Zaugg
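Once Exim owns port 587 as the answer describes, the two properties worth verifying from the outside are that AUTH is only offered after STARTTLS (the server_advertise_condition) and that an unauthenticated RCPT to a foreign domain is denied with a 5xx. The following probe is an added example, not code from the question or the answer; the host name, the sender/recipient addresses and the port are placeholders you replace with your own server's values.

```python
"""Probe an SMTP submission endpoint for the policy the Exim ACL above enforces.

Added example (not from the original post). Assumes a submission server
reachable at HOST:PORT; all addresses below are constructed placeholders.
"""
import smtplib
import ssl

HOST = "mail.example.invalid"   # placeholder: your own server
PORT = 587
HELO_NAME = "probe.example.invalid"
MAIL_FROM = "probe@example.invalid"
# A recipient in a domain the server is NOT responsible for, so that accepting
# it would mean the server relays for strangers.
RCPT_TO = "relay-test@example.net"


def evaluate_policy(auth_before_tls, auth_after_tls, unauth_rcpt_code):
    """Return a list of findings; an empty list means the policy holds.

    auth_before_tls:  AUTH advertised on the cleartext EHLO
    auth_after_tls:   AUTH advertised on the EHLO after STARTTLS
    unauth_rcpt_code: SMTP reply code for RCPT TO without authentication
    """
    findings = []
    if auth_before_tls:
        findings.append("AUTH advertised before STARTTLS: "
                        "server_advertise_condition is not in effect")
    if not auth_after_tls:
        findings.append("AUTH not advertised after STARTTLS: "
                        "clients will be unable to authenticate")
    if 200 <= unauth_rcpt_code < 300:
        findings.append("unauthenticated RCPT accepted: open relay")
    elif 400 <= unauth_rcpt_code < 500:
        findings.append("unauthenticated RCPT only deferred (4xx); "
                        "the ACL should deny with a 5xx")
    return findings


def probe(host=HOST, port=PORT):
    """Run the live check against host:port and return the findings."""
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo(HELO_NAME)
        auth_before = smtp.has_extn("auth")

        # Self-signed certificates are common on test boxes; we only care
        # about the policy here, not about certificate validity.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        smtp.starttls(context=ctx)

        smtp.ehlo(HELO_NAME)            # features must be re-read after TLS
        auth_after = smtp.has_extn("auth")

        code, _ = smtp.mail(MAIL_FROM)
        if 200 <= code < 300:
            code, _ = smtp.rcpt(RCPT_TO)   # no AUTH issued on purpose
        smtp.rset()
        return evaluate_policy(auth_before, auth_after, code)


if __name__ == "__main__":
    for finding in probe() or ["policy OK: AUTH only over TLS, relay denied"]:
        print(finding)
```

The pure `evaluate_policy` function holds the expectations, so the same rules can be checked against captured session data as well as against a live server; a 550 from the deny verb in acl_check_rcpt with AUTH hidden on the cleartext EHLO yields no findings.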