Bug#296132: marked as done (exim4-config: suggest sender verification in default config)

Debian Bug Tracking System owner@bugs.debian.org
Sun, 20 Feb 2005 10:03:57 -0800


Your message dated Sun, 20 Feb 2005 18:58:04 +0100
with message-id <20050220175804.GA21908@lefler.int.l21.ma.zugschlus.de>
and subject line exim4-config: suggest sender verification in default config
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 20 Feb 2005 14:40:15 +0000
>From ejb@ql.org Sun Feb 20 06:40:15 2005
Return-path: <ejb@ql.org>
Received: from lakermmtao05.cox.net [68.230.240.34] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1D2sFr-0003pW-00; Sun, 20 Feb 2005 06:40:15 -0800
Received: from gwendolyn ([68.100.122.41]) by lakermmtao05.cox.net
          (InterMail vM.6.01.04.00 201-2131-117-20041022) with ESMTP
          id <20050220143944.WTVZ20274.lakermmtao05.cox.net@gwendolyn>;
          Sun, 20 Feb 2005 09:39:44 -0500
Received: from soup ([10.160.59.17])
	by gwendolyn with esmtp (Exim 4.44)
	id 1D2sFM-00086U-CB; Sun, 20 Feb 2005 09:39:44 -0500
Received: from ejb by soup with local (Exim 4.44)
	id 1D2sFQ-0001xx-SG; Sun, 20 Feb 2005 09:39:48 -0500
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Jay Berkenbilt <ejb@ql.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: exim4-config: suggest sender verification in default config
X-Mailer: reportbug 3.7.1
Date: Sun, 20 Feb 2005 09:39:48 -0500
Message-Id: <E1D2sFQ-0001xx-SG@soup>
Delivered-To: submit@bugs.debian.org

Package: exim4-config
Version: 4.44-2
Severity: wishlist

I recently switched from sendmail to exim4 and have been quite happy
with the results.  There is, however, one important feature that is
present in the sendmail default config and not in the Debian exim4
default config: sender domain verification.  On my fairly small site,
we get hit with about one message with an invalid sender domain every
15 seconds.

Adding this to the default config is trivial.  Just add this line in
the main section:

acl_smtp_mail = acl_check_mail

And this stanza:

acl_check_mail:
  accept verify = sender

in the ACL section.  If this is not always enabled, I'd suggest at
least making it an option that comes up during debconf or possibly
just enabling it in any configuration that accepts incoming email from
the Internet.

-- Package-specific info:
Exim version 4.44 #1 built 27-Jan-2005 13:55:35
Copyright (c) University of Cambridge 2004
Berkeley DB: Sleepycat Software: Berkeley DB 4.2.52: (December  3, 2003)
Support for: iconv() IPv6 GnuTLS
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configuration file is /var/lib/exim4/config.autogenerated

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages exim4-config depends on:
ii  adduser                     3.59         Add and remove users and groups
ii  debconf [debconf-2.0]       1.4.45       Debian configuration management sy
ii  passwd                      1:4.0.3-30.9 change and administer password and

-- debconf information excluded

-- 
Jay Berkenbilt <ejb@ql.org>

---------------------------------------
Received: (at 296132-done) by bugs.debian.org; 20 Feb 2005 17:58:10 +0000
>From mh+debian-packages@zugschlus.de Sun Feb 20 09:58:10 2005
Return-path: <mh+debian-packages@zugschlus.de>
Received: from 5301d.unt0.torres.l21.ma.zugschlus.de (torres.int.l21.ma.zugschlus.de) [217.151.83.1] (Debian-exim)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1D2vLN-0006XC-00; Sun, 20 Feb 2005 09:58:09 -0800
Received: from lefler.int.l21.ma.zugschlus.de ([192.168.130.38]:38588)
	by torres.int.l21.ma.zugschlus.de with esmtps (TLS-1.0:RSA_AES_256_CBC_SHA:32)
	(Exim 4.50)
	id 1D2vLK-0008L1-8E; Sun, 20 Feb 2005 18:58:06 +0100
Received: from mh by lefler.int.l21.ma.zugschlus.de with local (Exim 4.44)
	id 1D2vLI-0005hS-Vc; Sun, 20 Feb 2005 18:58:04 +0100
Date: Sun, 20 Feb 2005 18:58:04 +0100
From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Jay Berkenbilt <ejb@ql.org>, 296132-done@bugs.debian.org
Cc: Marc Haber <mh+debian-packages@zugschlus.de>
Subject: Re: exim4-config: suggest sender verification in default config
Message-ID: <20050220175804.GA21908@lefler.int.l21.ma.zugschlus.de>
References: <E1D2sFQ-0001xx-SG@soup>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <E1D2sFQ-0001xx-SG@soup>
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: 296132-done@bugs.debian.org

On Sun, Feb 20, 2005 at 09:39:48AM -0500, Jay Berkenbilt wrote:
> Adding this to the default config is trivial.  Just add this line in
> the main section:
> 
> acl_smtp_mail = acl_check_mail
> 
> And this stanza:
> 
> acl_check_mail:
>   accept verify = sender

This is already there, but, however, commented out in the default so
that DNS-less systems do not break. Otoh, it is quite common that
internal systems use illegal senders for status e-mails which we do
not want to reject and therefore lose in the default config.

People wanting sender verification, which is in fact a -very-
effective spam prevention measure, are invited to uncomment the three
lines in /etc/exim4/conf.d/30_exim4-config_check_rcpt.

> in the ACL section.  If this is not always enabled, I'd suggest at
> least making it an option that comes up during debconf

This is a non-option for two reasons: First, exim already asks too
many questions. We just cannot make any option configurable via
debconf. The debconf configuration is geared to make the setup work in
the first place, leaving all fine tuning to an editor on the
respective configuration file. Second, the debconf templates are
translated to 40 languages and we cannot afford to break all of these
translations.

> or possibly just enabling it in any configuration that accepts
> incoming email from the Internet.

That is prone to break if DNS is fragile, and that is just too common
to risk the result by default.

Closing the bug. If you come up with a new idea, please re-open.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
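
The following Exim configuration fragment is an added example. It is not part of either message and is not the Debian package's own configuration. It shows one way to enable sender verification at MAIL time while allowing for the two objections raised in the reply: internal hosts that send status mail with unverifiable senders, and fragile DNS. The hostlist name `internal_status_hosts`, its addresses and the rejection text are assumptions made for illustration.

```exim
# --- main section (before "begin acl") ---

# Hypothetical hostlist: hosts allowed to use unverifiable sender
# addresses, e.g. internal machines sending status mail.
# The addresses are constructed sample values.
hostlist internal_status_hosts = 127.0.0.1 : 10.0.0.0/8

# Run acl_check_mail for every SMTP MAIL FROM command.
acl_smtp_mail = acl_check_mail

# --- ACL section (after "begin acl") ---

acl_check_mail:

  # Skip verification for the internal hosts listed above, so their
  # status mail is not rejected and lost.
  accept hosts = +internal_status_hosts

  # Reject any other sender address that cannot be verified.
  # /defer_ok treats a temporary failure (for example a DNS timeout)
  # as success, so a DNS outage does not stop mail from being
  # accepted. Without /defer_ok the client gets a temporary error
  # and is expected to retry later.
  deny   message = Sender verification failed
         !verify = sender/defer_ok

  # Everything that reaches this point has a verifiable sender
  # (or verification was deferred and let through).
  accept
```

With `/defer_ok`, messages with invalid sender domains are accepted for as long as DNS is unavailable; dropping the option gives stricter filtering, and mail from other hosts is then deferred during a DNS outage.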