Hello,
The server hosts two mail domains, example.com and test.net.
When accessing SMTP from one domain to another, an error is obtained:
2023-01-24 10:42:07 H=smtp.mail.com [xx.xx.xxx.xx] X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no F=<not@example.com> rejected RCPT <info@test.net>: smtp auth required
This happens because of this policy:
deny message = smtp auth required
     sender_domains = +local_domains
     !authenticated = *
If we change this policy:
deny message = smtp auth required
     sender_domains = !+local_domains
     !authenticated = *
Then mail works and example.com can send mail to test.net.
But I don’t understand the meaning of this policy.
Does changing this policy make the server vulnerable from the outside, or does it only affect the behavior of the server’s mail domains?
On the forum I found a post saying that this will result in an open relay.
On the server, mail goes between domains.
It turns out that the letter is sent from another mail server with a different email address, but [email protected] is substituted in the header. Such a letter should go to the [email protected] mailbox. But it does not get there, since the policy from my first post prohibits it.
So I want to understand how this policy works:
deny message = smtp auth required
     sender_domains = +local_domains
     !authenticated = *
and what can threaten the server if it is changed to:
deny message = smtp auth required
     sender_domains = !+local_domains
     !authenticated = *
I’m also not having any problems sending mail between local domains on the same machine.
The config lines you mention come in the acl_check_rcpt block. I wonder where exim thinks it's sending things. Try “exim -bt [email protected]” and it will tell you what it's trying to do. There may be a clue.
In the headers of the letter I see the following information:
Received: from smtp.mail.com ([xx.xx.xxx.xx])
    by test.net with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
    (Exim 4.90_1)
    (envelope-from <not@example.com>)
    id 1pIZ9b-jse13x8-1z
    for info@test.net; Thu, 19 Jan 2023 20:56:47 +0300
To: info@test.net
Address spoofing envelope-from <not@example.com>
but these are all legitimate servers and such a substitution is necessary.
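
Added example (not part of any post above and not Exim's own code): a small Python model of how the two stanzas quoted in the thread are evaluated, based on Exim's rule that a verb applies only when every condition in the statement is true. The sessions and the sender alice@outside.example are constructed, and LOCAL_DOMAINS assumes the two hosted domains named in the first post.

```python
# Added illustration: a minimal model of how Exim evaluates the thread's two stanzas.
LOCAL_DOMAINS = {"example.com", "test.net"}  # assumption: the two hosted domains

ORIGINAL = """deny message = smtp auth required
     sender_domains = +local_domains
     !authenticated = *"""
MODIFIED = ORIGINAL.replace("= +local_domains", "= !+local_domains")

def parse_stanza(text):
    """Return (verb, [(negated, name, argument)]); the 'message' modifier is skipped."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    verb, first = lines[0].split(None, 1)
    conditions = []
    for item in [first] + lines[1:]:
        name, arg = (part.strip() for part in item.split("=", 1))
        if name != "message":
            conditions.append((name.startswith("!"), name.lstrip("!"), arg))
    return verb, conditions

def condition_true(name, arg, session):
    if name == "sender_domains":
        domain = session["mail_from"].rpartition("@")[2].lower()
        in_list = domain in LOCAL_DOMAINS
        # "!" in front of the list item inverts the list match
        return not in_list if arg.startswith("!") else in_list
    if name == "authenticated":
        return session["authenticated"]  # "= *" accepts any authenticator
    raise ValueError(f"condition not modelled: {name}")

def stanza_denies(text, session):
    """The verb fires only if every condition holds ("!" before a name negates it).
    False means this stanza did not match and the ACL continues with its next
    statement; it does not mean the message is accepted."""
    verb, conditions = parse_stanza(text)
    return verb == "deny" and all(
        condition_true(name, arg, session) != negated
        for negated, name, arg in conditions)

# Constructed SMTP sessions (not taken from the thread's logs).
SESSIONS = {
    "unauthenticated, local sender": {"mail_from": "not@example.com", "authenticated": False},
    "unauthenticated, outside sender": {"mail_from": "alice@outside.example", "authenticated": False},
    "authenticated, local sender": {"mail_from": "not@example.com", "authenticated": True},
}

def compare():
    return {label: (stanza_denies(ORIGINAL, s), stanza_denies(MODIFIED, s))
            for label, s in SESSIONS.items()}

if __name__ == "__main__":
    for label, (orig, mod) in compare().items():
        print(f"{label:34} original denies={orig}  modified denies={mod}")
```

In this model the original stanza stops unauthenticated mail whose envelope sender claims a local domain, while the modified stanza lets that case fall through to the later ACL statements and instead stops unauthenticated mail from outside senders.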