Exim4 Outbound IP address based on web domain IP

I have a server with 5 IPs and a lot of domains hosted in the panel. The domains are equally distributed among the available IPs.
I am trying to create a function in the exim4 config to allow the usage of the web domain IP as the outbound interface IP. That way, if a domain is infected and starts to send spam, when the IP is added to a blacklist it will only affect the other domains allocated to that IP, leaving the rest of the domains untouched. It's like a way to minimize the impact of an email spam attack. Of course I also have a few extra rules to avoid a hack, but no rule is 100% effective regarding hackers.
What do you think about it?
Do you have any hint on how to achieve that?

Thanks for the amazing work you are doing!!

1 Like

Just in case someone needs this functionality. This is how I resolved it:

I made the following script that creates a file with a domain: IP mapping:

#!/bin/bash -l

DEFAULT_IP=178.238.238.233
EXIM_DOMAIN_IPS_FILE=/etc/exim4/domainips
HESTIA_USERS_DATA_DIR=/usr/local/hestia/data/users

# Build the list in a temp file and move it into place at the end, so Exim
# never reads a half-written file while the cron job is running.
TMP_FILE=$(mktemp "$EXIM_DOMAIN_IPS_FILE.XXXXXX")

# First the default ip (the "*" key is what the lsearch* lookup falls back to)
echo "*: $DEFAULT_IP" > "$TMP_FILE"

# Then search for web domains and extract the ip.
# Each line of web.conf describes one domain as KEY='value' pairs; the line is
# evaluated in a subshell so DOMAIN/IP do not leak from one domain to the next.
for USER_DATA_DIR in "$HESTIA_USERS_DATA_DIR"/*
do
  [ -f "$USER_DATA_DIR/web.conf" ] || continue
  while IFS="" read -r line || [ -n "$line" ]
  do
    (
      eval "$line"
      [ -n "$DOMAIN" ] && [ -n "$IP" ] && echo "$DOMAIN: $IP"
    )
  done < "$USER_DATA_DIR/web.conf" >> "$TMP_FILE"
done

chmod 644 "$TMP_FILE"
mv "$TMP_FILE" "$EXIM_DOMAIN_IPS_FILE"

And then in the exim conf file, under transports:

remote_smtp:
  driver = smtp
  helo_data = mail.${sender_address_domain}
  dkim_domain = DKIM_DOMAIN
  dkim_selector = mail
  dkim_private_key = DKIM_PRIVATE_KEY
  dkim_canon = relaxed
  dkim_strict = 0
  # lsearch* returns the IP of the "*" line when the sender domain has no entry of its own
  interface = "${lookup{$sender_address_domain}lsearch*{/etc/exim4/domainips}{$value}}"

Then I configure a cron job to run this script every 5 min to keep the list up to date.

3 Likes
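Added here as an example (not from the thread and not Hestia's own code): a shell script that emulates the lsearch* lookup on the domain: IP file and checks that every address in it is actually configured on the host, so a stale or mistyped default does not leave Exim unable to bind the outbound interface and deferring mail. It assumes the file format the cron script above writes; the sample addresses are constructed.

```shell
# Added example, not from the thread: emulate Exim's lsearch* lookup on the
# domain-to-IP file and sanity-check the file before Exim uses it.
# Constructed sample in the format the cron script writes (hypothetical IPs).
SAMPLE_MAP='*: 203.0.113.10
example.com: 203.0.113.11
shop.example.net: 203.0.113.12'

trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'; }

# lookup_interface <sender_domain> <mapfile>
# Exact key match wins (lsearch compares keys case-insensitively);
# otherwise the "*" line is returned; exit status 1 if neither exists.
lookup_interface() {
  local domain key value found='' default=''
  domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac
    key=$(trim "${line%%:*}" | tr 'A-Z' 'a-z')
    value=$(trim "${line#*:}")
    if [ "$key" = "$domain" ]; then found=$value; break
    elif [ "$key" = '*' ]; then default=$value; fi
  done < "$2"
  [ -n "$found" ] && { printf '%s\n' "$found"; return 0; }
  [ -n "$default" ] && { printf '%s\n' "$default"; return 0; }
  return 1
}

# check_map <mapfile> "<ip> <ip> ..."
# Flags lines whose IP is not one of the host's addresses (e.g. a stale
# hard-coded default): Exim cannot bind such an interface and defers the mail.
check_map() {
  local host_ips=" $2 " rc=0 value
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac
    value=$(trim "${line#*:}")
    case $host_ips in
      *" $value "*) ;;
      *) echo "not a local address: $line"; rc=1 ;;
    esac
  done < "$1"
  return $rc
}

# Usage: query the constructed sample and compare it with this host's addresses.
sample_file=$(mktemp)
printf '%s\n' "$SAMPLE_MAP" > "$sample_file"
lookup_interface example.com "$sample_file"   # 203.0.113.11
lookup_interface other.org "$sample_file"     # 203.0.113.10 (the "*" default)
check_map "$sample_file" "$(hostname -I 2>/dev/null)" || echo "fix the mapping before Exim reads it"
rm -f "$sample_file"
```

Run it against the real /etc/exim4/domainips in place of the sample to spot domains that would resolve to the default or to an address the host no longer owns.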

Hi @ramirojoaquin

Welcome to the hestia board and thanks for sharing your script! I’m sorry for the delayed answer.

I’ll check it with our devs; if you allow, we could maybe implement it directly in hestia.

1 Like

+1

A mapping like this as default, if there are multiple IPs on the system, totally makes sense. I guess if implemented directly with the mail-stack, there should be no need for a cron-script at all :wink:

I am glad to help! Of course I allow. It would be very nice to have that feature in Hestia core.
Thanks for the good work!

1 Like

Excellent thank you!

I suggest
# First the default ip (first address reported by hostname -I)
hostname -I | { read default others ; echo "*: $default"; } > "$EXIM_DOMAIN_IPS_FILE"
to avoid a hardcoded IP in the script.

1 Like

This feature was added to master and will be available in the next version.

1 Like