HOWTO - Preventing Relaying

Many people want to get a free ride from your system by using it for relaying their mail. This can be due to them being corrupt and wishing to let you take the rap for relaying their junk, or them being lazy and unable to make their own systems work. In any case this is a theft of service and needs to be stopped.

Exim v4.x Relay Control

Exim v4.x has completely different and considerably more flexible mail policy controls than earlier versions. The documentation is also considerably more complete, and the default configuration file has a well-commented section on relay control (in the RCPT TO ACL). You should instead read the specification section on Access Control Lists.
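As an added illustration (not part of the original note, and not a copy of the shipped default file), here is a fragment showing only the relay-related parts of an Exim 4 configuration, with the Exim 3 option each list corresponds to. The list names follow the convention of the Exim 4 default configuration; the ACL is reduced to the relay decision, and the 192.168.0.0/16 network in the commented-out line is a constructed value.

```exim
# ---- main configuration section ----
# Note: Exim only treats a line as a comment when it starts with '#',
# so every comment here is on its own line.

# Role of Exim 3 local_domains: only domains that really are local.
# '@' means the primary host name of this machine.
domainlist local_domains    = @

# Role of Exim 3 relay_domains: domains relayed for anyone,
# for example domains this host is backup MX for. Empty on a workstation.
domainlist relay_to_domains =

# Role of Exim 3 host_accept_relay: hosts allowed to relay to anywhere.
hostlist   relay_from_hosts = 127.0.0.1

# Too wide (constructed example): any open or compromised machine in the
# range can then relay through this server.
# hostlist relay_from_hosts = 127.0.0.1 : 192.168.0.0/16

# Run the ACL below for every RCPT TO command.
acl_smtp_rcpt = acl_check_rcpt

# ---- ACL section ----
begin acl

acl_check_rcpt:

  # Delivery to a local domain is not relaying, so any sender may do it.
  accept  domains = +local_domains

  # Domains we have agreed to relay for.
  accept  domains = +relay_to_domains

  # Trusted hosts may send to any domain.
  accept  hosts   = +relay_from_hosts

  # Everything else is an attempt to relay.
  deny    message = relay not permitted
```

Statements in an ACL are tried in order and the first one whose conditions match decides the outcome, so the final deny is what closes the relay. The default configuration file adds recipient verification and other checks around these statements.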

Exim v3.x Relay Configuration Options

These are fully detailed in the Exim Specification Document. The specific section on relaying is here

  1. Firstly you need to specify the local mail domains as tightly as possible. local_domains should only cover domains that really are local. This matters because Exim allows any sender to mail to these domains (since you have told Exim those domains are local, you are not actually relaying by sending to them).
  2. Any domains that are not finally handled by the local Exim, but can legitimately be relayed through (i.e. domains you act as backup MX for), should be specified in relay_domains. A shortcut for doing this is setting relay_domains_include_local_mx; this can be used to abuse your mail server by adding MXes pointing at you, but it raises the bar so much higher that it is normally good enough.
  3. You probably want to be able to relay out from local machines on the same network - be careful here since any open machine on your network could be used to do unauthorised relaying. The control of hosts that can relay is done with the host_accept_relay option.

The standard settings for a workstation, allowing relaying through the loopback (since packages such as MH post mail this way), would be:-

relay_domains =
no_relay_domains_include_local_mx
no_relay_match_host_or_sender
host_accept_relay = 127.0.0.1/8

These are actually the default settings, other than that for host_accept_relay.

The information to do more complicated manipulations can be found in the specification document and is outside the scope of this note.


Nigel Metheringham
