1

Recently I'm receiving (a lot of) spam with "mail from:" from legitimate users (on my server) but a different "Return path". This should not happen for our users, that is, mail received for myuser@mydomain.com should allways have an equal return path "myuser@mydomain.com".

I need to setup an exim4 filter rule that checks for "@mydomain.com" and then checks for the sender email address is the return path. If different, the email should be rejected.

I know there are situations this can be a legitimate use (like using gmail) but these are not allowed by our policy.

Can someone give me a hint where/how to implement this rule?

Thanks

Miguel
  • 13
  • 3

1 Answers1

1

Take a look at exim filters. Basically you need something like (UNTESTED and not sure of the syntax):

if $header_from: contains "@mydomain.com" and $reply_address is not $header_from:
then
    fail 
    seen finish
endif

You can provide a meaningful reject message next to fail as in fail test "some message".

Daniele Santi
  • 2,479
  • 1
  • 25
  • 22
  • Thanks, but I was under the impression that this is only for individual user use, like a file in the user's home directory. Is there a way to set it globally? That would be perfect, because then I could test it on a test user. – Miguel Sep 15 '11 at 12:40
  • @Miguel Sure there is! Search for `system_filter=` in your exim configuration. I have in my cPanel installations: `system_filter=/etc/exim_filter`. – Daniele Santi Sep 15 '11 at 12:55
  • Thanks! That seems to be it, I don't actually have that entry on any file on my `/etc/exim4`. In which file do you have that? is it `sa-exim.conf` (/etc/exim4/sa-exim.conf) ? – Miguel Sep 15 '11 at 13:13
  • @Muguel Seems like you have a *splitted configuration*. Is it a Debian distro? I use exim with cPanel under CentOS so i have only a big `/etc/exim4.conf`. I have the options near the top, probably `/etc/exim4/conf.d/main/02_exim4-config_options` will do. – Daniele Santi Sep 15 '11 at 13:38
  • Yes, it's a split conf, under debian. I will test this, I do have that file. Thanks! – Miguel Sep 15 '11 at 13:43