I’ve got a Debian Etch system running Exim4-daemon-heavy.
The system is open to the internet, but the intention is that it will only receive legitimate mail coming from a spam-filtering service, which runs as a proxy ahead of it. (I can’t just limit access to those IPs though, because I do have some authorized users who relay via my server on port 25. I know I should be using 587 – but currently I’m not.)
The general way this works is:
[Internet] -> [SMTP proxy] -> [My Server]
Unfortunately I’ve got spammers sending mail directly to the mailserver, and ignoring the MX record(s). So it seems like my obvious solution is to either:
- Add a header to each processed message at the SMTP proxy.
- Add a header at my server for each incoming message unless the mail is coming from an authorized relayer. (ie. Somebody who has completed SMTP AUTH.)
That way I could use procmail to just junk messages that came direct, via senders who ignored my MX records.
I’m pretty sure that Exim4 could be coerced into adding a header such as ‘X-Submitter: $ip’ – to record the remote IP which submitted the message, but I’m unsure how that should be done.
Be aware that debian repackages exim in a fairly unique way that makes their packaging and mainetance easier but makes using generic rules sometimes not plug in as smoothly.
The correct way to handle this would be to reject mail that is not authorized and not from the proxy IP. Put something like this in your rcpt ACL: