Q5023 - Exim/exim GitHub Wiki
Why does Exim do ident callbacks by default? Isn't this just a waste of resources? I've been told this is an ancient way of authentication. Is it obsolete?
This is a common misunderstanding, at least partially resulting from the
incorrect naming of the protocol when it was first published. The
service on port 113 is an identification service, which allows a target
host to record information identifying the user responsible for making a
connection to it. The information may not be intelligible to the
recording host - it could, for example, be encrypted so that only
someone on the calling host can make sense of it. It is useful for
providing additional information in an audit trail. At least one site
has found ident effective against two rather prevalent kinds of open
proxy (whether already blacklisted at the RBLs or not). An ACL statement
is used to reject mail from servers that return ident strings of
squid
and CacheFlow Server
. Snippets such as this in the RCPT ACL do
the trick:
deny condition = ${if eq{$sender_ident}{CacheFlow Server}{1}{0}}
message = Rejected - appears to be an unsecured proxy: $sender_ident
The likelihood that a genuine mail process would return those specific ident strings is vanishingly small. The ident data should not be used for authentication in any form except on a closed secure network between cooperating hosts (probably not even then). The information from the source host is only as reliable as the host itself. If it's not under your control then you have to treat the information as opaque data that can be used only by the sysadmin of the source system to trace back connection data. Some ident implementations send out opaque cookies or DES encrypted information. Ident is hugely useful at times - especially for checking back on connections from multiuser machines (as opposed to one-person desktop boxes). You can stop Exim making ident calls by adding
rfc1413_query_timeout = 0s
to its configuration, but it is better to leave it active (reducing the timeout to 10s or less if it is causing problems) - it costs very little, and in cases of mail forgery from a multiuser system can track the sinner concerned very quickly.