Enable DMARC support on exim
As a cPanel web-hosting provider I would like cPanel's Exim binary to be compiled with DMARC support, so that there's a way to properly enforce stricter DMARC policies on inbound mail.
As of v90, Exim is compiled without DMARC support:
    # exim -bV|fgrep -i support
    2020-10-29 11:41:15 cwd=/root 2 args: exim -bV
    Support for: crypteq iconv() IPv6 PAM Perl OpenSSL Content_Scanning DANE DKIM DNSSEC Event I18N OCSP PRDR SPF Experimental_SRS

This stops us from using Exim's DMARC validation capabilities [1] to prevent users with a "reject" DMARC policy from receiving mails which fail SPF or DKIM alignment checks. This means that spoofed mails that use their own domains on the "From:" header while keeping the "MailFrom:" on a remote address to bypass auth checks are not actually being rejected.
This is an attack vector that can be (and is being [2]) exploited to launch phishing campaigns against users of a domain impersonating someone from their own domain.
Ideally this should be handled entirely by WHM with a new set of options, but simply adding the DMARC support for Exim would be enough to allow us to set up custom ACLs [3] in order to properly enforce inbound DMARC. This would stop this kind of phishing attempt altogether by rejecting the incoming mail which is not passing alignment checks.
----
[1]: See section 5 of https://www.exim.org/exim-html-current/doc/html/spec_html/ch-dkim_spf_and_dmarc.html
[2]: as per our own experience, where we detect plenty of phishing attempts using our customer's own domains.
[3]: an example of such ACLs can be found on [1]
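
The alignment check that the request above relies on, as an added Python illustration that is not part of the original post and is not Exim or cPanel code. It assumes the organizational domain is the last two labels of a name (real validators use the Public Suffix List); all domains and function names are constructed for the example.

```python
# Added illustration of DMARC identifier alignment (RFC 7489), simplified.
# Assumption: organizational domain = last two labels; production
# validators consult the Public Suffix List instead.

def org_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """Strict mode needs an exact match; relaxed compares organizational domains."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_disposition(from_domain, policy, spf_pass, mailfrom_domain,
                      dkim_pass_domains, aspf_strict=False, adkim_strict=False):
    """Return 'accept' if SPF or DKIM both passes AND aligns with the
    From: header domain; otherwise return what the published policy asks for."""
    spf_ok = spf_pass and aligned(mailfrom_domain, from_domain, aspf_strict)
    dkim_ok = any(aligned(d, from_domain, adkim_strict)
                  for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "accept"
    return policy if policy in ("reject", "quarantine") else "none"

# Constructed sample messages. customer.example publishes p=reject.
SPOOFED = dict(from_domain="customer.example", policy="reject",
               spf_pass=True,                      # SPF passes for the envelope...
               mailfrom_domain="bulk-sender.example",  # ...but on a remote domain
               dkim_pass_domains=["bulk-sender.example"])
LEGIT = dict(from_domain="customer.example", policy="reject",
             spf_pass=True, mailfrom_domain="bounce.customer.example",
             dkim_pass_domains=["customer.example"])

if __name__ == "__main__":
    for name, msg in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, "->", dmarc_disposition(**msg))
```

The spoofed message passes plain SPF and DKIM checks because both authenticate the remote domain; only the alignment step ties those results to the "From:" header and yields a reject.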