
Enable DMARC support on exim

Héctor Luaces shared this idea 4 years ago
Open Discussion

As a cPanel web-hosting provider I would like cPanel's Exim binary to be compiled with DMARC support, so that there's a way to properly enforce stricter DMARC policies on inbound mail.

As of v90, Exim is compiled without DMARC support:

# exim -bV|fgrep -i support
2020-10-29 11:41:15 cwd=/root 2 args: exim -bV
Support for: crypteq iconv() IPv6 PAM Perl OpenSSL Content_Scanning DANE DKIM DNSSEC Event I18N OCSP PRDR SPF Experimental_SRS

This stops us from using Exim's DMARC validation capabilities [1] to prevent users with a "reject" DMARC policy from receiving mails which fail SPF or DKIM alignment checks. This means that spoofed mails that use their own domains on the "From:" header while keeping the "MailFrom:" on a remote address to bypass auth checks are not actually being rejected.

This is an attack vector that can be (and is being [2]) exploited to launch phishing campaigns against users of a domain impersonating someone from their own domain.

Ideally this should be handled entirely by WHM with a new set of options, but simply adding the DMARC support for Exim would be enough to allow us to set up custom ACLs [3] in order to properly enforce inbound DMARC. This would stop this kind of phishing attempt altogether by rejecting the incoming mail which is not passing alignment checks.

----

[1]: See section 5 of https://www.exim.org/exim-html-current/doc/html/spec_html/ch-dkim_spf_and_dmarc.html

[2]: As per our own experience, where we detect plenty of phishing attempts using our customers' own domains.

[3]: an example of such ACLs can be found on [1]
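
The alignment check the request above depends on, as an added example that is not part of the original post and is not Exim's or cPanel's code: it shows why an SPF pass for a remote "MailFrom:" domain does not authenticate the "From:" header. The domains, the Message class and the two-label org_domain() shortcut are assumptions made for illustration (real validators use the Public Suffix List).

```python
# Added illustration of DMARC identifier alignment (RFC 7489).
# All domains and authentication results below are constructed sample data.
from dataclasses import dataclass, field

def org_domain(domain: str) -> str:
    """Naive organizational domain: the last two labels.
    Assumption: a real validator consults the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, strict: bool = False) -> bool:
    """Strict mode needs an exact match; relaxed mode compares org domains."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)

@dataclass
class Message:
    header_from: str   # domain in the "From:" header
    mail_from: str     # envelope sender ("MailFrom:") domain
    spf_pass: bool     # SPF result for mail_from
    dkim_pass_domains: list = field(default_factory=list)  # d= of valid signatures

def dmarc_evaluate(msg, policy, aspf_strict=False, adkim_strict=False):
    """Return (passed, action). DMARC passes only if SPF or DKIM both
    passes and aligns with header_from; otherwise the published policy
    of the From: domain decides the action."""
    spf_ok = msg.spf_pass and aligned(msg.header_from, msg.mail_from, aspf_strict)
    dkim_ok = any(aligned(msg.header_from, d, adkim_strict)
                  for d in msg.dkim_pass_domains)
    if spf_ok or dkim_ok:
        return True, "deliver"
    return False, {"none": "deliver", "quarantine": "quarantine",
                   "reject": "reject"}[policy]

# Constructed cases: a spoof with a passing but unaligned SPF result,
# genuine mail from a subdomain, and forwarded mail kept valid by DKIM.
SPOOFED = Message("customer.example", "bulk.sender.test", spf_pass=True)
GENUINE = Message("customer.example", "bounce.customer.example", spf_pass=True)
FORWARDED = Message("customer.example", "list.forwarder.test", spf_pass=True,
                    dkim_pass_domains=["customer.example"])

if __name__ == "__main__":
    for name, m in [("spoofed", SPOOFED), ("genuine", GENUINE),
                    ("forwarded", FORWARDED)]:
        print(name, dmarc_evaluate(m, policy="reject"))
```

Without DMARC support in the receiving MTA, the spoofed case is judged on its SPF pass alone and is delivered; with it, the same message yields a "reject" action.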
