[Exim] Limited EHLO/HELO checking receipee

Top Page
Delete this message
Reply to this message
Author: Marc MERLIN
Date:  
To: exim-users
Subject: [Exim] Limited EHLO/HELO checking receipee
In case this is useful to someone:

Unless I'm mistaken, exim's only helo/ehlo check is the full RFC check
(check given hostname vs hostname retrieved via a reverse lookup on the IP)

While it's indeed against the RFC's intent (although not spelled out), there
are reasons why you can get hostnames given in HELO that do not resolve on
the internet (host behind NAT) or that don't match the host that connected
to you (load balancing SMTP servers that helo as a domain but reverse to
their individual hostnames, although I'll agree that one is shaky)

Anyway, the point being that full ehlo checking will reject a fair amount of
legitimate Email.
You can however do a limited check, which will get rid of all the bogus non
domain values that virii and other junk senders give you for HELO

Here's that I wrote:

acl_check_rcpt:
  deny  message   = "HELO/EHLO required by SMTP RFC"
        condition = ${if eq{$sender_helo_name}{}{yes}{no}}


  deny  message   = "Invalid domain or IP given in HELO/EHLO"
       !condition = ${if match{$sender_helo_name}{\\\.}{yes}{no}}



Feel free to reuse

Cheers,
Marc
--
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking


Home page: http://marc.merlins.org/ | Finger marc_f@??? for PGP key