Re: [Exim] Blocking incessant relay testers with Exim 4

Author: Philip Hazel
Date:  
To: Dave C.
CC: exim-users
Subject: Re: [Exim] Blocking incessant relay testers with Exim 4
On Mon, 17 Jun 2002, Dave C. wrote:

> > ... then drops the connection. That's all it can do. True "blocking" has
> > to happen before the connection gets to Exim, that is, in a router or in
> > the host's TCP/IP stack, or using TCPWrappers or similar.
>
> Currently, there is no way to do this based on a dnsbl lookup in exim4
> (that I can tell).
>
> How hard would it be to add an "acl_smtp_call" ?
Easy enough, but it doesn't really help. The connection still has to be
made and passed to Exim before it could run such an ACL. This is the
same effect as host_reject_connection.

> Currently, hosts listed in a dnsbl called from acp_rcpt, have the
> opportunity to send a whole ton of RCPT TO's, each one getting a 5xx.
> This takes up lots of resources.
Ah, I see your point; host_reject_connection doesn't allow for dnslist
lookups.

An alternative would be acl_smtp_mail, to operate for MAIL commands.

When I implemented the ACLs, I deliberately implemented what I thought
were the minimum possible number of them, to see how it worked out. Not
providing them for connections and MAIL was intentional. I wanted to
encourage people to reject RCPTs because that's the best way to
discourage clients. Also, that is the point at which you can best
implement exceptions such as "always allow mail to postmaster". If you
reject earlier, you cannot allow these exceptions.

I have put this on the Wish List, but I am still rather wary of
implementing it because it will be easy for people to use
inappropriately.
> Perhaps that above would help cut this down. It could have a sanity
> delay of 5s or so, just to prevent such a host from repeatedly
> connecting too frequently.
The existing ratelimiting on RCPTS could have a similar effect. Does it
use more resources to have one process rejecting RCPTS very, very
slowly, or instead to reject connections (or MAIL) and have the client
keep calling, thus requiring the repeated setup of a new connection and
a new process? I would not be surprised to find the former is "cheaper".

Anybody else have views on this?

--
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
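For readers following the thread, here is an added Exim 4 configuration fragment (not from the message above or from the Exim distribution) showing the approach Philip describes: the DNS blacklist check runs in the RCPT ACL so that a postmaster exception can be accepted first, and the existing per-connection RCPT rate limiting slows a client that keeps sending rejected RCPTs. The list name `black.list.example`, the domain list `+local_domains` and the rate-limit values are placeholders to adapt.

```exim
# Per-connection RCPT rate limiting: after 4 RCPT commands, each further
# RCPT is delayed by 0.25s, growing by a factor of 1.5 up to 4 minutes.
smtp_ratelimit_hosts = *
smtp_ratelimit_rcpt  = 4,0.25s,1.5,4m

# Run ACL checks at RCPT time (the ACL named below is defined after "begin acl").
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Exception first: postmaster at a local domain is always accepted,
  # even from a blacklisted host. This is only possible because the
  # decision is made at RCPT, where the recipient is known.
  accept  local_parts = postmaster
          domains     = +local_domains

  # Then the DNS blacklist check, with the lookup result in the 5xx text.
  deny    message  = rejected: $sender_host_address is listed at $dnslist_domain: $dnslist_text
          dnslists = black.list.example

  # Accept mail for domains we are responsible for; everything else is
  # an attempted relay and is refused.
  accept  domains = +local_domains

  deny    message = relay not permitted
```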