On Thu, 31 Oct 2002, Scott M. Nolde wrote:
> Matthew Palmer(mjp16@???)@2002.10.31 08:33:43 +0000:
> > On Wed, 30 Oct 2002, Alan J. Flavell wrote:
(nothing that you quoted)
> > Tell them to relay through their ISP's mail servers.
It's easily said, but as a mail admin in our situation, we do have to
apply a certain amount of heuristic compromise in the interests of our
users...
> I've been able to block a lot of stuff coming from domains in HELO I don't
> like (maybe this isn't real HELO blocking,
No, it isn't. Sure, we already use controls based on
envelope-senders, and if we knew in advance that a particular
envelope-sender was a good guy, we could whitelist them.
I was just exploring the options for dealing with senders who hope
to get mail through, despite having a dynamic IP, by means of having
registered with dyndns.org. There are clearly _some_ 'good guys'
there.
Let's not argue over policy in this thread: I'm only exploring what
technical options might be available, _if_ one decided to use them.
Points:
1. the PTR record isn't going to help. There needs to be some other
indication that the sender wants to claim membership of dyndns.org
2. Some senders use an envelope-sender address in *.dyndns.org: this
would be easy to whitelist, even on a wildcard basis if one wished.
Nuff said.
3. Some senders use other envelope-sender addresses, but present a
HELO domain in *.dyndns.org. See below for a possible way of
validating those.
4. Some senders seem to offer no indication that they're using
dyndns.org. Too bad for them.
OK, now about implementing point 3: (this is in exim4)
If we enable helo_try_verify_hosts, this will set the helo verify
condition if (amongst other possibilities) the presented helo name
matches the calling IP. For documentation see
http://www.exim.org/exim-html-4.10/doc/html/spec_13.html#IX802
(third bullet). So in the specific case under discussion - the caller
is coming from an IP currently registered at *.dyndns.org, and they
present that name in their HELO - the helo verify condition gets set.
So an ACL which contains a condition such as
condition = ${if match {$sender_helo_name}{\N\.dyndns\.org$\N}{yes}{no}}
(well, perhaps one should lowercase the $sender_helo_name first?)
would restrict this clause to names of the *.dyndns.org variety, and
then
verify = helo
would seem to complete the ACL, no? This would offer a let-out just
before one would otherwise have rejected on the basis of blacklisted
dynamic-address IP ranges.
I've not actually implemented this in production, but a few recent
incidents have suggested to me that it would be a useful option to
have on hand. So I thought I'd at least tidy the thread up by
mentioning it. I tried it manually with a command of the form
exim -C configure.test -bh a.b.c.d
and it seemed to behave as expected.
Hope it might prove useful to someone (maybe even to us... ;-).
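The ACL logic discussed above, as an added Python example that is not part of the thread or of exim itself: it models the lowercase-then-match clause and a forward-lookup stand-in for exim's verify = helo (only the "HELO name resolves to the calling IP" case, which is one of several ways exim can satisfy that check), run against a constructed resolver table and a constructed dynamic-range blacklist. All function and data names are hypothetical.

```python
import re
import ipaddress
from typing import Callable, Iterable

# Names of the *.dyndns.org variety; applied to the lowercased HELO name.
DYNDNS_HELO = re.compile(r"\.dyndns\.org$")

# Constructed blacklist of "dynamic address" ranges (documentation range).
DYNAMIC_RANGES = [ipaddress.ip_network("10.20.0.0/16")]

def helo_verify(helo_name: str, sender_ip: str,
                resolve: Callable[[str], Iterable[str]]) -> bool:
    """Stand-in for the forward-lookup part of exim's helo verification:
    the presented name must resolve to the IP the caller connected from."""
    try:
        addrs = set(resolve(helo_name))
    except Exception:          # lookup failure counts as "not verified"
        return False
    return sender_ip in addrs

def dyndns_letout(helo_name: str, sender_ip: str, resolve) -> bool:
    """The clause from the post: restrict to *.dyndns.org names, then
    require helo verification. Lowercasing first avoids a case mismatch."""
    name = helo_name.strip().lower()
    if not DYNDNS_HELO.search(name):
        return False
    return helo_verify(name, sender_ip, resolve)

def acl_decision(helo_name: str, sender_ip: str, resolve) -> str:
    """Let-out placed just before the dynamic-range reject would fire."""
    if dyndns_letout(helo_name, sender_ip, resolve):
        return "accept"        # verified dyndns host: skip the range check
    ip = ipaddress.ip_address(sender_ip)
    if any(ip in net for net in DYNAMIC_RANGES):
        return "deny"          # unverified caller from a blacklisted range
    return "accept"

# Constructed DNS answers standing in for real A-record lookups.
FAKE_DNS = {
    "goodguy.dyndns.org": ["10.20.1.5"],   # registered, matches its caller
    "faker.dyndns.org": ["192.0.2.9"],     # registered to someone else
}

def fake_resolve(name: str):
    return FAKE_DNS.get(name, [])
```

The "faker" case shows why the forward lookup matters: merely presenting a *.dyndns.org name does not earn the let-out unless that name actually points at the connecting address.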