Re: [Exim] helo acl

Author: Wakko Warner
Date:  
To: Richard Welty
CC: exim-users
Subject: Re: [Exim] helo acl
> for some time, i've been mechanically doing all of my acl stuff in the
> recipients check, based on conventional wisdom that 5xx gets listened to
> best after RCPT TO:


I've heard this as well. If there is a host that bangs on my server, I drop
their IP into my firewall.

> i've reconsidered that, based on recent/current events. i've now got the
> following attached to the helo acl, i strongly recommend it:
>
> check_helo:
>   drop    message = HELO/EHLO must contain a Fully Qualified Domain Name
>           hosts  = !+relay_hosts
>           condition = ${if match {$sender_helo_name}{\N^[^.].*\.[^.]+$\N}{no}{yes}}


Good.

>   drop    condition = ${if eq{$sender_ident}{squid}{yes}{no}}
>           message       = we do not accept mail from squid proxies
>   drop    condition = ${if eq{$sender_ident}{CacheFlow Server}{yes}{no}}
>           message       = we do not accept mail from CacheFlow Servers


I'd prefer to put ones like this into the connect acl.
You can merge them by:
condition = ${if match{$sender_ident}{squid|CacheFlow Server}{yes}{no}}
and message = we do not accept mail from open proxies

>   drop    message = host is listed in $dnslist_domain
>           dnslists = cbl.abuseat.org : \
>                      opm.blitzed.org


I'd prefer this in the connect acl also.

> accept
>
> the logic being that these callers are by and large things that aren't
> going to take 5xx for an answer, so why wait? in particular, right this
> instant we're all being pounded by Sobig and this should clear out those
> connections quicker.


Might not be a bad idea to temporarily firewall out anyone who HELOs with a
name that doesn't have a dot (only due to sobig). I've seen tons of
connections from the same host sending sobig.

> i'm sure many are doing this already, but i suspect others might appreciate
> the tip.


I may post my ACLs somewhere. At work, my entire ACL config (one ruleset
may actually take a page because of my formatting) is 900-1000 lines
(including comments) and relies heavily on sql.

--
Lab tests show that use of micro$oft causes cancer in lab animals
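As an added illustration (not code from this thread or from Exim itself), the quoted check_helo ACL re-expressed in Python so the three drop rules, including the merged proxy-ident test from the reply, can be exercised against constructed sessions; the dnslist_hits parameter and all host names are assumptions standing in for Exim's own DNS list lookups and real traffic.

```python
import re
from collections import Counter

# Regex quoted in the thread's check_helo ACL: first character is not a dot and
# the name contains a dot followed by a final label, so it looks like a FQDN.
HELO_FQDN_RE = re.compile(r"^[^.].*\.[^.]+$")

# Merged ident test proposed in the reply. Exim's "match" is an unanchored
# regular expression match, so re.search is the Python equivalent.
PROXY_IDENT_RE = re.compile(r"squid|CacheFlow Server")

def check_helo(helo_name, sender_ident="", is_relay_host=False, dnslist_hits=()):
    """Evaluate the quoted ACL in order; return ("accept", None) or ("drop", message).

    dnslist_hits is an assumption: the caller supplies the names of any DNS
    lists that already returned a hit for the client IP (no DNS is done here).
    """
    # drop  hosts = !+relay_hosts  condition = ${if match {$sender_helo_name}{...}{no}{yes}}
    if not is_relay_host and not HELO_FQDN_RE.search(helo_name or ""):
        return ("drop", "HELO/EHLO must contain a Fully Qualified Domain Name")
    # drop  condition = ${if match{$sender_ident}{squid|CacheFlow Server}{yes}{no}}
    if PROXY_IDENT_RE.search(sender_ident or ""):
        return ("drop", "we do not accept mail from open proxies")
    # drop  dnslists = cbl.abuseat.org : opm.blitzed.org
    if dnslist_hits:
        return ("drop", "host is listed in %s" % dnslist_hits[0])
    return ("accept", None)

# Constructed sample sessions (helo, ident, relay host?, dnslist hits), not real traffic.
SAMPLE_SESSIONS = [
    ("mail.example.org", "", False, ()),
    ("WORKSTATION", "", False, ()),          # bare name with no dot, as the thread describes
    (".example.org", "", False, ()),         # leading dot fails ^[^.]
    ("host.example.org.", "", False, ()),    # trailing dot fails [^.]+$
    ("intranet-relay", "", True, ()),        # relay host: the FQDN rule is skipped
    ("proxy.example.net", "squid", False, ()),
    ("cache.example.net", "CacheFlow Server", False, ()),
    ("mx.example.com", "", False, ("cbl.abuseat.org",)),
]

def summarise(sessions=SAMPLE_SESSIONS):
    """Count how many sample connections each drop message (or accept) accounts for."""
    return Counter(check_helo(*s)[1] or "accept" for s in sessions)

if __name__ == "__main__":
    for helo, ident, relay, hits in SAMPLE_SESSIONS:
        print(helo, "->", check_helo(helo, ident, relay, hits))
    print(summarise())
```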