On Wed, Aug 27, 2003 at 07:27:02AM -0400, Wakko Warner wrote:
> > > Note that:
> > > - at least some Windows machines seem not to send a fqdn in their
> > > HELO string (despite being told both their host and domain names.)
> > OE6 on win2k appears to send the netbios name in the HELO. On reading
> > RFC821 this doesn't appear to break any standard, but then again doesn't
> > exactly adhere to the suggestions made later in RFC2821 either (namely
> > that in the absence of a FQDN the client SHOULD send an address literal
> > which on my reading equates to a dotted quad - IP address???):
>
> It's microsoft, they don't usually follow rfcs. it's not a microsoft
> standard.
>
> > Personally I'm not overwhelmed by spammers or other abusers who misuse the
> > HELO/EHLO command and I can't justify denying or dropping clients based
> > solely on the fact that they don't use a FQDN or even an address literal
> > in their HELO/EHLO - a lot of my users use OE which appears to not adhere
> > to this anyway.
>
> Actually, you can. How many spammers authenticate to your server?
> You could put the helo check in the mail/rcpt and if they aren't
> authenticated, drop them. Of course if you have local users, you exclude
> them from the check entirely.
I had considered this as it goes and had even 'cued up' a mail for the
list on the topic (honest!!) I'd meant to give it more thought first though
before posting to the list.
I'll grab the postponed mail now, any ideas would be most welcome :)
Ok slightly confusing - this was in reply to a post on exim-users
entitled 'helo acl':
On Fri, Aug 22, 2003 at 05:59:52PM -0400, Richard Welty wrote:
> i've reconsidered that, based on recent/current events. i've now got the
> following attached to the helo acl, i strongly recommend it:
>
> check_helo:
> drop message = HELO/EHLO must contain a Fully Qualified Domain Name
> hosts = !+relay_hosts
> condition = ${if match {$sender_helo_name}{\N^[^.].*\.[^.]+$\N}{no}{yes}}
> drop condition = ${if eq{$sender_ident}{squid}{yes}{no}}
> message = we do not accept mail from squid proxies
> drop condition = ${if eq{$sender_ident}{CacheFlow Server}{yes}{no}}
> message = we do not accept mail from CacheFlow Servers
> drop message = host is listed in $dnslist_domain
> dnslists = cbl.abuseat.org : \
> opm.blitzed.org
> accept
I had a similar ACL setup on my server for a while until I discovered a
large number of inbound connections were being rejected. The main
points:
- these were OE clients who appear to only use the netbios name as the
argument to the HELO/EHLO command (ie the argument does not contain
any period marks)
- I have no condition in the ACL to check the host is in a named list
(such as the 'relay_hosts' named list mentioned in the ACL above)
My question then:
The only users authorized to relay through my server (those for whom I
would want the EHLO/HELO ACL skipped) are those with login accounts who
use ASMTP to authenticate prior to relaying. With this in mind can
anyone suggest a way to check if the user has authenticated and if they
have then skip the HELO ACL?
For the heck of it the ACL is simply:
# Warn with bad EHLO/HELO:
warn message = "X-Warning: bad helo/ehlo detected - $sender_helo_name"
log_message = "Bad EHLO/HELO detected:$sender_helo_name"
condition = ${if match {$sender_helo_name}{\\.} {no}{yes}}
blatantly ripped from a post on exim-users :) I subjugated the action
from 'deny' to 'warn' after finding out the problem described above.
Looking at the exim book now I found the 'Checking for SMTP
authentication' section (14.8.15) which indicates a condition
'authenticated' which tests whether an authenticator was used or not:
accept authenticate = *
(where * indicates any authenticator)
- how can I check if a user has NOT authenticated?
Cheers
--
Jez
http://www.munk.nu/
