Re: [Exim] exim HELO ack

Author: Wakko Warner
Date:  
To: Exim Users List
Subject: Re: [Exim] exim HELO ack
> > Actually, you can. How many spammers authenticate to your server?
> > You could put the helo check in the mail/rcpt and if they aren't
> > authenticated, drop them. Of course if you have local users, you exclude
> > them from the check entirely.
> I had considered this as it goes and had even 'cued up' a mail for the
> list on the topic (honest!!) I'd meant to give it more thought first though
> before posting to the list.
>
> I'll grab the postponed mail now, any ideas would be most welcome :)
>
> Ok slightly confusing - this was in reply to a post on exim-users
> entitled 'helo acl':


If you check the helo string in the helo, don't. Put it in the MAIL or RCPT
ACL. It would IMO be better in the MAIL because you can drop them more easily
and not accidentally make yourself an open relay.

Something like:
    accept hosts = +relay_hosts : +helo_exclude_hosts : +other_hosts
    accept authenticated = *
    drop <helo check here>
    accept


> > i've reconsidered that, based on recent/current events. i've now got the
> > following attached to the helo acl, i strongly recommend it:
> >
> > check_helo:


Replace with check_mail or check_rcpt

Add the first 2 accepts listed above

> >   drop    message = HELO/EHLO must contain a Fully Qualified Domain Name
> >           hosts  = !+relay_hosts
> >           condition = ${if match {$sender_helo_name}{\N^[^.].*\.[^.]+$\N}{no}{yes}}
> >   drop    condition = ${if eq{$sender_ident}{squid}{yes}{no}}
> >           message       = we do not accept mail from squid proxies
> >   drop    condition = ${if eq{$sender_ident}{CacheFlow Server}{yes}{no}}
> >           message       = we do not accept mail from CacheFlow Servers
> >   drop    message = host is listed in $dnslist_domain
> >           dnslists = cbl.abuseat.org : \
> >                      opm.blitzed.org
> >   accept
> I had a similar ACL setup on my server for a while until I discovered a
> large number of inbound connections were being rejected.  The main
> points:

>
> - these were OE clients who appear to only use the netbios name as the
> argument to the HELO/EHLO command (ie the argument does not contain
> any period marks)


OE. ick.

> - I have no condition in the ACL to check the host is in a named list
> (such as the 'relay_hosts' named list mentioned in the ACL above)


See above.

> My question then:
> The only users authorized to relay through my server (those for whom I
> would want the EHLO/HELO ACL skipped) are those with login accounts who
> use ASMTP to authenticate prior to relaying. With this in mind can
> anyone suggest a way to check if the user has authenticated and if they
> have then skip the HELO ACL?
>
> For the heck of it the ACL is simply:
>
>   # Warn with bad EHLO/HELO:
>     warn message = "X-Warning: bad helo/ehlo detected - $sender_helo_name"
>         log_message = "Bad EHLO/HELO detected:$sender_helo_name"
>         condition = ${if match {$sender_helo_name}{\\.} {no}{yes}}


That can work too. Just add "!authenticated = *" before the condition.

> - how can I check if a user has NOT authenticated?


See above.

--
Lab tests show that use of micro$oft causes cancer in lab animals
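As an added example, written here and not taken from any post in this thread, this is how the pieces discussed above fit together as a single MAIL-time ACL: exempt relay/local hosts first, then authenticated (ASMTP) sessions, and only then apply the FQDN test to the HELO argument. The named host lists relay_hosts and helo_exclude_hosts are assumed to be defined elsewhere in the configuration.

```exim
# Main section: run the ACL at MAIL FROM rather than at HELO, so that
# "authenticated" has a meaningful value by the time the check is made.
acl_smtp_mail = check_mail

begin acl

check_mail:
  # Hosts we relay for (and any hosts that are known to send a bare
  # NetBIOS name in HELO, such as the OE clients mentioned above) are
  # never subject to the HELO test. Assumed named lists: relay_hosts,
  # helo_exclude_hosts.
  accept  hosts = +relay_hosts : +helo_exclude_hosts

  # Sessions that have authenticated (ASMTP) are exempt as well.
  accept  authenticated = *

  # Everyone else must present a fully qualified domain name: at least
  # one dot, not in the first position, with a non-empty final label.
  drop    message     = HELO/EHLO must contain a Fully Qualified Domain Name
          log_message = Bad EHLO/HELO detected: $sender_helo_name
          condition   = ${if match {$sender_helo_name}{\N^[^.].*\.[^.]+$\N}{no}{yes}}

  accept

# Alternative (wire acl_smtp_mail to this one instead): keep the original
# warn-only behaviour, adding only a header and a log line, but skip it
# for authenticated sessions by negating the authenticated condition.
check_mail_warn:
  accept  hosts = +relay_hosts : +helo_exclude_hosts

  warn    !authenticated = *
          condition   = ${if match {$sender_helo_name}{\N^[^.].*\.[^.]+$\N}{no}{yes}}
          message     = X-Warning: bad helo/ehlo detected - $sender_helo_name
          log_message = Bad EHLO/HELO detected: $sender_helo_name

  accept
```

A rejection is only logged once the sender's MAIL command arrives, so test with an unauthenticated client sending a dotless HELO and confirm that an authenticated session from the same host is accepted.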