In exim 4 something like:
# Attempt HELO/EHLO name verification for every connecting host.
helo_try_verify_hosts = *
# Run the acl_check_helo ACL when HELO/EHLO is received.
acl_smtp_helo = acl_check_helo
acl_check_helo:
# Reject a HELO/EHLO name that is a bare dotted-quad (four 1-3 digit groups)
# when "verify = helo" does not succeed. As described below, in the shipped
# source the helo ACL runs before the helo_try_verify_hosts check, so the
# author reports this verb does not behave as intended; the patch below moves
# the ACL after that check.
deny message = Faked IP in HELO/EHLO
condition = ${if match{$sender_helo_name}{\N^\d{1,3}(\.\d{1,3}){3}$\N}{yes}{no}}
!verify = helo
does not work, because in src/smtp_in.c the helo_try_verify_hosts verification
is done only after the helo ACL has already run.
Does it make sense to move the ACL check after the helo_try_verify_hosts verification:
--- exim_helo.patch begins here ---
--- src/smtp_in.c.orig Mon Sep 1 12:47:21 2003
+++ src/smtp_in.c Mon Sep 1 12:50:05 2003
@@ -2060,19 +2060,6 @@
break;
}
- /* Apply an ACL check if one is defined */
-
- if (acl_smtp_helo != NULL)
- {
- rc = acl_check(ACL_WHERE_HELO, smtp_data, acl_smtp_helo, &user_msg,
- &log_msg);
- if (rc != OK)
- {
- done = smtp_handle_acl_fail(ACL_WHERE_HELO, rc, user_msg, log_msg);
- break;
- }
- }
-
/* If sender_host_unknown is true, we have got here via the -bs interface,
not called from inetd. Otherwise, we are running an IP connection and the
host address will be set. If the helo name is the primary name of this
@@ -2218,6 +2205,19 @@
HDEBUG(D_all) debug_printf("%s verification failed but host is in "
"helo_try_verify_hosts\n", hello);
}
+ }
+ }
+
+ /* Apply an ACL check if one is defined */
+
+ if (acl_smtp_helo != NULL)
+ {
+ rc = acl_check(ACL_WHERE_HELO, smtp_data, acl_smtp_helo, &user_msg,
+ &log_msg);
+ if (rc != OK)
+ {
+ done = smtp_handle_acl_fail(ACL_WHERE_HELO, rc, user_msg, log_msg);
+ break;
}
}
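Review bot: The moved block keeps its original comment `/* Apply an ACL check if one is defined */`, which no longer records why it now sits after the helo_try_verify_hosts code (lines L40–L49), so the next maintainer has nothing stopping them from moving it back; I would extend it to `/* Apply an ACL check if one is defined. This must run after the helo_try_verify_hosts verification so that "verify = helo" in the ACL can see its result. */`. The two added closing braces at L37–L38 mean the ACL check now runs at a different nesting level than the verification code; since leading whitespace is lost in this listing I cannot confirm the brace structure, so it is worth checking that the block compiles at the intended level and that `break` still leaves the same switch as before. One consequence of the new order to confirm is that any state the verification code sets before the ACL runs (the HELO name having been accepted, the verified flag) is left consistent when the ACL denies, since previously a denial happened before that code ran. The enclosing function starts and ends outside the hunk.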
--- exim_helo.patch ends here ---
Or is there a reason for this order I can't see?
Regards
Oliver