RE: [Exim] rejecting based on HELO

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Rick Cooper
Date:  
À: exim-users
Sujet: RE: [Exim] rejecting based on HELO

> -----Original Message-----
> From: exim-users-admin@??? [mailto:exim-users-admin@exim.org]On
> Behalf Of Shane Wegner
> Sent: Thursday, September 04, 2003 11:01 PM
> To: exim-users@???
> Subject: Re: [Exim] rejecting based on HELO
>
>
> On Thu, Sep 04, 2003 at 09:36:00AM +0100, gARetH baBB wrote:
> > I also require at least one dot, there have been several rules
> posted over
> > the past few weeks - unqualified HELOs I regard as invalid.
>
> This is a bit offtopic but I just input a rule to do
> something similar and I have this MS-windows host using
> Outlook XP which is heloing with its hostname (centauri)
> rather than its fully qualified domain name
> (centauri.localnet.cm.nu). Is there a way to tell outlook
> about its fqdn that anyone knows of?
>


You should not see a helo of this type unless it's from a host on your local
net or if it's a local user accessing the mail service from remote (as in
home). If you allow users "off site" access to the mail service you will
find, probably, 100% of them do not use a windows domain at home. In any
event it should be one of your users. The following works here (1st rcpt acl
entry):

#Check for FQDN if not a local host or a local user or at least one "."

deny message = We Require a FQDN as a helo please
hosts = !+local_net
condition = ${if and \
    {\
        {!exists {/virtualuserdirectory/Maildir-$sender_address_local_part}}\
        {!match {$sender_helo_name}{\N^[^.].*\.[^.]+$\N}}\
    }\
    {yes}{no}}


+local_net contains the obvious 127.0.0.1 and our local xxx.xxx.xxx.xxx/25
and the !match passes on our local V-users but bear in mind there are, of
course, many checks below this one and the most important is that all local
users must validate. So if the sender_address_local_part gets a pass here,
and passes all the spam, virus, spoofing, etc it will fail at the
authentication check later on.

The checks for name/address spoofing go in the helo acl section but this one
catches the non FQDN if not a validated local user.

Rick