On Thu, 18 Sep 2003, Robert Kehl wrote:
> From: "Christoph Kliemt" <christoph.kliemt@???>
> > Is there a way to make exim 4 accept a smtp-session only if it
> > starts with HELO/EHLO from the client?
This _has_ been discussed and answers shown before. [hint: mail
archive]
> You might want to use the ACL for HELO or EHLO called 'acl_smtp_helo'.
Hang on, how is the HELO ACL supposed to be invoked when there is no
HELO? Oh, alright, I see what you're aiming at...
> > Pointer to the relevant parts of the docs will be enough. :-)
>
> ACLs are explained in the specs, chapter #37.
>
> In short: Set an ACL variable in acl_smtp_helo, and refer to it in
> acl_smtp_mail - if it's not set, you may quit the session as there was
> no ehlo/helo.
The best time to reject (in the sense of the fewest misbehaved
senders) is in the RCPT ACL - e.g we do this in that ACL:
deny condition = ${if \
or{{!def:sender_helo_name}{eq{$sender_helo_name}{}}}{yes}{no}}
message = RFCs mandate HELO/EHLO before mail can be sent.
In the main configuration we've got helo_try_verify_hosts defined
(namely to exclude local addresses from the checks), and we set
helo_accept_junk_hosts = *
That might be considered an older way of doing what could now be done
in a HELO ACL. At any rate it means that various kinds of broken HELO
are picked up at HELO time - but don't cause rejection at that point,
which can cause some kinds of sender to keep retrying, or going off
and hassling the backup MX.
Then we can apply various rejection policies at RCPT time. This
causes most refused senders to go away (still a few go and hassle our
backup mx, ho hum...)
cheers
