Re: [Exim] forged HELO/EHLO addresses

Author: Sheldon Hearn
Date:  
To: Tim Jackson
CC: exim-users
Subject: Re: [Exim] forged HELO/EHLO addresses
On (2003/11/12 11:17), Tim Jackson wrote:

> > How do you allow underscores in the HELO check ?
>
> helo_accept_junk_hosts or helo_allow_chars
>
> But please don't use them indiscriminately, because not only will you get
> more junk, you'll encourage the people with misconfigured MTAs to believe
> that they're in the right.
>
> Much better to tell them to go change their DNS hostname to something
> sensible. If they're an Exchange-using idiot, then they will probably moan
> that changing their NetBIOS name will break everything else - however, my
> (non-authoritative) understanding is that it is possible to change the
> Internet hostname independently of the NetBIOS name on Windoze.


As usual, Exim allows you to have your cake and eat it too. :-)

I have this in my Exim configure file:

# In main:
acl_smtp_helo = check_helo
helo_allow_chars = _

# In acls:
check_helo:
  #
  # Deny illegal helo arguments from hosts whose operators haven't
  # contacted us and asked us to work around their problematic
  # configurations.
  #
  deny  message         = syntactically invalid argument(s): $sender_helo_name
        condition       = \
          ${if \
            and { \
              { match {$sender_helo_name}{_} } \
              { \
                !eq \
                  {${lookup{${lc:$sender_helo_name}} \
                      lsearch{/usr/local/etc/exim/broken_helo_hosts} \
                      {yes}{no} \
                    }} \
                  {yes} \
              } \
            } \
            {true} \
          }
  #
  accept



This means that folks with broken MTAs will, by default, get rejected.
Often, these folks are customers or vendors. When they make contact,
I explain the problem. Usually, renaming an Exchange server requires
more work than they can manage, so I add their broken HELO name to the
broken_helo_hosts file until they can fix the problem.

So you have education taking place, but not at an indefinite cost to
business.

Ciao,
Sheldon.
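
The decision made by the check_helo ACL above, as an added example that is not part of the original message: a Python dry run that reads an exception file with one key per line, as an lsearch lookup expects, and reports which HELO names would be denied. The host names and file contents are constructed, the parser is simplified (no quoted keys), and lowercasing both sides of the comparison is a modelling assumption.

```python
import io
import re

def load_exceptions(fileobj):
    """Collect keys from an lsearch-style file.

    Simplified parser: blank lines and '#' comment lines are skipped,
    lines starting with whitespace are treated as continuation data,
    and a key ends at the first colon or whitespace.
    """
    keys = set()
    for line in fileobj:
        if not line.strip() or line.startswith("#") or line[0] in " \t":
            continue
        m = re.match(r"[^\s:]+", line)
        if m:
            # Assumption: compare in lowercase, matching the ${lc:...} in the ACL.
            keys.add(m.group(0).lower())
    return keys

def check_helo(helo_name, exceptions):
    """Mirror the ACL: deny only if the name contains '_' and is not listed."""
    if "_" in helo_name and helo_name.lower() not in exceptions:
        return "deny"
    return "accept"

def dry_run(helo_names, exceptions):
    """Map each HELO name to the verdict the ACL would give it."""
    return {name: check_helo(name, exceptions) for name in helo_names}

# Constructed sample exception file and HELO names (not from the message).
SAMPLE_FILE = """\
# temporary exceptions, remove once the remote side is fixed
mail_gw.customer.example
EXCH_01.vendor.example: renaming in progress
"""
SAMPLE_HELOS = [
    "mail.example.org",          # no underscore: never consults the file
    "MAIL_GW.customer.example",  # listed, differs only in case
    "exch_01.vendor.example",    # listed with trailing data after the key
    "new_box.other.example",     # underscore and not listed
]

if __name__ == "__main__":
    exceptions = load_exceptions(io.StringIO(SAMPLE_FILE))
    for name, verdict in dry_run(SAMPLE_HELOS, exceptions).items():
        print(f"{verdict:6} {name}")
```

Keeping the entries in the exception file in lowercase means the result does not depend on how the lookup treats case.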