Richard Welty wrote:
> well, I installed one of the recommended forgery protection ACLs,
> only to get the following:
>
> 2003-12-09 07:10:02 H=[64.4.47.24] temporarily rejected EHLO or HELO hotmail.com: Access temporarily denied. Resolve failed PTR for 64.4.47.24
[...]
> which would be fine, except that 64.4.0.0/18 does actually belong
> to hotmail according to whois records.
>
> so for those who have used these ACLs for a while, is this config
> blowing off legit hotmail users, or is it OK to ignore email from
> hotmail IPs w/o rDNS?
your resolver couldn't get a PTR record for 64.4.47.24,
so the client got a 4xx error.
try this:
# Check certain HELOs against what their hostname is supposed to be.
# acl_m9 carries the state through the chain: the expected name suffix,
# "skip" for clients excused by skip-helo-check, or empty.

# 1. Is the client in a network listed in skip-helo-check?
warn  set acl_m9 = ${perl{lnetsearch}{$sender_host_address}\
                         {/usr/local/exim/skip-helo-check}\
                   }

# 2. If so, and its HELO ends in the listed name, mark it "skip"
warn  set acl_m9 = ${if and { \
                         {!eq{$acl_m9}{}} \
                         {match{$sender_helo_name}{${rxquote:$acl_m9}\N$\N}}\
                       }{skip}{}}

# 3. Otherwise fetch the rDNS name we expect for this HELO from helo-check
#    (an entry with no value means "the HELO name itself")
warn  condition = ${if eq{$acl_m9}{skip}{no}{yes}}
      set acl_m9 = ${lookup{$sender_helo_name} \
                       partial-lsearch{/usr/local/exim/helo-check} \
                       {${if eq{$value}{}{$sender_helo_name}{$value}}}{}}

# 4. We expect a name, but the PTR lookup gave no answer without failing
#    outright (temporary DNS error): ask the client to retry later
defer condition = ${if eq{$acl_m9}{skip}{no}{yes}}
      condition = ${if eq{$acl_m9}{}{no}{yes}}
      condition = ${if eq{$sender_host_name}{}{yes}{no}}
      condition = ${if eq{$host_lookup_failed}{1}{no}{yes}}
      message   = Access temporarily denied. Resolve failed PTR for \
                  $sender_host_address

# 5. The rDNS name does not end in the expected suffix: forged HELO
drop  condition = ${if eq{$acl_m9}{skip}{no}{yes}}
      log_message = HELO MISMATCH Forged HELO for ($sender_helo_name)
      condition = ${if and { \
                       {!eq{$acl_m9}{}} \
                       {!match{$sender_host_name}{${rxquote:$acl_m9}\N$\N}}\
                     }{yes}{no}}
      delay = 30s
put this line into /usr/local/exim/skip-helo-check:
64.4.0.0/18 : hotmail.com
put this function into /usr/local/exim/exim.pl:
# lnetsearch(IP, FILE): look IP up in FILE, whose lines have the form
#     net[/mask] [: value]
# Returns the value of the last net that contains IP ('found' if that
# entry has no value), or '' if no net matches.
sub lnetsearch {
    my ($ip, $data_file) = @_;

    # pack a dotted quad into a 32-bit integer; short forms such as
    # "64.4" are padded with zero octets
    my $pack_ip = sub {
        my @octets = split(/\./, shift);
        push(@octets, '0') while (@octets < 4);
        return ($octets[0] << 24) + ($octets[1] << 16)
             + ($octets[2] << 8)  +  $octets[3];
    };
    my $ip1_packed = $pack_ip->($ip);

    # lexical filehandle: DATA is Perl's own handle for the __DATA__ section
    open(my $fh, '<', $data_file)
        or die("couldn't open file '$data_file': $!\n");

    my ($result, $found);
    while (my $line = <$fh>) {
        next if ($line =~ /^\s*[#\r\n]/);          # comment or blank line
        # non-greedy (.*?) keeps trailing whitespace out of the value,
        # which would otherwise break the rxquote match in the ACL
        my ($net, undef, undef, $mask, $value) = ($line =~
            /^\s*(\d{0,3}(\.\d{0,3}){0,3})(\s*\/\s*(\d+))?\s*:?\s*(.*?)\s*$/);
        next unless (length($net));                 # malformed line
        my $ip2_packed = $pack_ip->($net);
        $mask = 32 unless (defined($mask) && length($mask));
        # an explicit /0 must give an all-zero mask (shifting by 32 is
        # not portable), so handle it separately
        my $packed_mask = $mask ? ((0xffffffff << (32 - $mask)) & 0xffffffff) : 0;
        if (($ip1_packed & $packed_mask) == ($ip2_packed & $packed_mask)) {
            $result = length($value) ? $value : 'found';
            $found = 1;                             # no last: the last match wins
        }
    }
    close($fh);
    return $found ? $result : '';
}
don't forget to use the global configuration option
perl_startup = do "/usr/local/exim/exim.pl"
it's too ugly, but it must work properly
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Best wishes Victor Ustugov mailto:victor@corvax.kiev.ua
public PGP key (0xA067B1F5): http://victor.corvax.kiev.ua/pgp/corvax.asc
ICQ: 77186900, 32418694 CRV2-RIPE, CRV-UANIC
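The warn/warn/warn/defer/drop chain from the post, modelled in Python as an added example (not code from the post or from Exim) so each outcome can be checked offline: the skip-helo-check and helo-check contents are constructed, the 198.51.100.x addresses are made up, and Exim's partial-lsearch is approximated by trying the key and then its *.tail forms.

```python
import ipaddress
import re

# Constructed stand-in for /usr/local/exim/skip-helo-check (same line format as the post).
SKIP_HELO_CHECK = """\
# net[/mask] : HELO suffix that excuses clients in that net from the rDNS check
64.4.0.0/18 : hotmail.com
"""
# Constructed stand-in for helo-check as partial-lsearch sees it: HELO name -> expected
# rDNS suffix; an empty value means "the rDNS name must end in the HELO name itself".
HELO_CHECK = {"hotmail.com": "", "*.hotmail.com": "hotmail.com"}


def lnetsearch(ip, data):
    """Model of the post's lnetsearch(): value of the last net containing ip, '' if none."""
    result = ""
    for line in data.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        net, _, value = line.partition(":")
        if ipaddress.ip_address(ip) in ipaddress.ip_network(net.strip(), strict=False):
            result = value.strip() or "found"
    return result


def partial_lsearch(key, table):
    """Approximation of Exim's partial-lsearch: try key, then *.tail down to two labels."""
    labels = key.split(".")
    for cand in [key] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels) - 1)]:
        if cand in table:
            return table[cand]
    return None


def helo_verdict(ip, helo, host_name, host_lookup_failed):
    """Walk the warn/warn/warn/defer/drop chain of the ACL; return (verb, acl_m9)."""
    acl_m9 = lnetsearch(ip, SKIP_HELO_CHECK)                          # warn 1
    if acl_m9 and re.search(re.escape(acl_m9) + "$", helo):            # warn 2
        return "skip", "skip"                    # every later verb tests for "skip" and passes
    value = partial_lsearch(helo, HELO_CHECK)                          # warn 3
    acl_m9 = "" if value is None else (value or helo)
    if acl_m9 and not host_name and host_lookup_failed != "1":         # defer: PTR temp-failed
        return "defer", acl_m9
    if acl_m9 and not re.search(re.escape(acl_m9) + "$", host_name):   # drop: HELO mismatch
        return "drop", acl_m9
    return "accept", acl_m9


if __name__ == "__main__":
    # Richard's log line: a hotmail.com IP whose PTR lookup failed temporarily
    print(helo_verdict("64.4.47.24", "hotmail.com", "", ""))           # ('skip', 'skip')
    print(helo_verdict("198.51.100.7", "hotmail.com", "", ""))         # ('defer', 'hotmail.com')
```

Richard's client lands in the "skip" branch only because 64.4.0.0/18 is in skip-helo-check; the same HELO from an address outside that net is deferred while the PTR lookup is temp-failing and dropped once it fails for good.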