Re: [Exim] New HELO check suite

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Tor Slettnes
Ημερομηνία:  
Προς: Marc MERLIN
Υ/ο: exim-users, Philip Hazel
Αντικείμενο: Re: [Exim] New HELO check suite
> deny message = "HELO/EHLO required by SMTP RFC"
>           condition     = ${if eq{$sender_helo_name}{}{yes}{no}}
> .ifdef TEERGRUBE
>           delay         = TEERGRUBE
> .endif


Cleaner:
            condition     = ${if def:sender_helo_name {yes}{no}}



>   deny    message       = "Invalid domain or IP given in HELO/EHLO"
>          !condition     = ${if match{$sender_helo_name}{\\\.}{yes}{no}}
> .ifdef TEERGRUBE
>           delay         = TEERGRUBE
> .endif


The double quotes will actually show up in the 550 response.


>   deny    message       = Forged IP detected in HELO (it's mine) -
> $sender_helo_name
>           hosts         = !+relay_from_hosts
>           condition     = ${if
> eq{$sender_helo_name}{$interface_address}{yes}{no}}
> .ifdef TEERGRUBE
>           delay         = TEERGRUBE
> .endif


Why allow _any_ IP to be used as HELO/EHLO argument? This is not
valid per RFC. (If an IP address is used at all, it must be enclosed
in [square brackets]). So:

    deny     message      = You gave me an IP address, I want your name.
             condition    = ${if isip {$sender_helo_name}{yes}{no}}


would work just fine... (this eliminates the need for some of your
other "deny" blocks as well).

>   deny    message       = Forged hostname detected in HELO -
> $sender_helo_name
>           # accept helo which is in local_domain if we relay or had
> smtp auth
>           hosts         = !+relay_from_hosts
>          !authenticated = *
>           log_message   = Forged hostname detected in HELO -
> $sender_helo_name
>           condition     = ${if
> match_domain{$sender_helo_name}{+local_domains} {yes}{no}}
> .ifdef TEERGRUBE
>           delay         = TEERGRUBE
> .endif


Another way would be:

   # Deny if $sender_helo_name resolves to our own address
   #
   deny message        = Forged hostname detected in HELO -
$sender_helo_name
        hosts          = !+relay_from_hosts
        !authenticated = *
        log_message    = Forget hostname detected in HELO -
$sender_helo_name
        condition      = ${if eq {${lookup dnsdb{a=$sender_helo_name}
{$value}}} \
                                 {$interface_address} \
                              {yes}{no}}



-tor