Re: [Exim] New HELO check suite

Pàgina inicial
Delete this message
Reply to this message
Autor: Andrew - Supernews
Data:  
A: exim-users
Assumpte: Re: [Exim] New HELO check suite
>>>>> "Tor" == Tor Slettnes <tor@???> writes:

Tor> Another way would be:


 Tor>    # Deny if $sender_helo_name resolves to our own address
 Tor>    #
 Tor>    deny message        = Forged hostname detected in HELO - $sender_helo_name
 Tor>         hosts          = !+relay_from_hosts
 Tor>         !authenticated = *
 Tor>         log_message    = Forget hostname detected in HELO - $sender_helo_name
 Tor>         condition      = ${if eq {${lookup dnsdb{a=$sender_helo_name}{$value}}} \
 Tor>                                  {$interface_address} \
 Tor>                               {yes}{no}}


That'll lose you some mail from sites where the HELO name is actually
a valid FQDN, but isn't resolvable from outside the sender's network
(I've seen that happen several times for various reasons). In such cases
the "deny" above may end up deferring the mail indefinitely, since the
dnsdb lookup will cause it to defer on a query timeout or SERVFAIL.

With recent releases that's fixable:

    warn set acl_c0 =
         set acl_c0 = ${lookup dnsdb{a=$sender_helo_name}{$value}}
    deny message = whatever your message is
         hosts = !+relay_from_hosts
         !authenticated = *
         condition = ${if eq{$acl_c0}{$interface_address} {yes}{no}}


Having the lookup inside a "warn" statement rather than a "deny" statement
stops the whole ACL from deferring if the lookup defers.

--
Andrew, Supernews
http://www.supernews.com