[exim] Broken helo/ehlo Check

Author: Mark T. Valites
Date:  
To: exim-users
Subject: [exim] Broken helo/ehlo Check
I've recently been playing with adding some helo/ehlo ACLs at 'rcpt to:'
time. Since the topic has been hot lately, perhaps someone can help me
figure out what's happening.

I've added a couple ACLs to check the helo/ehlo strings, but the one that
is causing me troubles looks like this:

  deny  message = Your host is using one of my IP addresses as its HELO/EHLO greeting. If you believe you are receiving this message in error, please email postmaster@???.
        hosts = !@[]
        condition = ${if match_address{$sender_helo_name}{$interface_address}{true}{false}}


(I can provide more of my conf file if need be)

The problem is when the ACL is reached and run, exim just drops my smtp
connection completely with no error or indication to the client what
happened.

Here's what the client sees:

[valites@bofh:~][501] $ telnet www.valites.net 225
Trying 24.169.104.120...
Connected to roc-24-169-104-120.rochester.rr.com.
Escape character is '^]'.
220 myth.valites.net ESMTP Exim 4.34 Tue, 11 Jan 2005 12:55:24 -0500
ehlo bofh.cit.geneseo.edu
250-myth.valites.net Hello bofh.cit.geneseo.edu [137.238.60.6]
250-SIZE 5242880
250-EXPN
250-PIPELINING
250-STARTTLS
250 HELP
mail from:<>
250 OK
rcpt to: mark@???
Connection closed by foreign host.

Debug mode on the server:

valites@myth:~$ sudo exim4 -bd -d -C ./exim4.conf -oX 225
Exim version 4.34 uid=0 gid=0 pid=25829 D=fbb95cfd
Berkeley DB: Sleepycat Software: Berkeley DB 3.2.9: (May 26, 2004)
Support for: iconv() IPv6 PAM Perl GnuTLS
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb
dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql
Authenticators: cram_md5 plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram
redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
changed uid/gid: forcing real = effective
  uid=0 gid=0 pid=25829
  auxiliary group list: <none>
configuration file is ./exim4.conf
log selectors = 00000dfc 00034400
trusted user
admin user
user name "root" extracted from gecos field "root"
originator: uid=0 gid=0 login=root name=root
25829 daemon_smtp_port overridden by -oX:
25829   <: 225
25829 LOG: MAIN
25829   IPv6 socket creation failed: Address family not supported by protocol
25829 LOG: MAIN
25829   Failed to create IPv6 socket for wildcard listening (Address
family not supported by protocol): will use IPv4
25829 listening on all interfaces (IPv4) port 225
25829 changed uid/gid: running as a daemon
25829   uid=105 gid=105 pid=25829
25829   auxiliary group list: 105 42
25829 LOG: MAIN
25829   exim 4.34 daemon started: pid=25829, no queue runs, listening for SMTP on port 225 (IPv4)
25829 set_process_info: 25829 daemon: no queue runs, listening for SMTP on port 225 (IPv4)
25829 daemon running with uid=105 gid=105 euid=105 egid=105
25829 Listening...
25829 Connection request from 137.238.60.6 port 50939
25829 search_tidyup called
25829 1 SMTP accept process running
25831 sender_fullhost = [137.238.60.6]
25829 Listening...
25831 sender_rcvhost = [137.238.60.6]
25831 Process 25831 is handling incoming connection from [137.238.60.6]
25831 host in host_lookup? no (option unset)
25831 set_process_info: 25831 handling incoming connection from [137.238.60.6]
25831 host in host_reject_connection? no (option unset)
25831 host in sender_unqualified_hosts? no (option unset)
25831 host in recipient_unqualified_hosts? no (option unset)
25831 host in helo_verify_hosts? no (option unset)
25831 host in helo_try_verify_hosts? no (option unset)
25831 host in helo_accept_junk_hosts? no (option unset)
25831 SMTP>> 220 myth.valites.net ESMTP Exim 4.34 Tue, 11 Jan 2005 12:55:24 -0500
25831 Process 25831 is ready for new message
25831 smtp_setup_msg entered
25831 SMTP<< ehlo bofh.cit.geneseo.edu
25831 bofh.cit.geneseo.edu in helo_lookup_domains? no (end of list)
25831 sender_fullhost = (bofh.cit.geneseo.edu) [137.238.60.6]
25831 sender_rcvhost = [137.238.60.6] (helo=bofh.cit.geneseo.edu)
25831 set_process_info: 25831 handling incoming connection from (bofh.cit.geneseo.edu) [137.238.60.6]
25831 host in pipelining_advertise_hosts? yes (matched "*")
25831 host in auth_advertise_hosts? no (end of list)
25831 host in tls_advertise_hosts? yes (matched "*")
25831 SMTP>> 250-myth.valites.net Hello bofh.cit.geneseo.edu [137.238.60.6]
25831 250-SIZE 5242880
25831 250-EXPN
25831 250-PIPELINING
25831 250-STARTTLS
25831 250 HELP
25831 SMTP<< mail from:<>
25831 SMTP>> 250 OK
25831 SMTP<< rcpt to: mark@???
25831 using ACL "acl_check_rcpt"
25831 processing "accept"
25831 check hosts = :
25831 host in ":"? no (end of list)
25831 accept: condition test failed
25831 processing "deny"
25831 check local_parts = ^.*[@%!/|] : ^\\.
25831 mark in "^.*[@%!/|] : ^\."? no (end of list)
25831 deny: condition test failed
25831 processing "accept"
25831 check local_parts = postmaster : abuse
25831 mark in "postmaster : abuse"? no (end of list)
25831 accept: condition test failed
25831 processing "accept"
25831 check authenticated = *
25831 accept: condition test failed
25831 processing "deny"
25831 check hosts = !@[]
25831 host in "!@[]"? yes (end of list)
25831 bofh.cit.geneseo.edu in "@:@[] : localhost : valites.net"? no (end of list)
25831 bofh.cit.geneseo.edu in "myth.valites.net:+local_domains"? no (end of list)
25831 check condition = ${if and {{match_domain
{$sender_helo_name}{$primary_hostname:+local_domains}}{!match_domain
{$sender_helo_name}{localhost}}}{true}{false}}
25831                 = false
25831 deny: condition test failed
25831 processing "deny"
25831 check hosts = !@[]
25831 host in "!@[]"? yes (end of list)
25831 address match: subject=bofh.cit.geneseo.edu pattern=192.168.1.87
25829 child 25831 ended: status=0xb
25829 0 SMTP accept processes now running
25829 Listening...


This server lives behind a NATTed OpenBSD box with port 225 forwarded to
it and local DNS for the private LAN, but I see the same problem on my
production machines if I enable the ACL. The machine is an x86 Debian
testing box with the exim4-daemon-heavy 4.34-8 package.

Any thoughts as to why the SMTP conversation just dies?


--
Mark T. Valites
Unix Systems Analyst
Computing & Information Technology
SUNY Geneseo
>--))> >--))>
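
An added example, not part of the original post or of Exim: a small Python triage script for `exim -d` output like the log above. It decodes the `status=` value the daemon logs when a child ends, assuming it is the raw wait(2) status word in the usual Linux layout, and reports the last lines that child logged; the function names and the abridged sample are constructed here.

```python
import re
import signal

# Constructed sample: lines abridged from the debug output in the post above.
SAMPLE = """\
25829 Listening...
25831 SMTP<< rcpt to: mark@???
25831 using ACL "acl_check_rcpt"
25831 processing "deny"
25831 check hosts = !@[]
25831 host in "!@[]"? yes (end of list)
25831 address match: subject=bofh.cit.geneseo.edu pattern=192.168.1.87
25829 child 25831 ended: status=0xb
25829 0 SMTP accept processes now running
"""

CHILD_END = re.compile(r"^(\d+) child (\d+) ended: status=0x([0-9a-fA-F]+)")
PID_LINE = re.compile(r"^(\d+) (.*)")

def decode_status(status):
    """Decode a wait(2) status word (assumed layout: low 7 bits = signal)."""
    sig = status & 0x7F
    if sig == 0:
        return {"kind": "exit", "code": (status >> 8) & 0xFF}
    try:
        name = signal.Signals(sig).name
    except ValueError:
        name = "UNKNOWN"
    return {"kind": "signal", "signal": sig, "name": name, "core": bool(status & 0x80)}

def find_crashes(text, context=3):
    """Return children that did not exit cleanly, with their last debug lines."""
    seen, crashes = {}, []
    for line in text.splitlines():
        m = CHILD_END.match(line)
        if m:
            child, info = int(m.group(2)), decode_status(int(m.group(3), 16))
            if info != {"kind": "exit", "code": 0}:
                crashes.append({"pid": child, **info, "last_lines": seen.get(child, [])[-context:]})
            continue
        m = PID_LINE.match(line)
        if m:  # remember what each pid logged, in order
            seen.setdefault(int(m.group(1)), []).append(m.group(2))
    return crashes

if __name__ == "__main__":
    for crash in find_crashes(SAMPLE):
        print(crash)
```

On the log in the post this reports pid 25831 ending on signal 11 (SIGSEGV on Linux), with the `address match:` line as the last thing that process logged.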