[exim] policy for MUA's

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: exim list subscriber
Dátum:  
Címzett: exim-users
Tárgy: [exim] policy for MUA's
On the off chance that some folks may find this useful...

The site here is making a move to have MUA clients use the MSA
port, rather than using the regular SMTP port. To get a handle on
laggards, we wanted to get some kind of ACL to detect a MUA when
it connected. The way we've been deciding if a MUA is connecting,
is by counting the number of Received: headers in the message. If
there is only one, that being added by the server, then the message
is from a MUA.

After some trial-and-error testing, something like this seems to
do the job:

acl_smtp_data:


# just for testing and tracking
        warn        condition = ${if eq {$interface_port}{25} {1}{0}}
                condition = ${if match {${sg{$h_received:}{\n\s+}{ }}}\
                                        {\n}\
                                        {0}{1}}
                logwrite = MUA detected


# eventually to become policy
        deny        message = Users must use TLS/AUTH, the MSA port, \
                        or a smarthost relay
                condition = ${if eq {$interface_port}{25} {1}{0}}
                ! authenticated = *
                ! encrypted = *
                condition = ${if match {${sg{$h_received:}{\n\s+}{ }}}\
                                        {\n}\
                                        {0}{1}}


Right now, the ACL is just logging, to see what what kind of traffic
it catches. If successful, the policy will become to deny MUA
messages on port 25 on the DMZ mail host. Initially, the plan is
to use this only on selected testcase role accounts, and later on
to use the general case above.

The condition takes advantage of the fact that Exim keeps multiple
$h_received: headers separated by a newline. The ${sg is used to
remove any formatting for readability that might be present in a
header. If a newline is found, then there are at least 2 Received:
headers, and therefore the sender is presumed to be a MTA. But if
there is only one Received:, then its not a MTA that is sending
the mail, but a MUA.

One of the interesting things, is that this MUA check is tagging
a significant portion of spam, or rather, that spam which isn't
forging Received: lines. That's a different problem, but this is
proving to be a good pre-screen by catching spam in the SMTP DATA
phase.

--
eximlist@??? is whitelisted to receive only from the
the exim.org mail servers.
Randall Raemon
shikahrsoho.com, email to userid evg702y in place of eximlist