Re: [exim] Setup for authenticated submission

Author: Bill Hacker
Date:
To: exim-users
Subject: Re: [exim] Setup for authenticated submission
Jakob Hirsch wrote:
> Bill Hacker wrote:


*SNIP*
>
> Let me check if I understand right: You check if the sender domain matches
> the helo domain? So the following would be invalid in your eyes?
>
> EHLO example.net
> MAIL FROM:<someone@???>
>
> If this is what you mean, you are wrong.


That is what I mean, and earns such a sender a 'demerit' of 1 point:
An outright deny/drop/discard on ONE such point would be 'wrong'.
See comments below:

   # HELO_5: IF HELO verification fails THEN prep message.
   # *CANNOT REJECT YET* Too many Mis-matched ID's, some of our own included!
   #
   warn
     condition   = ${if !def:acl_c1 {true}{false}}
     !verify     = helo
     set acl_c1  = X-HELO-Warning: Remote host $sender_host_address \
                   ${if def:sender_host_name {($sender_helo_name) }}\
                   is cross-dressed as $sender_helo_name  !!!
     log_message = H5 $acl_c3 has mismatched ID's in HELO/EHLO greeting.
     set acl_c2  = $acl_c2  Mismatched HELO=1
     set acl_c5  = ${eval:$acl_c5 + 1}


But this is but one of several tests for 'good practice'.

Here is another 'soft' fail that can add to the score and eventually
become a 'hard' fail:

   # FROM_6: IF FAIL sender_verify THEN prep message AND add to header.
   #
   warn
     !verify     = sender/defer_ok/callout=10s,defer_ok
     set acl_c2  = $acl_c2  Sender Verify = $sender_verify_failure \
                   $sender_address_data
     set acl_c5  = ${eval:$acl_c5 + 1}
     log_message = F6 $acl_c3 failed sender verify at \
                   $sender_verify_failure for $sender_address $sender_address_data


And another (held-off until 'DATA' phase to avoid 'cost' of an external
lookup if already rejected...):

   # DATA_6B: IF host rDNS lookup fails THEN warn AND flag for later, NOT delay.
   # Hosts permitted to relay are exempt; Exim variable names are case-sensitive,
   # so the header must use $sender_host_address (lower case).
   #
   warn
     log_message = C5 $sender_host_name $sender_host_address failed rDNS \
                   lookup with score of $acl_c5 for $acl_c2
     !condition  = ${if eq{$acl_m4}{0}}
     !hosts      = +relay_from_hosts
     !verify     = reverse_host_lookup
     message     = X-DNS-Broken-Warn: rDNS lookup failed for \
                   $sender_host_address
     set acl_c2  = $acl_c2  Missing rDNS PTR=1
     set acl_c5  = ${eval:$acl_c5 + 1}



Too many such 'points' regardless of the 'mix', on the same connection
can very accurately ID a zombie or spambot, can be tested against a
global, per-domain, or per-user threshold with near-zero false alarms,
and a very much lightened load on resource-intensive SA.

We have been saving and checking the rejections since last October,
falsing is NOT a problem, and spam is minuscule.
SA catches the 'complex' ones, but such rules as above get the majority
before they ever reach it.

YMMV
>
>
>>>Well, I hope your mail system works better than your homepage...
>>
>>What homepage??
>
>
> http://www.conducive.org/
>
>


Ah! 'Cobbler's children going barefoot, as it were.... when I have time....

precisa.ch better represents our work...

Bill
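The statements Bill quotes only accumulate points in $acl_c5 and reasons in $acl_c2; the threshold test he describes is not shown. The following DATA-time ACL fragment is an added example, not Bill's configuration, of how such a score can be recorded and then enforced against a global or per-domain limit. The X-Policy-Score header name, the default threshold of 3, the threshold file /etc/exim/policy_thresholds (one `domain: limit` line per entry), the "D9" log tag and the use of the sender domain as the per-domain key are all assumptions.

```exim
   # DATA_9 (added example): act on the score accumulated by the warn tests.
   # $acl_c5 = running count of 'demerit' points, $acl_c2 = the reasons.
   # Header name, threshold, lookup file and log tag are assumptions.
   #
   # Always record the score first, so both accepted and rejected messages
   # can be audited later. $acl_c5 is empty when no test fired, so guard it.
   warn
     condition   = ${if def:acl_c5}
     message     = X-Policy-Score: $acl_c5 ($acl_c2)

   # Reject once the score exceeds the limit. The limit is looked up per
   # sender domain in a flat file (assumed format "example.net: 5"); a domain
   # with no entry gets the global default of 3. Hosts that may relay through
   # us are exempt, as in the rDNS test above.
   deny
     !hosts      = +relay_from_hosts
     condition   = ${if def:acl_c5}
     condition   = ${if >{$acl_c5}\
                        {${lookup{$sender_address_domain}lsearch{/etc/exim/policy_thresholds}{$value}{3}}}}
     message     = Too many policy failures on this connection: $acl_c2
     log_message = D9 $acl_c3 rejected with score $acl_c5 for $acl_c2
```

Keeping the deny in the DATA ACL means every soft test, including the rDNS check that is deliberately deferred to DATA, has had a chance to add its point before the decision is made, and the log line carries the full reason list so a rejection can be traced back to the individual tests that caused it.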