Re: [exim] blocking part of a relay

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Bill Hacker
Dátum:  
Címzett: exim
Tárgy: Re: [exim] blocking part of a relay
Larry wrote:

> On Sun, Jan 22, 2006 at 04:45:18PM +0800, Bill Hacker wrote:
>
>>Larry wrote:
>>
>>
>>>
>>>I need to figure out how to block the origionator of a message.
>>>


*SNIP*

>
>>Use originator-specific rules, optionally applied only to
>>traffic that arrives from mailhop.org.
>
>
> How? Is it done in the acl part or... ?
>


Tor Slettnes site has not only the working acl's, but a very good
developmental narrative as to how and why they were chosen, then
finsihes up with the 'final' complete set.

Now - I tried his approach, but eventually moved to something very
different.

The reason I still point 'newbies' there is that he has done a good
service by showing both the development philosophy and explanation as
well as a complete 'set' of 'final' acl's. One can learn a lot from that.

With 'fragmentary' information posted here, it is all-too easy to get an
acl in the wrong place, or have acl's conflict with each other for
unwanted, and hard to de-bug, results.

That said, here are two 'fragments' that I use. Keep in mind that they
have to come early enough in the SMTP process to save unwanted parsing,
but late enough that the information they require has been made available.

The ones below function during the 'CONNECT' stage. Note that the same
file is used for several different regexp tests.

log_messages are uncommented for testing, commented-out after about 90
days stable running.

These are part of a complex system - not what you want to start with,
but do illustrate
comparion tests.

==================================================

# CONNECT_2: IF cross-box OR approved relays OR whitelist THEN flag to 
accept.
#
   warn
     hosts       = : +relay_from_hosts
     set acl_c4  = 2
   #  log_message        = $acl_c3 is a local or relay_host . Given flag 
of $acl_c4


   warn
     hosts        = /var/mail/IP-white
     set acl_c4  = 3
   #  log_message        = $acl_c3 IP found in IP-whitelist. Given flag 
of $acl_c4



   # CONNECT_3: Check Local IP Blacklists. IF bad THEN warn OR deny AND 
delay.
   #
   warn
     hosts       = /var/mail/IP-block
     set acl_c2  = $acl_c2  Source IP Blacklisted=10
     set acl_c5  = ${eval:$acl_c5 + 10}
#  log_message = $acl_c3 found in blacklist by IP


   # CONNECT_4: Check Local NAME Blacklist for HELO name. IF bad THEN 
warn OR deny AND delay.
   #
   warn
     condition   = ${lookup {$sender_helo_name} 
lsearch{/var/mail/REGEXP-block}{yes}{no}}
     set acl_c2  = $acl_c2  Source HELO Name Blacklisted=10
     set acl_c5  = ${eval:$acl_c5 + 10}
  # log_message = $acl_c3 found in blacklist by HELO name


   # CONNECT_5: Check Local NAME Blacklist for host_name. IF bad THEN 
warn OR deny AND delay.
   #
   warn
     condition   = ${lookup {$sender_host_name} 
lsearch{/var/mail/REGEXP-block}{yes}{no}}
     set acl_c2  = $acl_c2  Source Host Name Blacklisted=10
     set acl_c5  = ${eval:$acl_c5 + 10}
  # log_message = $acl_c3 found in blacklist by host name


======================================================
The files referenced are of the form:

72.21.53.34
24.143.132.148
209.87.114.72
218.18.40.144
218.18.249.166


And:

nabble.com
*.nabble.com
PickOfThe*
IssueOfThe*
*@asheville.com
asheville.com
deannad@???
info@???
*@kcr.darktech.org
darktech.org
dude
of.net
togo@???
charter.com
netvip.com
porterpartners.com



Other acl's contribute to 'demerit' points in acl_c5, soem one point,
some larger.

At various points, I test the value of acl_c5.
If over a threshold, set in a MACRO, I delay/deny/drop/discard.

Note that the point-value added for a blacklist 'hit' (local or RBL) is
greater than the threshold, so WILL ALWAYS fail.

You can change the 'warn' verb to a 'deny' verb and do without all the
scoring stuff.

Note this:

Exim is akin to a machine-shop to make a motorcar, not the motorcar itself.

Research first, then test thoroughly, even if using 'defaults'.

If all you have is one box, consider this for testing:

Step ONE:

- bind a couple of non-routable IP to a NIC. 192.168.0.X and Y for example.

- set up two Exim instances, configuring to 'allow_domain_literals'
(separate config files).

- bind each ONLY to one internal IP with the 'local_interfaces' setting.

- set 'log_selector = +all'

- install 'wtail'

- set up several dummy users for each.

- run any kind of test traffic you wish between them as <user>@IP while
playing with the configuration
and 'wtail' ing both ~/exim/mainlog's and/or pacilog, rejectlog.


Step TWO:

Once all is working as expected, if you jave two 'real' (external,
routable) IP, change to using those - still two instances on one box.
Domain.tld still 'optional' for now.

Else two or more boxes (I use 3 to 6 - some with MTA's other than Exim,
i.e. Qmail, sendmail, etc.)

When happy, turn OFF domain_literals and use proper domain.tld
*still* keep a close eye on the logs....

Doing the basics is not hard, but if you need to get 'clever' a lot of
homework is needed.

Otherwise the time will come all too soon when you get your underwear
caught up in the machinery...
... with painful consequences! ;-)


HTH,

Bill