On Thu, 2007-05-03 at 10:29 +1000, Ted Cooper wrote:
> Exim has a function to figure out if something is an IP address without
> all the regex
>
> # Deny RAW IP addresses - they MUST be quoted to comply with standards
> deny message = ERRMSG_RAWIP1
>      condition = ${lookup{$sender_host_address}iplsearch{/etc/exim/bwlists/helo_rawip_ok}{no}{yes}}
>      condition = ${if isip{$sender_helo_name}{true}{false}}

that won't work:

  $ exim -be '${if isip{10.0.0.1}}'
  true
  $ exim -be '${if isip{[10.0.0.1]}}'
  <nothing>

so you need to get rid of the brackets, first. here's a snippet from my
config (written before the {true}{false} bit of ${if became optional):

  accept  condition = ${if and {{match {$sender_helo_name}\
                                       {\N^\[(.+)\]$\N}}\
                                {isip4 {$1}}}\
                           {true}{false}}
  accept  condition = ${if and {{match {$sender_helo_name}\
                                       {\N^(?i)\[IPv6:(.+)\]$\N}}\
                                {isip6 {$1}}}\
                           {true}{false}}

(note the need to use isip4 and isip6 separately to do this accurately)

to achieve the effect I suggested, duplicate the stanzas like so:

  # bracketed IPv4 literal that equals the connecting address
  accept  condition = ${if and {{match {$sender_helo_name}\
                                       {\N^\[(.+)\]$\N}}\
                                {isip4 {$1}}\
                                {eq {$1}{$sender_host_address}}}}
  # any other bracketed IPv4 literal
  deny    condition = ${if and {{match {$sender_helo_name}\
                                       {\N^\[(.+)\]$\N}}\
                                {isip4 {$1}}}}

for the pedantic: this may fail for IPv6 since the HELO address
provided by the client may not be canonicalised, and as far as I can
tell, Exim doesn't have a function to test two IP addresses for
equality. actually, the same is true for IPv4, but it is less common to
use something like 127.000.000.001. note also that a leading zero
traditionally signifies octal, but that is specifically not the case
here!
> I don't junk [qu.o.t.ed] IP addresses though as there is the possibility
> they are legit :/ Looking at the logs though 100% are spams, and so far
> they've all been rejected for other reasons.

I had a look at our logs, there were a few unauthenticated occurrences of
this. some looked like misconfigured MUA (Thunderbird?) which uses our
server as a smarthost -- those users will only be able to send e-mail to
our users (their colleagues), but some people never notice that. I
don't think rejecting with a weird HELO error would help them to realise
what the problem is :-)

I also found one server which used HELO for its NATed address
(produktregisteret.no if anyone wonders).

overall the number of messages triggering rules related to this is
minuscule. I counted 89 messages out of 526886 reaching DATA, and only
one of them was a spam with SpamAssassin score < 4.

> I'm also dropping HELO's that aren't authenticated/local that give me a
> single word as helo, ie no dot. And a few other million things.
> condition = ${if match{$sender_helo_name}{\\.}{no}{yes}}

yes, this is very effective.
--
Kjetil T.
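
Added example, not part of the original message and not Exim code: the HELO address-literal check from the stanzas above, done outside Exim with the addresses canonicalised before comparison, so non-canonical IPv6 and zero-padded IPv4 literals compare equal to the peer address. The function names and sample addresses are assumptions made for illustration.

```python
import ipaddress
import re

# RFC 5321 address literals: [192.0.2.1] or [IPv6:2001:db8::1]
_LITERAL = re.compile(r"^\[(?:IPv6:(?P<v6>[^\]]+)|(?P<v4>[^\]]+))\]$", re.I)


def parse_helo_literal(helo):
    """Return the address inside a bracketed HELO literal, or None."""
    m = _LITERAL.match(helo)
    if not m:
        return None
    try:
        if m.group("v6"):
            return ipaddress.IPv6Address(m.group("v6"))
        octets = m.group("v4").split(".")
        if len(octets) != 4 or not all(o.isascii() and o.isdigit() for o in octets):
            return None
        # Octets are read as decimal, so 127.000.000.001 is 127.0.0.1 (not octal).
        return ipaddress.IPv4Address(".".join(str(int(o)) for o in octets))
    except ValueError:
        return None


def helo_verdict(helo, sender_host_address):
    """accept: literal equals the peer; deny: literal for another address;
    pass: HELO is not a bracketed literal, so other rules decide."""
    claimed = parse_helo_literal(helo)
    if claimed is None:
        return "pass"
    peer = ipaddress.ip_address(sender_host_address)
    return "accept" if claimed == peer else "deny"


if __name__ == "__main__":
    # Constructed sample inputs using documentation address ranges.
    samples = [
        ("[127.000.000.001]", "127.0.0.1"),
        ("[192.0.2.1]", "198.51.100.7"),
        ("[IPv6:2001:DB8:0:0:0:0:0:1]", "2001:db8::1"),
        ("mail.example.org", "192.0.2.1"),
    ]
    for helo, peer in samples:
        print(f"{helo:32} from {peer:14} -> {helo_verdict(helo, peer)}")
```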