Re: [exim] Blocking HELO with IP, but not for autenticated u…

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Mike Cardwell
Date:  
À: exim-users
Sujet: Re: [exim] Blocking HELO with IP, but not for autenticated users
* on the Fri, Jun 08, 2007 at 02:37:54AM -0700, Phil Pennock wrote:

>> Another problem: I'd like to block the HELO/EHLO with IPs or not FQDN, but I
>> MUST allow this for all my autenticated users...
>>
>> I want to reject these E-Mail as soon as possible.
>> Has Exim an ACL that be called after "MAIL FROM"?
>
> Yes; you can find a quick list of all of the ACLs in section 40.2 of The
> Exim Specification (spec.txt which came with your Exim). These are also
> listed in the policy controls in section 14.11 of spec.txt.
>
> You'll also want to read section 40.16 on ACL variables.
>
> > If yes, then I can reject the E-Mail with invalid HELO/EHLO and not
> > autenticated direct after MAIL FROM...
>
> In your authenticators use server_set_id to set $authenticated_id.
>
> Use the ACL run at HELO time to set a connection ACL variable (acl_c*);
> with a recent enough Exim this can be named (acl_c_helo_was_ip),
> otherwise you'll need to allocate a number in your configuration
> (acl_c0). Give it a value of "yes" or "no".
>
> In the ACL run at SMTP MAIL time, reject based on two conditions.
>
>   deny   message = Go away, foul fiend
>        condition = $acl_c_helo_was_ip
>        condition = ${if eq{$authenticated_id}{}}

>
> Please remember that some broken mail senders do not deal well with a
> mail-system which rejects at MAIL time, so you might be better off
> rejecting at RCPT time instead.


It's a simpler than that. you don't need to touch your authenticators or
set an acl variable. Just do this in your mail acl:

deny !authenticated = *
     condition      = ${if isip{$sender_helo_name}{true}{false}}
     message        = You're not authenticated and your HELO was an IP I'll leave the FQDN


Although he originally specified it must be a fqdn. So I guess rather
than using isip you might:

deny !authenticated = *
     !condition     = ${if match{$sender_helo_name}{\N^([A-Za-z0-9]+([A-Za-z0-9-]*[A-Za-z0-9]+)?\.)+[A-Za-z]+$\N}}
     message        = You're not authenticated and your HELO is not a FQDN


All of the above is untested (including the regex)

Mike