Re: [exim] where is this mail coming from?

Author: Phil Pennock
Date:  
To: Jeff Lasman
CC: exim-users
New-Topics: [exim] Problem (Was: Re: where is this mail coming from?)
Subject: Re: [exim] where is this mail coming from?
On 2008-02-11 at 16:02 -0800, Jeff Lasman wrote:
> I've been studying this for about nine hours now and I'm not getting
> anywhere <frown>.
>
> I see similar messages in my mainlog:
>
> <snip>
> 2008-02-11 15:57:37 1JOiWn-0005QW-E3 <= nhzpnlaqmsdg@???
> H=(67.30.130.182) [125.110.187.29] P=smtp S=2271

> The IP# in parentheses is the server's IP#. The IP# in square brackets
> is always an IP# beginning with 125.110.

The value in parentheses is the value used by the sender in the HELO
line when it started talking SMTP to your server.

I'll solve both problems, providing ACLs for you to use; if you already
have ACLs in these places, merge this into your existing ACLs.

In the first section of your Exim configuration, have:
----------------------------8< cut here >8------------------------------
hostlist    blocked_addresses = 125.110.0.0/16

acl_smtp_connect = acl_connect
acl_smtp_helo = acl_check_helo
----------------------------8< cut here >8------------------------------

Then after the "begin acl" line have:
----------------------------8< cut here >8------------------------------
acl_connect:

  accept  hosts = @[] : +relay_from_hosts

  deny    hosts = +blocked_addresses
          message = Your IP address should not be talking to me

  accept  hosts = *
          delay = 3s


acl_check_helo:

  accept  hosts   = @[] : @
          endpass

  deny    condition = ${if and{\
            {isip{$smtp_command_argument}}\
            {match_ip{$smtp_command_argument}{@[]}}\
            } {yes}{no}}
          message = How can you possibly have my IP address?
          delay   = 30s

  accept
----------------------------8< cut here >8------------------------------

The ACLs process their rules in order, using first-found accept/deny
match. (That's simplified, but for the rules used here it's accurate)

The first ACL is for SMTP connections and:
  * accepts connections from yourself or from relayed hosts
    (if you don't have a relay_from_hosts hostlist, just drop that from
    the line)
  * rejects connections from the IP addresses matched by the
    blocked_addresses hostlist
  * accepts all other connections, but with a short delay which will
    cause bad SMTP speakers that just pump commands without waiting to
    have a protocol synchronisation error and get dropped


The second ACL:
  * accepts any HELO/EHLO supplied from the local host
  * rejects any HELO/EHLO which is an IP address where that IP address
    belongs to your local host
  * accepts any other HELO/EHLO


> Or is this email really from 125.110?


The value in square brackets is authoritative. You should have a file
called "spec.txt" somewhere, it shipped with Exim; otherwise, see the
online version at www.exim.org, this is The Exim Specification. See
section 49.6, "Logging message reception" which includes:

----------------------------8< cut here >8------------------------------
Misconfigured hosts (and mail forgers) sometimes put an IP address, with or
without brackets, in the HELO or EHLO command, leading to entries in the log
containing text like these examples:

H=(10.21.32.43) [192.168.8.34]
H=([10.21.32.43]) [192.168.8.34]

This can be confusing. Only the final address in square brackets can be relied
on.
----------------------------8< cut here >8------------------------------

Regards,
-Phil
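As an added illustration (not part of Phil's reply or of Exim), the following Python script reads mainlog reception lines of the kind quoted above, separates the HELO argument in parentheses from the authoritative remote address in square brackets, and flags the two situations the ACLs act on: a HELO that claims one of your own addresses, and a connection from the blocked 125.110.0.0/16 range. The sample log lines, the local address 67.30.130.182 and the domain example.invalid are constructed for the example; bracketed HELO values such as "[10.21.32.43]" are treated as IP addresses too, which goes slightly beyond the isip test in the ACL.

```python
import ipaddress
import re

# Exim reception line: "H=" then an optional verified host name, an
# optional "(helo-argument)", and finally the authoritative "[remote-ip]".
_RECV_RE = re.compile(
    r"\bH=(?:(?P<host>[^\s(\[]+))?\s*(?:\((?P<helo>[^)]*)\))?\s*\[(?P<ip>[^\]]+)\]"
)

# Constructed sample lines in the style of the mainlog excerpt in the thread
# (message ids, senders and most addresses are invented).
SAMPLE_LOG = """\
2008-02-11 15:57:37 1JOiWn-0005QW-E3 <= a@example.invalid H=(67.30.130.182) [125.110.187.29] P=smtp S=2271
2008-02-11 15:58:02 1JOiXC-0005Qb-1X <= b@example.invalid H=([203.0.113.5]) [192.168.8.34] P=esmtp S=1024
2008-02-11 15:58:40 1JOiXo-0005Qk-9Z <= c@example.invalid H=mx.example.invalid [198.51.100.7] P=esmtp S=3000
"""


def _as_ip(text):
    """Return an ip_address for text, with or without square brackets, else None."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def classify(line, local_ips, blocked_nets):
    """Parse one reception line; local_ips is a set of ip_address objects,
    blocked_nets a list of ip_network objects. Returns None for other lines."""
    m = _RECV_RE.search(line)
    if not m:
        return None
    remote = ipaddress.ip_address(m.group("ip"))     # the value to rely on
    helo = m.group("helo") or m.group("host") or ""  # what the client claimed
    helo_ip = _as_ip(helo)
    return {
        "remote": str(remote),
        "helo": helo,
        "helo_claims_local_ip": helo_ip is not None and helo_ip in local_ips,
        "source_blocked": any(remote in net for net in blocked_nets),
    }


def scan(log_text, local_ips, blocked_nets):
    """Classify every reception line; local_ips and blocked_nets are strings."""
    local = {ipaddress.ip_address(s) for s in local_ips}
    nets = [ipaddress.ip_network(s) for s in blocked_nets]
    return [r for r in (classify(l, local, nets) for l in log_text.splitlines()) if r]


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG, ["67.30.130.182"], ["125.110.0.0/16"]):
        print(r)
```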