On 2008-02-11 at 16:02 -0800, Jeff Lasman wrote:
> I've been studying this for about nine hours now and I'm not getting
> anywhere <frown>.
>
> I see similar messages in my mainlog:
>
> <snip>
> 2008-02-11 15:57:37 1JOiWn-0005QW-E3 <= nhzpnlaqmsdg@???
> H=(67.30.130.182) [125.110.187.29] P=smtp S=2271
> The IP# in parenthesis is the server's IP#. The IP# in square brackets
> is always in the is always an IP# beginning with 125.110.
The value in parentheses is the value used by the sender in the HELO
line when it started talking SMTP to your server.
I'll solve both problems, providing ACLs for you to use; if you already
have ACLs in these places, merge this into your existing ACLs.
In the first section of your Exim configuration, have:
----------------------------8< cut here >8------------------------------
hostlist blocked_addresses = 125.110.0.0/16
acl_smtp_connect = acl_connect
acl_smtp_helo = acl_check_helo
----------------------------8< cut here >8------------------------------
Then after the "begin acl" line have:
----------------------------8< cut here >8------------------------------
acl_connect:
accept hosts = @[] : +relay_from_hosts
deny hosts = +blocked_addresses
message = Your IP address should not be talking to me
accept hosts = *
delay = 3s
acl_check_helo:
accept hosts = @[] : @
endpass
deny condition = ${if and{\
{isip{$smtp_command_argument}}\
{match_ip{$smtp_command_argument}{@[]}}\
} {yes}{no}}
message = How can you possibly have my IP address?
delay = 30s
accept
----------------------------8< cut here >8------------------------------
The ACLs process their rules in order, using first-found accept/deny
match. (That's simplified, but for the rules used here it's accurate)
The first ACL is for SMTP connections and:
* accepts connections from yourself or from relayed hosts
(if you don't have a relay_from_hosts hostlist, just drop that from
the line)
* rejects connections from the IP addresses matched by the
blocked_addresses hostslist
* accepts all other connections, but with a short delay which will
cause bad SMTP speakers that just pump commands without waiting to
have a protocol synchronisation error and get dropped
The second ACL:
* accepts any HELO/EHLO supplied from the local host
* rejects any HELO/EHLO which is an IP address where that IP address
belongs to your local host
* accepts any other HELO/EHLO
> Or is this email really from 125.110?
The value in square brackets is authoritative. You should have a file
called "spec.txt" somewhere, it shipped with Exim; otherwise, see the
online version at
www.exim.org, this is The Exim Specification. See
section 49.6, "Logging message reception" which includes:
----------------------------8< cut here >8------------------------------
Misconfigured hosts (and mail forgers) sometimes put an IP address, with or
without brackets, in the HELO or EHLO command, leading to entries in the log
containing text like these examples:
H=(10.21.32.43) [192.168.8.34]
H=([10.21.32.43]) [192.168.8.34]
This can be confusing. Only the final address in square brackets can be relied
on.
----------------------------8< cut here >8------------------------------
Regards,
-Phil
