Re: [exim] Blocking Authenticated Exim user whose ip address…

Top Page
Delete this message
Reply to this message
Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] Blocking Authenticated Exim user whose ip address is in an RBL
normallybaffled wrote:
> Hi, I am looking for a way to apply dnslists to users that authenticate to
> our exim servers that are connecting via ISPs that have large sections of of
> their dynamic ip pools in various RBL's.
> Can I do this by simply applying :
>
>  deny dnslists = dnsbl.njabl.org : \
>                   cbl.abuseat.org : \
>                   sbl-xbl.spamhaus.org : \
>                   bl.spamcop.net
>         message = $sender_host_address is listed in $dnslist_domain\
>                   ${if def:dnslist_text { ($dnslist_text)}

>
> in the acl_check_helo: part of the acl as below?
>
> begin acl
>
> acl_check_helo:
>         accept  hosts = +own_hosts

>
>         deny    condition = ${if or { \
>                                 {eq
> {${lc:$sender_helo_name}}{ourdomain.net}} \
>                                 {eq
> {${lc:$sender_helo_name}}{mail2.ourdomain.net}} \
>                                 {eq
> {${lc:$sender_helo_name}}{ourdomain2.net}} \
>                                 {eq
> {${lc:$sender_helo_name}}{mail3.ourdomain.net}} \
>                                 {eq {${lc:$sender_helo_name}}{our_ips_etc}}
> \
>                                 } {true}{false} }

>
>        deny dnslists = dnsbl.njabl.org : \
>                   cbl.abuseat.org : \
>                   sbl-xbl.spamhaus.org : \
>                   bl.spamcop.net
>         message = $sender_host_address is listed in $dnslist_domain\
>                   ${if def:dnslist_text { ($dnslist_text)}

>
>>>> or am i off track??


Perhaps very much so.

> any help on this would be appreciated.
> thanks
> /normallybaffled
>


You shoudl ordinarily expect that travelers, WiFi users, adsl, dsl, residantial
dial-up WILL be on IP-blocks not intended for MTA use AND that fact alone
doesn't mean they should be denied secure login if they are otherwse bona-fide
members of your user community. (one DOES require secure UID:PWD match?)

Quite the reverse - 'responsible' connectivity ISP may volunteer their dynamic
pools to an RBL as it can help shut-down WinZombie routes to the outside.
Hopefully they also intercept port 25 but NOT port 587.

EX: I hard-block the *dsl networks of the two ISP's that I use the most, one US
based, one Hong Kong based. These may or may not be in an RBL.

But it does not affect my *users* authenticated login at all.

Given that;

- 'our users' must arrive on port 587, and no other, and should NOT be expected
to have PTR RR and such of their own, eg: WILL be in dynamic-IP blocks on DHCP
more often than not..

and that:

- 'foreign' mail must arive on port 25 and no other, and *should* have PTR RR
and NOT be on dynamic IP

... the rules are very simple:

Anything you want applied to your 'user community' AND NOT foreign arrivals:

     condition   = ${if eq{$interface_port}{587}}


and/or (if still using obsolete port 465 as well as port 587)

     !condition   = ${if eq{$interface_port}{25}}



Anything applied to 'foreign' MTA submitting for local delivery:

     condition   = ${if eq{$interface_port}{25}}


Authorized relay_from hosts rules may also be needed, but are straightforward.

CAVEAT: Do not forget to ALSO test that authentication has actually suceeded for
those port 587 arrivals.

That is very important, but cannot be done at time of initial connection as it
has not yet taken place.

The above rules, OTOH, are good from the first instant until the end of the session.

One may also make the tests and use the result to stuff a value into an acl_c
and transfer it to an acl_m or even a custom header - thereby making it
available all the way into routers, transports, and even the message itself if
looked at a year later, such as:

X-Ourfolks: originating submission from an authenticated user

HTH,

Bill