Re: [exim] open relay aftermath

On Sun, Feb 13, 2011 at 11:03:51PM +0100, Moritz Wilhelmy wrote:
> Hi,

Hi,

> On Mon, Feb 14, 2011 at 10:49:49AM +1300, Jim Cheetham wrote:
> > On 14/02/11 06:59, Moritz Wilhelmy wrote:
> > > Just a stupid idea, but you could make exim append tcp_wrappers rules to
> > > /etc/hosts.deny or whereever it's located after a failed relay attempt? (in
> > > case you use tcp_wrappers, that is)
> >
> > Not a good idea to change Exim like that.
> Actually, I believe it doesn't require to "change" the exim code for that. You
> just need to append to a file, which I believe, exim already supports. Exim
> already knows where the relay attempt came from, and tcp_wrappers support
> include-directives (according to hosts_access(5), it can include files), so
> including a /var/run/exim/hosts.deny from within the global config would be
> possible as well, if you don't want to give exim write permissions on the
> global tcp_wrapper configuration file(s).
>
> Any objections?

I think this should be done at iptables level.

> > There are plenty of third-party apps like Fail2Ban and Denyhosts that
> > can be configured to read through your logfiles looking for attackers,
> > and then do any tcpwrappers/firewall configuration that you like.
> Denyhost only supports failed SSH logins, I think.
> Can't tell anything about fail2ban, but why run another daemon if exim is
> sufficient? Especially denyhosts (which I run) is very resource hungry in my
> experience.

Since libnetfilter_xtables and nftables are still in development, it
would be hard to interface directly to iptables (libiptc seems to
abandoned), so I think you could use ipset for simple IP-based blocking.
At least this is what I'm going to try.

> Best regards,
>
> Moritz

Regards,
Matthias-Christian