Hi Bill,
On Tue, 2012-09-04 at 17:57 +0000, W B Hacker wrote:
> Always Learning wrote:
> >
> > In ACL HELO how can one match the data in the HELO/EHLO line ? I want
> > to match 'Microsoft ESMTP MAIL Service' and then drop or reject the
> > connection.
> >
> > 220 galsrv1.galvatech.local Microsoft ESMTP MAIL Service, Version:
> > 6.0.3790.4675 ready at Wed, 5 Sep 2012 03:29:41 +1000
> >
> > 220 adstudio.co.za Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675
> > ready at Tue, 4 Sep 2012 19:31:48 +0200
> Experiment with this before going TOO far.
I've got 4 mail servers I can play with.
> Not ALL of those using EMM ASS tools are bad-actors, and blocking on
> anything but the LAST MILE sending server is dodgy:
>
> ===
>
> warn
> logwrite = Traversing MS ESMTP test
> regex = ^HELO:: .*Microsoft ESMTP MAIL
> log_message = $sender_host_address matched MS ESMTP
> ===
>
> CAVEAT: Half-vast adapted from a different test, and NOT TESTED.
>
> Expect it will need correction from someone more expert than I.
>
> But you get the drift.
>
> FWIW, I just add the offending ISP to my LBL or their IP pool to the OS
> FW tables.
>
> Lower-resource tests than a regex, and less drivel in logs.
What I ideally sought was a once-off solution. Your interesting regex
examines all the headers in the DATA ACL. I was seeking something which
examines the incoming HELO line in the HELO ACL.
If I can't find it, I will probably go for the address block blocking in
IPT.
Thanks,
Paul.
--
Paul.
England,
EU.
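An Exim HELO ACL that matches on $sender_helo_name, which holds the HELO/EHLO argument (the quoted 220 lines are the remote servers' greeting banners, not HELO commands, so only a client that actually sends that text in its HELO will match); this is an added example, not code from the thread. It assumes the named host list relay_from_hosts from the stock configuration exists, and it logs rather than rejects so the hits can be reviewed before switching to deny.

```exim
# Added example (not from the thread). Exim main configuration:
# route the HELO/EHLO command through a named ACL.
acl_smtp_helo = acl_check_helo

begin acl

acl_check_helo:
  # Assumption: relay_from_hosts is the stock named host list for
  # our own networks; never log or reject those on their HELO name.
  accept
    hosts = +relay_from_hosts

  # $sender_helo_name is the argument of the HELO/EHLO command.
  # \N...\N keeps the regex out of string expansion; (?i) makes
  # the PCRE match case-insensitive. Change 'warn' to 'deny' only
  # after the log shows the pattern hits no legitimate senders.
  warn
    condition   = ${if match{$sender_helo_name}{\N(?i)microsoft esmtp mail\N}}
    log_message = HELO "$sender_helo_name" from $sender_host_address \
                  matched MS ESMTP pattern

  accept
```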