Hello,
I'm just attending the "Mailserver Conference" in Berlin (gave a talk
about Exim as an MTA-Framework ;)
One of the questions that I got: Can we somehow control how outgoing
connections continue in face of *any* condition?
Somehow it fits again into the gap with checks for an outgoing TLS
connection, but in a more general way. So, basically it's the
continuation of my messages from last week :)
(The actual question was: I'd like to tear down the outgoing connection
as soon as I'm faced with a specific (E)SMTP banner. -- Don't ask why.)
My short answer was: no, we can't.
The long answer could be - why not? Can't we have something like ACLs for
outgoing connections? Assuming we are the client MTA, the following
flow could be possible:
[ smtp_continue_connect = <acl> ]        # final measure to prevent connecting
    C -> tcp connect
    <- S 250 ESMTP ready
[ smtp_continue_ehlo = <acl> ]           # stop in face of bad unfriendly banner
    C -> EHLO mail.example.com
    <- S 250-Nice to meet you, but we do not like
         250 you.
[ smtp_continue_mail = <acl> ]           # stop if expected options are missing
    C -> MAIL FROM:<foo@???>
    …
    C -> STARTTLS
    <- S 220 TLS GO AHEAD
[ smtp_continue_tls_handshake = <acl> ]
    ~~~~ tls handshake
    <~ S 250 ESMTP ready
[ smtp_continue_tls_ehlo = <acl> ]
    C ~> EHLO mail.example.com
Configuration example:
----------------
begin transports

remote_smtp:
  driver = smtp
  smtp_continue_ehlo = banner_check
  smtp_continue_tls_ehlo = tls_policy_check
  …

begin acl

banner_check:
  deny    condition = ${if matches{$remote_smtp_banner}{foobar}}
  accept

tls_policy_check:
  accept  verify = dane
----------------
Thoughts anybody?
Best regards from Dresden/Germany
Best regards from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: 7CBF764A -
gnupg fingerprint: 9288 F17D BBF9 9625 5ABC 285C 26A9 687E 7CBF 764A -
(gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B)-
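The hook sequence sketched in the post, written out as an added example in Python (it is not Exim code and is not from the original message): a scripted peer with canned replies stands in for the remote MTA, each smtp_continue_* point is a callable that sees the session context and returns "accept" or "deny", and the banner_check and tls_policy_check ACLs from the configuration example are modelled as such callables. The hook names, the ctx fields (ctx["banner"] standing in for $remote_smtp_banner), the dane_verified flag and all server replies are assumptions made for this illustration; STARTTLS is placed before MAIL FROM, as the protocol requires.

```python
"""Simulated outgoing SMTP session with per-stage 'continue' ACL hooks.

Added example modelled on the smtp_continue_* hooks proposed in the post.
Not Exim code: hook names, ctx fields and the scripted peer are assumptions.
"""
import re


class ScriptedServer:
    """Constructed stand-in for a remote MTA: canned replies, no sockets."""

    def __init__(self, banner, ehlo_lines, tls_ehlo_lines=None, dane_verified=False):
        self.banner = banner
        self.ehlo_lines = ehlo_lines
        self.tls_ehlo_lines = tls_ehlo_lines or ehlo_lines
        self.dane_verified = dane_verified   # what the TLS layer would report
        self.transcript = []                 # ("C"|"S", text) pairs

    def send(self, line):
        self.transcript.append(("C", line))

    def reply(self, text):
        self.transcript.append(("S", text))
        return text


def parse_ehlo(text):
    """Extract the EHLO keywords from a multi-line 250 reply."""
    options = set()
    for line in text.split("\r\n")[1:]:      # first line is the greeting itself
        m = re.match(r"250[- ](\S+)", line)
        if m:
            options.add(m.group(1).upper())
    return options


def run_session(server, hooks, helo_name="mail.example.com", sender="foo@example.com"):
    """Walk the dialogue, consulting hooks[stage](ctx) before each step.
    A hook returning "deny" tears the session down and the stage name is
    returned; "delivered" means every hook accepted."""
    ctx = {"banner": None, "ehlo_options": set(), "tls": False, "dane_verified": False}

    def allowed(stage):
        return hooks.get(stage, lambda c: "accept")(ctx) == "accept"

    def stop(stage):                         # hook said deny: close politely
        server.send("QUIT")
        return stage

    if not allowed("connect"):               # smtp_continue_connect
        return "connect"
    server.send("<tcp connect>")
    ctx["banner"] = server.reply(server.banner)
    if not allowed("ehlo"):                  # smtp_continue_ehlo: banner seen
        return stop("ehlo")
    server.send(f"EHLO {helo_name}")
    ctx["ehlo_options"] = parse_ehlo(server.reply("\r\n".join(server.ehlo_lines)))
    if not allowed("mail"):                  # smtp_continue_mail: options known
        return stop("mail")
    if "STARTTLS" in ctx["ehlo_options"]:
        server.send("STARTTLS")
        server.reply("220 TLS GO AHEAD")
        ctx["tls"], ctx["dane_verified"] = True, server.dane_verified
        if not allowed("tls_handshake"):     # smtp_continue_tls_handshake
            return stop("tls_handshake")
        server.send(f"EHLO {helo_name}")
        ctx["ehlo_options"] = parse_ehlo(server.reply("\r\n".join(server.tls_ehlo_lines)))
        if not allowed("tls_ehlo"):          # smtp_continue_tls_ehlo
            return stop("tls_ehlo")
    server.send(f"MAIL FROM:<{sender}>")
    server.reply("250 OK")
    return "delivered"


# Hooks mirroring the post's configuration example (assumed semantics)
def banner_check(ctx):
    # deny condition = ${if matches{$remote_smtp_banner}{foobar}}
    return "deny" if re.search("foobar", ctx["banner"]) else "accept"


def tls_policy_check(ctx):
    # accept verify = dane, modelled as "continue only if DANE-verified"
    return "accept" if ctx["dane_verified"] else "deny"


def require_starttls(ctx):
    # the "expected options are missing" case for smtp_continue_mail
    return "accept" if "STARTTLS" in ctx["ehlo_options"] else "deny"


HOOKS = {"ehlo": banner_check, "mail": require_starttls, "tls_ehlo": tls_policy_check}

# Constructed peers for a demonstration run
PEERS = {
    "friendly": ScriptedServer("220 mx.example.net ESMTP ready",
                               ["250-mx.example.net", "250-STARTTLS", "250 HELP"],
                               dane_verified=True),
    "unfriendly": ScriptedServer("220 foobar ESMTP", ["250-foobar", "250 HELP"]),
    "plaintext": ScriptedServer("220 relay.example.org ESMTP",
                                ["250-relay.example.org", "250 HELP"]),
}

if __name__ == "__main__":
    for name, peer in PEERS.items():
        print(name, "->", run_session(peer, HOOKS))
        for who, text in peer.transcript:
            print("   ", who, text.replace("\r\n", " / "))
```

Each hook runs before the client sends the next command, so a deny from banner_check closes the session without an EHLO ever being sent, which is the behaviour the conference question asked for; the plaintext-only peer is dropped at the mail stage because STARTTLS is missing from its EHLO options, and a peer that offers STARTTLS but fails the DANE check is dropped after the post-TLS EHLO.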