[exim-dev] ACL for outgoing connections?

Author: Heiko Schlittermann
Date:
To: exim-dev
Follow-ups: Re: [exim-dev] ACL for outgoing connections?
Subject: [exim-dev] ACL for outgoing connections?
Hello,

I'm just attending the "Mailserver Conference" in Berlin (gave a talk
about Exim as an MTA-Framework ;)

One of the questions that I got: Can we somehow control how outgoing
connections continue in face of *any* condition?

Somehow it fits again into the gap with checks for an outgoing TLS
connection, but in a more general way. So, basically it's the
continuation of my messages from last week :)

(The actual question was: I'd like to tear down the outgoing connection
as soon as I'm faced with a specific (E)SMTP banner. -- Don't ask why.)

My short answer was: no, we can't.

The long answer could be - why not? Can't we have something like ACL for
outgoing connections? Assuming we are the client MTA, the following
flow could be possible:

    [ smtp_continue_connect = <acl> ]   # final measure to prevent connecting
    C ->    tcp connect
      <- S  250 ESMTP ready


    [ smtp_continue_ehlo = <acl> ]      # stop in face of bad unfriendly banner
    C ->    EHLO mail.example.com
      <- S  250-Nice to meet you, but we do not like
            250 you.


    [ smtp_continue_mail = <acl> ]      # stop if expected options are missing
    C ->    MAIL FROM:<foo@???>
    …
    C ->    STARTTLS
      <-    220 TLS GO AHEAD


    [ smtp_continue_tls_handshake = <acl> ]
      ~~~~ tls handshake
      <~ S  250 ESMTP ready


    [ smtp_continue_tls_ehlo = <acl> ]
    C ~>    EHLO mail.example.com



Configuration example:

    ----------------
    begin transports


        remote_smtp:
            driver = smtp
            smtp_continue_ehlo = banner_check
            smtp_continue_tls_ehlo = tls_policy_check
            …


    begin acl


    banner_check:
        deny  condition = ${if matches{$remote_smtp_banner}{foobar}}
        accept


    tls_policy_check:
        accept verify = dane


    ----------------



Thoughts anybody?

    Best regards from Dresden/Germany
    Kind regards from Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: 7CBF764A -
 gnupg fingerprint: 9288 F17D BBF9 9625 5ABC  285C 26A9 687E 7CBF 764A -
(gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2  7E92 EE4E AC98 48D0 359B)-
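A runnable model of the proposed hook points, added here as an illustration and not Exim code: the peer side of the dialogue is constructed data, and the two ACLs from the configuration example (banner_check, tls_policy_check) get to veto the session at the hook they are attached to. Only $remote_smtp_banner is taken from the post; the other context names (ehlo_extensions, tls_verify), the peer records and the placement of the TLS hooks between EHLO and MAIL (where STARTTLS happens in an ESMTP session) are assumptions.

```python
import re

def banner_check(ctx):
    """ACL 'banner_check' from the post: deny when the banner matches 'foobar'."""
    return re.search(r"foobar", ctx["remote_smtp_banner"]) is None

def tls_policy_check(ctx):
    """ACL 'tls_policy_check' from the post: accept only a DANE-verified peer."""
    return ctx.get("tls_verify") == "dane"

def run_session(peer, acls):
    """Walk the client side of one outgoing session against a constructed peer
    (no network is touched).  acls maps hook name -> callable(ctx) that returns
    True to continue or False to tear the connection down.  Returns the hook
    that vetoed the session, or None once the client reaches MAIL FROM."""
    ctx = {}
    def allowed(hook):
        acl = acls.get(hook)
        return acl is None or acl(ctx)          # unset hook = implicit accept
    if not allowed("smtp_continue_connect"):    # last chance before TCP connect
        return "smtp_continue_connect"
    ctx["remote_smtp_banner"] = peer["banner"]  # $remote_smtp_banner
    if not allowed("smtp_continue_ehlo"):       # banner seen, EHLO not yet sent
        return "smtp_continue_ehlo"
    ctx["ehlo_extensions"] = list(peer["ehlo"]) # assumed variable name
    if "STARTTLS" in ctx["ehlo_extensions"]:
        if not allowed("smtp_continue_tls_handshake"):  # before the handshake
            return "smtp_continue_tls_handshake"
        ctx["tls_verify"] = peer.get("tls_verify", "none")  # handshake outcome
        if not allowed("smtp_continue_tls_ehlo"):       # before EHLO over TLS
            return "smtp_continue_tls_ehlo"
    if not allowed("smtp_continue_mail"):       # before MAIL FROM
        return "smtp_continue_mail"
    return None

# Constructed peers for illustration; the 'rude' banner is the one the
# post's banner_check ACL rejects, 'nodane' fails the TLS policy.
PEERS = {
    "friendly": {"banner": "220 mx.example.net ESMTP ready",
                 "ehlo": ["SIZE", "STARTTLS"], "tls_verify": "dane"},
    "rude":     {"banner": "220 foobar ESMTP, we do not like you",
                 "ehlo": ["STARTTLS"], "tls_verify": "dane"},
    "nodane":   {"banner": "220 mx.example.org ESMTP",
                 "ehlo": ["STARTTLS"], "tls_verify": "ca"},
}

# The remote_smtp transport from the configuration example, as hook -> ACL.
REMOTE_SMTP_ACLS = {"smtp_continue_ehlo": banner_check,
                    "smtp_continue_tls_ehlo": tls_policy_check}
```

Calling `run_session(PEERS["rude"], REMOTE_SMTP_ACLS)` returns `"smtp_continue_ehlo"`, i.e. the session is dropped right after the banner, before any EHLO goes out.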