Re: [exim] exim still accepting email after 550 from acl_che…

Páxina inicial
Borrar esta mensaxe
Responder a esta mensaxe
Autor: Patrick von der Hagen
Data:  
Para: exim-users
Asunto: Re: [exim] exim still accepting email after 550 from acl_check_helo
On 12.01.2016 17:40, Viktor Dukhovni wrote:
> On Tue, Jan 12, 2016 at 04:27:25PM +0000, Drav Sloan wrote:
>
>>> OK, so this begs the question that if the RFC says a client MUST issue a
>>> HELO/EHLO before a mail transaction, then shouldn't Exim refuse to accept
>>> MAIL FROM until a HELO/EHLO has been received *and* accepted? (ie, doing a
>>> "deny" and issuing a 5xx response should leave Exim in its initial 'still
>>> looking for a HELO/EHLO or non-mail transaction command')
>>
>> I've always dealt with that situation in the rcpt acl:
>>
>>   # some spammers can't be bothered saying HELO
>>   deny condition = ${if eq{$sender_helo_name}{}{yes}{no}}
>>        !hosts = +relay_from_hosts
>>        message = RFCs mandate HELO/EHLO before mail can be sent

>
> If Exim returns a 5XX banner or a 5XX response to HELO/EHLO, then
> it should continue to return unconditional 5XX responses to all
> other commands (up to a configurable limit, at which point it can
> hang up). The remote SMTP client should have disconnected immediately
> after the 5XX banner or 5XX HELO/EHLO response, if it fails to do
> so, it should not IMHO be up to each administrator to have to
> implement logic to refuse service to the misbehaved client.

Exim's flexibility is great, so I understand if people are reluctant
about changing the behavior (though "no" means "no"....).

Reading the documentation (not the source), there is no indication that
a deny in acl_smtp_helo doesn't work the way people might expect. So I
guess the documentation should include a warning and an example like

acl_check_helo:
  deny
    condition   = ${if isip{$sender_helo_name}}
    set acl_m_invalidhelo = 1
    message     = Access denied - Invalid HELO name (See RFC2821 4.1.3)
  deny
    condition = ${if match{$sender_helo_name}{$primary_hostname}}
    log_message = HELO is MY primary hostname
    set acl_m_invalidhelo = 1



and checking scl_m_inalidhelo in acl_smtp_rcpt to get a real deny....

(of course the checks could just be moved to acl_smtp_rcpt instead).


--
Karlsruher Institut für Technologie (KIT)
Steinbuch Centre for Computing (SCC)

Patrick von der Hagen

Zirkel 2, Gebäude 20.21, Raum 004.2
76131 Karlsruhe
Telefon: +49 721 608-46433
E-Mail: hagen@???
Web: http://www.scc.kit.edu

KIT - Universität des Landes Baden-Württemberg und
nationales Forschungszentrum in der Helmholtz-Gemeinschaft