Re: [exim] Reject servers that use my ip address as EHLO

Author: Patrick von der Hagen
Date:  
To: exim-users
Subject: Re: [exim] Reject servers that use my ip address as EHLO
Hi Udera,

I believe some configuration like
  deny
    condition   = ${if isip{$sender_helo_name}}
    !hosts = PROBLEMFAELLE_HELO
    message     = Access denied - Invalid HELO name (See RFC2821 4.1.3)
  # Neither an address literal nor something containing dots
  deny
    !hosts = PROBLEMFAELLE_HELO
    condition   = ${if match{$sender_helo_name}{\N^\[\N}{no}{yes}}
    condition   = ${if match{$sender_helo_name}{\N\.\N}{no}{yes}}
    message     = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)


  warn
    condition   = ${if match{$sender_helo_name}{\N\.$\N}}
    log_message = HELO ending with dot
    set acl_c_greylisting = 1
  warn
    condition   = ${if match{$sender_helo_name}{\N\.\.\N}}
    log_message = HELO contains two subsequent dots.
    set acl_c_greylisting = 1


  warn
    condition = ${if match{$sender_helo_name}{$primary_hostname}}
    log_message = HELO is MY primary hostname
    set acl_c_greylisting = 1



is quite common.

But keep in mind: if you simply deny in HELO, exim will simply signal a deny
to the client, but if the client simply ignores your response and starts
sending a message anyway, it will be accepted by exim.

There was a discussion in January about that issue, have a look at the
discussion in the archive ("exim still accepting email after 550 from
acl_check_helo").

On 20.04.2016 09:47, Udera Udera wrote:
> Dear list,
>
> I tried to implement a ACL-helo-check from the exim-wiki on github:
> https://github.com/Exim/exim/wiki/AclHeloTricks#helo-is-faked-interface-address
>
> drop    message     = Bad helo name
>         condition   = ${if  \
>                          and{    \
>                              {isip {$sender_helo_name}}  \
>                              {match_ip{$sender_helo_name}{@[]}}  \
>                          }{yes}{no}  \
>                      }
>
> But it doesn't work. Just suppose my server ip is 10.0.0.1.
>
> I want to reject servers that use my ip address as their EHLO, that would
> be:
> EHLO [10.0.0.1]
>
> Unfortunately, that does not work because
>
> isip {$sender_helo_name}
>
>
> isn't true. If the plain ip address is used, this would work but plain ip
> addresses are not allowed (and already covered by:
> https://github.com/Exim/exim/wiki/AclHeloTricks#helo-is-an-ip-address).
>
> I tried to get rid of the brackets but I didn't get the syntax right and
> I'm not sure if this is the way to go:
> drop condition = ${if
> match{${substr{1}{${length{$sender_helo_name}-2}}{$sender_helo_name}}}{@
> []}{yes}{no}}
>
> I hope someone can help me out here.
>
> Thanks a lot,
> Udera
>


--
Karlsruher Institut für Technologie (KIT)
Steinbuch Centre for Computing (SCC)

Patrick von der Hagen

Zirkel 2, Gebäude 20.21, Raum 004.2
76131 Karlsruhe
Phone: +49 721 608-46433
E-Mail: hagen@???
Web: http://www.scc.kit.edu

KIT – The Research University in the Helmholtz Association
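
Added example, not part of the original message and not Exim code: a Python model of the HELO checks discussed in this thread, including the step the question asks for (taking the address out of a literal such as [10.0.0.1] before comparing it with the server's own IP). LOCAL_IPS, PRIMARY_HOSTNAME and both function names are assumptions made for the illustration; the PROBLEMFAELLE_HELO host exceptions are not modelled.

```python
import ipaddress

# Constructed sample values (assumptions): this server's addresses and hostname.
LOCAL_IPS = {ipaddress.ip_address("10.0.0.1")}
PRIMARY_HOSTNAME = "mail.example.org"

def helo_literal_ip(helo):
    """Return the IP inside an address literal such as [10.0.0.1] or
    [IPv6:2001:db8::1]; return None if helo is not a well-formed literal."""
    if not (helo.startswith("[") and helo.endswith("]")):
        return None
    inner, want = helo[1:-1], 4
    if inner[:5].lower() == "ipv6:":
        inner, want = inner[5:], 6
    try:
        ip = ipaddress.ip_address(inner)
    except ValueError:
        return None
    # An IPv4 address behind the IPv6: tag (or the reverse) is not a valid literal.
    return ip if ip.version == want else None

def classify_helo(helo):
    """Return (action, reason) following the order of the rules in the thread."""
    try:
        ipaddress.ip_address(helo)
        return ("deny", "bare IP address")
    except ValueError:
        pass
    # A bare-IP test never matches "[10.0.0.1]": strip the brackets first.
    ip = helo_literal_ip(helo)
    if ip is not None and ip in LOCAL_IPS:
        return ("deny", "address literal is our own IP")
    if not helo.startswith("[") and "." not in helo:
        return ("deny", "neither an address literal nor dotted")
    if helo.endswith(".") or ".." in helo:
        return ("greylist", "trailing or doubled dot")
    if PRIMARY_HOSTNAME in helo.lower():
        return ("greylist", "our primary hostname")
    return ("accept", "ok")

if __name__ == "__main__":
    # Constructed HELO arguments covering each rule.
    for name in ["[10.0.0.1]", "10.0.0.1", "[192.0.2.7]", "localhost",
                 "mx.example.net.", "mail.example.org", "mx.example.net"]:
        print(f"{name:20} -> {classify_helo(name)}")
```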