Re: [exim] allowing bogus sender_helo_name if authenticated.

Author: Mike Brudenell
Date:  
To: Exim Users
Subject: Re: [exim] allowing bogus sender_helo_name if authenticated.
Hi, Gary -

You might want to check that this *deny* in your acl_check_helo really is
currently operating as you hope. Marius Stan asked a question here back in
January after finding that issuing a *deny* in that ACL didn't prevent the
client from then sending an email. See this thread in the archives:

https://lists.exim.org/lurker/message/20160112.075958.9fce4713.en.html


If memory serves, the RFC says clients *should* issue a HELO/EHLO before
any SMTP commands and *must* issue one before starting a mail transaction
(e.g., using "MAIL FROM").

However, in practice Marius found that if Exim issued a 5xx rejection to the
HELO/EHLO the client could, if it wished, continue with a MAIL FROM.

I confirmed this, and furthermore found that Exim was happy to start a mail
transaction with MAIL FROM without a HELO/EHLO being issued at all! :-(

Drav Sloan later posted a nice little ACL entry to be used in
acl_check_rcpt to enforce RFC compliance by rejecting recipients if no
HELO/EHLO had been received. (I think this could in fact probably be put
into acl_check_mail to refuse the MAIL FROM rather than the RCPT TO.)

https://lists.exim.org/lurker/message/20160112.162725.27061e53.en.html


Going back to your question, you're not constrained to only checking the
*$sender_helo_name* within the acl_check_helo ACL; you could put this or a
similar test within acl_check_mail or acl_check_rcpt; you could then
position it after the user authenticates.

Cheers,
Mike B-)

On 7 July 2016 at 10:40, Gary Stainburn <gary.stainburn@???> wrote:

> I have the following check in acl_check_helo
>
>   deny   hosts = !+relay_from_hosts
>          message = Your server with the IP $sender_host_address is with \
>                  help name ($sender_helo_name) configured incorrectly. \
>                 Email has been blocked. (HELO Error)
>          condition = ${if match{$sender_helo_name}{\\.}{no}{yes}}
>
> This rejects emails if the hello name isn't a FQDN. It is one of the most
> successful checks as it stops a lot of SPAM pretty much as soon as the
> connection is made.
>
> However, I have a number of remote users who use (unfortunately) Windows
> and Office. These laptops use the computer's name as the helo name, e.g.
> LSALES7, which is not valid.
>
> I've had to add additional conditions, one for each laptop to allow them to
> work.
>
> condition = ${if match{$sender_helo_name}{LSALES7}{no}{yes}}
>
> As I was adding another one today I was wondering if there is a better way.
> Every one of these users authenticates before they are allowed to send
> emails. I was wondering how I could use this information to come up with a
> better solution.
>
> The problem is of course that this check is done before the user
> authenticates.
>
> Does anyone have any ideas?
>

--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
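
The suggestion in the message above (run the $sender_helo_name test at MAIL FROM time, after authentication, and refuse a transaction that has no HELO/EHLO) could look like the following Exim configuration. This is an added example, not configuration posted by anyone in the thread and not Drav Sloan's ACL entry. It assumes that acl_smtp_mail is not already in use at the site, that the relay_from_hosts host list from the quoted configuration exists, and that the FQDN check is removed from acl_check_helo so authenticated laptops are not rejected there first; the message texts are illustrative.

```exim
# --- main configuration section ---
# Run the ACL below for every MAIL FROM command.
acl_smtp_mail = acl_check_mail

# --- ACL section (after the existing "begin acl" line) ---
acl_check_mail:

  # No HELO/EHLO was received: $sender_helo_name is empty.
  # Refuse to start a mail transaction in that case.
  deny    condition = ${if eq{$sender_helo_name}{}}
          message   = HELO/EHLO is required before MAIL FROM

  # Clients that completed SMTP AUTH skip the HELO name test, so
  # laptops announcing a bare computer name such as LSALES7 need no
  # per-machine exception.
  accept  authenticated = *

  # Hosts allowed to relay were already exempt in the original check.
  accept  hosts = +relay_from_hosts

  # Everyone else must have announced a name containing a dot.
  # \N ... \N stops Exim expanding the backslash in the regex.
  deny    condition = ${if !match{$sender_helo_name}{\N\.\N}}
          message   = Your server with the IP $sender_host_address has a \
                      HELO name ($sender_helo_name) that is not a FQDN. \
                      Email has been blocked. (HELO Error)

  # An ACL that runs off the end denies, so accept explicitly.
  accept
```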