Hi, Gary -

You might want to check that this *deny* in your acl_check_helo really is
currently operating as you hope. Marius Stan asked a question here back in
January after finding that issuing a *deny* in that ACL didn't prevent the
client from then sending an email. See this thread in the archives:

https://lists.exim.org/lurker/message/20160112.075958.9fce4713.en.html

If memory serves, the RFC says clients *should* issue a HELO/EHLO before
any SMTP commands and *must* issue one before starting a mail transaction
(eg, using "MAIL FROM").

However in practice Marius found that if Exim issued a 5xx rejection to the
HELO/EHLO the client could, if it wished, continue with a MAIL FROM.

I confirmed this, and furthermore found that Exim was happy to start a mail
transaction with MAIL FROM without a HELO/EHLO being issued at all! :-(

Drav Sloan later posted a nice little ACL entry to be used in
acl_check_rcpt to enforce RFC compliance by rejecting recipients if no
HELO/EHLO had been received. (I think this could in fact probably be put
into acl_check_mail to refuse the MAIL FROM rather than the RCPT TO.)

https://lists.exim.org/lurker/message/20160112.162725.27061e53.en.html

Going back to your question, you're not constrained to only checking the
*$sender_helo_name* within the acl_check_helo ACL; you could put this or a
similar test within acl_check_mail or acl_check_rcpt; you could then
position it after the user authenticates.

Cheers,
Mike B-)

On 7 July 2016 at 10:40, Gary Stainburn <gary.stainburn@???> wrote:

> I have the following check in acl_check_helo
>
> deny hosts = !+relay_from_hosts
>      message = Your server with the IP $sender_host_address is with\
>                help name ($sender_helo_name) configured incorrectly. \
>                Email has been blocked. (HELO Error)
>      condition = ${if match{$sender_helo_name}{\\.}{no}{yes}}
>
> This rejects emails if the hello name isn't a FQDN. It is one of the most
> successful checks as it stops a lot of SPAM pretty much as soon as the
> connection is made.
>
> However, I have a number of remote users who use (unfortunately) Windows
> and Office. These laptops use the computer's name as the helo name, e.g.
> LSALES7, which is not valid.
>
> I've had to add additional conditions, one for each laptop to allow them to
> work.
>
> condition = ${if match{$sender_helo_name}{LSALES7}{no}{yes}}
>
> As I was adding another one today I was wondering if there is a better way.
> Every one of these users authenticates before they are allowed to send
> emails. I was wondering how I could use this information to come up with a
> better solution.
>
> The problem is of course that this check is done before the user
> authenticates.
>
> Does anyone have any ideas?
>
--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811
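
Added example, not part of the original messages and not Drav Sloan's ACL entry: one way to lay out acl_check_mail so that MAIL is refused when no HELO/EHLO name is on record, and so that the FQDN test from the quoted acl_check_helo only runs for clients that have not authenticated. It assumes `acl_smtp_mail = acl_check_mail` is set in the main section, that the `relay_from_hosts` hostlist from the quoted configuration exists, and that `$sender_helo_name` is unset when no HELO/EHLO has been accepted; the message texts are constructed.

```exim
# Constructed example for the ACL section of an Exim configuration.
# Assumption: acl_smtp_mail = acl_check_mail is set in the main section.

acl_check_mail:

  # Refuse to start a mail transaction when no HELO/EHLO name is on record
  # (assumption: $sender_helo_name is unset in that case).
  deny
    condition = ${if !def:sender_helo_name}
    message   = HELO/EHLO is required before MAIL FROM

  # AUTH comes before MAIL, so authentication state is known here.
  # Authenticated laptops (HELO name such as LSALES7) skip the FQDN test,
  # which removes the need for one exception per machine.
  accept
    authenticated = *

  # The FQDN test from acl_check_helo, now applied only to unauthenticated
  # clients outside relay_from_hosts: reject HELO names without a dot.
  deny
    !hosts    = +relay_from_hosts
    condition = ${if match{$sender_helo_name}{\\.}{no}{yes}}
    message   = HELO name ($sender_helo_name) is not fully qualified. \
                Email has been blocked. (HELO Error)

  accept
```

With this in place the matching deny in acl_check_helo has to be removed, since it would otherwise still reject the laptops' HELO before they authenticate.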