Re: [exim] ACL to early reject connections from hosts which …

Author: Sebastian Arcus
Date:
To: exim-users
Subject: Re: [exim] ACL to early reject connections from hosts which keep on retrying after a permanent reject
On 25/01/18 09:20, Jeremy Harris wrote:
> On 25/01/18 05:56, Sebastian Arcus via Exim-users wrote:
>> I can see in the ratelimit db quite a few hosts
>> which have reached the 5/24h limit. But strangely in the Exim log I
>> can't see the appropriate reject messages - although I can see reject
>> messages for various other ACLs I've set up. Searching by the offending
>> IP addresses in the logs, I can see them retrying over and over again -
>> and yet my initial connect ACL never seems to kick in and deny the
>> connection. I can't really think of a reason for this.
>
> Test with -bh and -d
>


I tried running a connection test on one of the IP addresses which show
as having reached 5.0 in the ratelimit database, and I get:

ratelimit computed rate 4.6

I suppose this is because some time has passed since their last
connection - and I think that's why it doesn't work as expected. I think
I need to have the first ACL - on connect, which is read-only in my case
- check for 5, but the others check for a higher number. It seems that
the ratelimit in other ACLs increases the counter to 5, but then, by the
time the client connects again, the counter in the db is just below 5
(for example 4.9) - the ratelimit condition in the connect ACL is never
true - but at the same time, the later ACLs, which are supposed to
increase the counter, don't do it any more, as it would take it past
5.0. I will try something like below, to see if it works:

acl_check_connect:

drop  message   = Temporary ban - too many retries
       ratelimit = 5 / 24h / per_conn / readonly



acl_check_helo:

deny  message    = "Bad HELO (impersonates our host)"
       condition  = ${if match{$sender_helo_name}{$primary_hostname}}
       !ratelimit = 10 / 24h / per_conn / leaky


acl_check_rcpt:

deny  message    = Relay is not permitted
       !domains   = +local_domains : +relay_to_domains
       !ratelimit = 10 / 24h / per_conn / leaky
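
A small model of the behaviour described in the message above, added here as an example and not part of the original post or of Exim's code. It assumes the ratelimit value is an exponentially weighted moving average over the 24h period, that readonly compares the decayed stored rate, and that leaky stops writing once the new rate reaches its limit; the function names and retry timings are constructed for illustration.

```python
import math

PERIOD = 24 * 3600.0  # the 24h smoothing period used in the ACLs above, in seconds

def decayed(rate, interval, period=PERIOD):
    """Rate a readonly lookup sees `interval` seconds after the last stored update."""
    return rate * math.exp(-interval / period)

def updated(rate, interval, period=PERIOD, count=1.0):
    """Moving-average update for one event `interval` seconds after the last update."""
    x = max(interval, 1e-9) / period
    a = math.exp(-x)
    return max((1 - a) * count / x + a * rate, count)

def simulate(n_conns, gap, connect_limit, later_limit):
    """Replay n_conns connections, `gap` seconds apart, from one host that trips a
    later ACL every time. Returns (connections dropped at connect, stored rate)."""
    rate, stamp, dropped = None, 0.0, 0
    for n in range(n_conns):
        now = n * gap
        # Connect ACL (readonly): true once the decayed rate reaches the limit.
        if rate is not None and decayed(rate, now - stamp) >= connect_limit:
            dropped += 1
            continue  # dropped here, so the later ACLs never run
        # Later ACL (leaky): the new rate is written only while below its limit.
        new = 1.0 if rate is None else updated(rate, now - stamp)
        if new < later_limit:
            rate, stamp = new, now
    return dropped, rate

if __name__ == "__main__":
    # Constructed input: 200 retries, one every 10 minutes.
    print("5 / 5 :", simulate(200, 600, 5, 5))
    print("5 / 10:", simulate(200, 600, 5, 10))
    # Constructed interval: a stored 5.0 read two hours later.
    print("5.0 after 2h:", round(decayed(5.0, 2 * 3600), 1))
```

In this model, with both limits at 5 the stored rate can never reach 5, so the connect check never fires; with the later limit at 10 most of the retries are dropped at connect.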