Re: [exim] ACL to early reject connections from hosts which …

Author: Mike Brudenell
To: Exim Users
Subject: Re: [exim] ACL to early reject connections from hosts which keep on retrying after a permanent reject
Hi, Sebastian -

You might want to try the *strict* ratelimit option instead of *leaky*…

When I was setting something up here I seem to remember that using leaky
ended up with the ratelimit value capping out at around its limit, meaning
my defence measure never kicked in. Changing to strict meant the actual
rate was recorded so clients that were hammering us were now detected and
appropriate measures taken.

(There's an explanation in the *Specification*
<https://www.exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html#ratoptfast>
about leaky *v* strict, but I confess I don't find it terribly clear.)

Cheers,
Mike B-)

On 25 January 2018 at 10:24, Sebastian Arcus via Exim-users <
exim-users@???> wrote:

> On 25/01/18 09:20, Jeremy Harris wrote:
>
>> On 25/01/18 05:56, Sebastian Arcus via Exim-users wrote:
>>
>>> I can see in the ratelimit db quite a few hosts
>>> which have reached the 5/24h limit. But strangely in the Exim log I
>>> can't see the appropriate reject messages - although I can see reject
>>> messages for various other ACLs I've set up. Searching by the offending
>>> IP addresses in the logs, I can see them retrying over and over again -
>>> and yet my initial connect ACL never seems to kick in and deny the
>>> connection. I can't really think of a reason for this.
>>>
>>
>> Test with -bh and -d
>>
>>
> I tried running a connection test on one of the IP addresses which show as
> having reached 5.0 in the ratelimit database, and I get:
>
> ratelimit computed rate 4.6
>
> I suppose this is because some time has passed since their last connection
> - and I think that's why it doesn't work as expected. I think I need to
> have the first ACL - on connect, which is read-only in my case - check for
> 5, but the others, check for a higher number. It seems that the ratelimit
> in other ACLs increases the counter to 5, but then, by the time the client
> connects again, the counter in the db is just below 5 (for example 4.9) -
> the ratelimit condition in the connect ACL is never true - but at the same
> time, the later ACLs which are supposed to increase the counter, don't do
> it any more, as it would take it past 5.0. I will try something like below,
> to see if it works:
>
> acl_check_connect:
>
> drop  message   = Temporary ban - too many retries
>       ratelimit = 5 / 24h / per_conn / readonly
>
>
> acl_check_helo:
>
> deny  message    = "Bad HELO (impersonates our host)"
>       condition  = ${if match{$sender_helo_name}{$primary_hostname}}
>       !ratelimit = 10 / 24h / per_conn / leaky
>
> acl_check_rcpt:
>
> deny  message    = Relay is not permitted
>       !domains   = +local_domains : +relay_to_domains
>       !ratelimit = 10 / 24h / per_conn / leaky
>
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>

--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm