Author: Sebastian Arcus
Date:
To: exim-users
Subject: Re: [exim] ACL to early reject connections from hosts which keep on retrying after a permanent reject
On 25/01/18 10:24, Sebastian Arcus via Exim-users wrote:
> On 25/01/18 09:20, Jeremy Harris wrote:
>> On 25/01/18 05:56, Sebastian Arcus via Exim-users wrote:
>>> I can see in the ratelimit db quite a few hosts
>>> which have reached the 5/24h limit. But strangely in the Exim log I
>>> can't see the appropriate reject messages - although I can see reject
>>> messages for various other ACLs I've set up. Searching by the offending
>>> IP addresses in the logs, I can see them retrying over and over again -
>>> and yet my initial connect ACL never seems to kick in and deny the
>>> connection. I can't really think of a reason for this.
>>
>> Test with -bh and -d
>>
>
> I tried running a connection test on one of the IP addresses which show
> as having reached 5.0 in the ratelimit database, and I get:
>
> ratelimit computed rate 4.6
>
> I suppose this is because some time has passed since their last
> connection - and I think that's why it doesn't work as expected. I think
> I need to have the first ACL - on connect, which is read-only in my case
> - check for 5, but the others, check for a higher number. It seems that
> the ratelimit in other ACLs increase the counter to 5, but then, by the
> time the client connects again, the counter in the db is just below 5
> (for example 4.9) - the ratelimit condition in the connect ACL is never
> true - but at the same time, the later ACLs which are supposed to
> increase the counter, don't do it any more, as it would take it past
> 5.0. I will try something like below, to see if it works:
>
> acl_check_connect:
>
>   drop message = Temporary ban - too many retries
>        ratelimit = 5 / 24h / per_conn / readonly
>
> acl_check_helo:
>
>   deny message = "Bad HELO (impersonates our host)"
>        condition = ${if match{$sender_helo_name}{$primary_hostname}}
>        !ratelimit = 10 / 24h / per_conn / leaky
>
> acl_check_rcpt:
>
>   deny message = Relay is not permitted
>        !domains = +local_domains : +relay_to_domains
>        !ratelimit = 10 / 24h / per_conn / leaky
In case it helps anybody - I can confirm that the code above works and
the naughty hosts are being blocked at connection time now. As explained
in my other post, I prefer to use 'leaky' for the ACLs which increase
the counter - but with a higher limit than the ACL which does the
rejection. This is so that the counters don't increase out of control,
in case of misconfiguration (such as commenting out by accident the ACL
which does the blocking, for example).
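To make the interplay of the three ratelimit modes concrete, the following is a small Python model added here; it is not part of the original post and does not reproduce Exim's own acl.c code. It assumes the exponentially weighted moving average the Exim spec describes for ratelimit (rate = (1 - a) * (period / i) + a * old_rate, with a = exp(-i / period) and i the interval since the last event), that a never-seen client starts at one event per period, and that "at the limit" counts as over. The client key, the hourly retry cadence and the in-memory database are constructed for the example. With a readonly check at 5 in the connect ACL and leaky updates at 10 in the later ACLs, an hourly retrier is dropped once its rate passes 5; with the connect check removed (the misconfiguration the post mentions), the leaky update never stores a rate of 10 or more, whereas strict keeps climbing towards the client's true rate of 24 per day.

```python
import math

PERIOD = 24 * 3600.0   # the "24h" in "ratelimit = 5 / 24h / ...", in seconds
KEY = "192.0.2.10"     # constructed client key (documentation-range address)


class RatelimitDB:
    """Constructed in-memory stand-in for Exim's ratelimit hints database.

    Each client key maps to (recorded_rate, timestamp_of_last_update).
    The rate is in events per PERIOD, as in Exim's ratelimit condition.
    """

    def __init__(self):
        self.records = {}
        self.peak_written = 0.0   # highest rate ever stored, for inspection

    def check(self, key, limit, now, mode):
        """Model one evaluation of `ratelimit = <limit> / 24h / per_conn / <mode>`.

        Returns (over_limit, computed_rate). Assumption: the rate is an
        exponentially weighted moving average of the instantaneous rate
        PERIOD / i, i being the interval since the previous event; Exim's
        acl.c arithmetic may differ in detail.
        """
        if mode not in ("readonly", "leaky", "strict"):
            raise ValueError(f"unknown ratelimit mode {mode!r}")
        rec = self.records.get(key)
        if rec is None:
            # Modelling assumption: a never-seen client starts at 1 event/period.
            rate = 1.0
        else:
            old_rate, last = rec
            i = max(now - last, 1.0)          # avoid division by zero on bursts
            a = math.exp(-i / PERIOD)         # smoothing factor for this interval
            rate = (1.0 - a) * (PERIOD / i) + a * old_rate
        over = rate >= limit                  # sending at the limit counts as over
        # readonly never writes; leaky writes only while under the limit;
        # strict always writes, so repeated over-limit attempts keep pushing it up.
        if mode == "strict" or (mode == "leaky" and not over):
            self.records[key] = (rate, now)
            self.peak_written = max(self.peak_written, rate)
        return over, rate


def simulate(interval, n_events, connect_limit=None, update_limit=None,
             update_mode="leaky"):
    """Run one client that connects every `interval` seconds, n_events times.

    connect_limit: limit of the readonly check in acl_check_connect
                   (None = that ACL is absent, i.e. commented out by accident).
    update_limit:  limit of the leaky/strict condition in the later ACLs.
    Returns (indices of connections dropped at connect time, peak stored rate).
    """
    db = RatelimitDB()
    dropped = []
    for n in range(n_events):
        now = n * interval
        if connect_limit is not None:
            over, _ = db.check(KEY, connect_limit, now, "readonly")
            if over:
                dropped.append(n)
                continue                      # dropped: the later ACLs never run
        if update_limit is not None:
            db.check(KEY, update_limit, now, update_mode)
    return dropped, db.peak_written


if __name__ == "__main__":
    hourly = 3600
    dropped, peak = simulate(hourly, 24, connect_limit=5, update_limit=10)
    print("check 5/readonly + update 10/leaky: dropped at", dropped,
          "peak stored %.2f" % peak)
    for mode in ("leaky", "strict"):
        _, peak = simulate(hourly, 24, update_limit=10, update_mode=mode)
        print("no connect check, update 10/%s: peak stored %.2f" % (mode, peak))
```

Run as a script it prints the three scenarios; the connect check fires on the sixth hourly connection, and only the strict run stores a rate above 10. The model also shows why the two limits have to differ: the readonly check can only ever see what the updating ACLs were willing to write, so giving the updaters a higher ceiling than the blocker keeps the stored counter bounded without starving the blocker of data.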