Re: [exim] Weirdness when forcing TLS and checking that its …

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Mike Brudenell
Date:  
À: exim users
Sujet: Re: [exim] Weirdness when forcing TLS and checking that its working in ACLs
Hi, Mike -

If you look up the description of the *logwrite* modifier in Exim's
documentation, you'll see that it says (emphasis mine):

This modifier writes a message to a log file as soon *as it is encountered*
when processing an ACL. (Compare log_message, which, except in the case of
warn and discard, is used only if the ACL statement denies access.)


That is, as soon as logwrite is reached then it performs its action and
writes out its text.

In this case you've placed the logwrite line before your *! encrypted* line,
so the logwrite is encountered first and therefore actioned (before the
encrypted test). It's therefore incorrectly logging there's a problem
with the encryption when, as you note, there isn't and so the deny
statement doesn't trigger and the message is accepted.

Try swapping the two lines, or switch to using *log_message* instead, which
doesn't do anything immediately but instead sets up a message that's used
if the ACL denies access (or a *warn* statement's conditions are true). But
do read the description of both logwrite and log_message, as there are a
few other differences: particularly in the area of logging multiple copies
of some text whilst receiving a single email.

Cheers,
Mike B-)

On Thu, 13 Feb 2020 at 14:01, Mike Tubby via Exim-users <exim-users@???>
wrote:

> All,
>
> Some government departments that we work with asked us to increase email
> security via "forced TLS" for which I developed a solution for:
>
>      a) our public email relay servers (with upstream/downstream and
> local/remote hosts - 4 legs) - this is moderately complex but all worked
> first time

>
>      b) our private email server/endpoint (with Exim+Dovecot and just in
> and out) - should have been simpler but was weird

>
> and on this journey I observed some strange behaviour.
>
> Running Exim 4.93.04 compiled on AMD64 (Dell R320) with Devuan 3.0 Beowulf.
>
>
> On our internal server I added the following at the top of the
> acl_check_mail:
>
> acl_check_mail:
>
>          #
>          # refuse all connections that are not TLS
>          #
>          deny    message = Connection not secure. You must use STARTTLS
> to send to this server!
>                  logwrite = MAIL: Denied host
> $sender_host_address:$sender_host_port not using TLS secure connection!
>                  ! encrypted = *

>
>
> and it produced the following result:
>
> 2020-02-13 09:36:51 CONNECT: New connection from 195.171.43.2 port:
> 63615 -> 195.171.43.20 port: 587
> 2020-02-13 09:36:51 CONNECT: Accept connection from host: 195.171.43.2
> in whitelist +relay_from_hosts
> 2020-02-13 09:36:51 HELO: Could not verify HELO/EHLO: [192.168.1.107]
> from remote host: 195.171.43.2 (gate.thorcom.com)
> 2020-02-13 09:36:51 HELO: Accepted HELO/EHLO [192.168.1.107] from remote
> host: 195.171.43.2 (gate.thorcom.com)
> 2020-02-13 09:36:51 CRYPTO: Client 195.171.43.2 port: 63615 issued STARTTLS
> 2020-02-13 09:36:51 HELO: Client 195.171.43.2:63615 using SSL/TLS
> cipher: TLS1.3:TLS_AES_256_GCM_SHA384:256
> 2020-02-13 09:36:51 HELO: Could not verify HELO/EHLO: [192.168.1.107]
> from remote host: 195.171.43.2 (gate.thorcom.com)
> 2020-02-13 09:36:51 HELO: Accepted HELO/EHLO [192.168.1.107] from remote
> host: 195.171.43.2 (gate.thorcom.com)
> 2020-02-13 09:36:51 MAIL: Denied host 195.171.43.2:63615 not using TLS
> secure connection!
> 2020-02-13 09:36:51 MAIL: Accept from gate.thorcom.com ([192.168.1.107])
> [195.171.43.2] as in +relay_from_hosts
> 2020-02-13 09:36:51 RCPT: Accept non-local domain for outbound delivery
>
>
> Which confused me for two reasons:
>
>      1. It says 'deny' when the connection is, infact, secure - you can
> see the TLS
>      2. It says 'deny' and then carries on to the next rule and accepts
> the MAIL command

>
> Changing the acl to read:
>
> acl_check_mail:
>
>          #
>          # report/check/deny TLS as approriate
>          #
>          warn    condition = ${if def:tls_in_cipher {1}{0}}
>                  logwrite = MAIL: Client
> $sender_host_address:$sender_host_port using SSL/TLS cipher: $tls_in_cipher

>
>          deny    condition = ${if def:tls_in_cipher {0}{1}}
>                  message = Connection not secure. You must use STARTTLS
> to send mail to this server.
>                  logwrite = MAIL: Client
> $sender_host_address:$sender_host_port NOT using TLS connection

>
>
> gives consistent results as expected and either logs the cipher in use
> or denies the connection.
>
> What did I miss?
>
>
> Mike
>
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>



--
*My normal working days are Tuesdays, Wednesdays and Thursdays.*

Systems Administrator working in Teaching & Learning
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm