[exim-dev] Will you accept a new acl_smtp_auth_unadvertised …

Pàgina inicial
Delete this message
Reply to this message
Autor: u34
Data:  
A: exim-dev
Assumpte: [exim-dev] Will you accept a new acl_smtp_auth_unadvertised ?
Consider

  do {
      S: 220 exim at your service
      C: ehlo harassing.client
      S: 250-whatever
         250 will not advertise auth
      C: auth
      S: 503 AUTH command used when not advertised
      C: quit
      S: 221 exim closing connection
  } (forever)


Am I right that the best way exim offers to deal with harassing.client
is by external means, such as FAIL2BAN?

I think that a better solution is with ratelimiting harassing.client.
Because most of the infrastructure is here. At exim. For example,

--- smtp_in.c    2020-05-30 20:35:38.000000000 +0000
+++ smtp_in.c.mod    2020-09-15 15:12:38.223868353 +0000
@@ -4041,16 +4041,21 @@


     case AUTH_CMD:
       HAD(SCH_AUTH);
       authentication_failed = TRUE;
       cmd_list[CMD_LIST_AUTH].is_mail_cmd = FALSE;


       if (!fl.auth_advertised && !f.allow_auth_unadvertised)
     {
+    if (  acl_smtp_auth_unadvertised
+       && ((rc = acl_check(ACL_WHERE_QUIT, NULL, acl_smtp_auth_unadvertised, NULL,
+                &log_msg)) == ERROR))
+        log_write(0, LOG_MAIN|LOG_PANIC, "ACL for unadvertised AUTH returned ERROR: %s",
+        log_msg);
     done = synprot_error(L_smtp_protocol_error, 503, NULL,
       US"AUTH command used when not advertised");
     break;
     }
       if (sender_host_authenticated)
     {
     done = synprot_error(L_smtp_protocol_error, 503, NULL,
       US"already authenticated");


acl_smtp_auth_unadvertised is expected to be limited in capabilities.
Conceptually, similar to the limited acl_smtp_quit. I still have to try
to code it.
In general, will you incoporate something like that in the code?