Gitweb:
https://git.exim.org/exim.git/commitdiff/7411ebe05198d5365557b6c982b76ceb9e843894
Commit: 7411ebe05198d5365557b6c982b76ceb9e843894
Parent: 25cd313cfb1f29f179319daf81de63e989d442a7
Author: Phil Pennock <phil+git@???>
AuthorDate: Thu Oct 29 22:14:45 2020 -0400
Committer: Heiko Schlittermann (HS12-RIPE) <hs@???>
CommitDate: Thu May 27 21:30:20 2021 +0200
Default config: reject on too many bad RCPT
An example exploit failed against my system, because I had this sanity guard in
place; it's not a real security fix since a careful attacker could find enough
valid recipients to hit that problem, but it highlights that this is a useful
enough pattern that we should encourage its wider use.
(cherry picked from commit 2a636a39fff29b7c3da1798767a510dfed982a62)
(cherry picked from commit 346f96bad326893f9c1fa772a5b8ac35b1f8f7bd)
---
doc/doc-txt/ChangeLog | 2 ++
src/src/configure.default | 14 ++++++++++++++
2 files changed, 16 insertions(+)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index c219275..d741e35 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -256,6 +256,8 @@ HS/01 Enforce absolute PID file path name.
HS/02 Handle SIGINT as we handle SIGTERM: terminate the Exim process.
+PP/01 Add a too-many-bad-recipients guard to the default config's RCPT ACL.
+
Exim version 4.94
-----------------
diff --git a/src/src/configure.default b/src/src/configure.default
index 6127a9b..87f255a 100644
--- a/src/src/configure.default
+++ b/src/src/configure.default
@@ -458,6 +458,20 @@ acl_check_rcpt:
require verify = sender
+ # Reject all RCPT commands after too many bad recipients
+ # This is partly a defense against spam abuse and partly attacker abuse.
+ # Real senders should manage, by the time they get to 10 RCPT directives,
+ # to have had at least half of them be real addresses.
+ #
+ # This is a lightweight check and can protect you against repeated
+ # invocations of more heavy-weight checks which would come after it.
+
+ deny condition = ${if and {\
+ {>{$rcpt_count}{10}}\
+ {<{$recipients_count}{${eval:$rcpt_count/2}}} }}
+ message = Rejected for too many bad recipients
+ logwrite = REJECT [$sender_host_address]: bad recipient count high [${eval:$rcpt_count-$recipients_count}]
+
# Accept if the message comes from one of the hosts for which we are an
# outgoing relay. It is assumed that such hosts are most likely to be MUAs,
# so we set control=submission to make Exim treat the message as a
