On 10/06/2021 13:52, Cyborg via Exim-users wrote:
> After reading the paper a bit closer, rejecting the entire connection when a HTTP headerline is detected,
> seems to be only valid option here, as long as ALPN isn't implemented widely.
Do we need ACL-level visibilty of a synprot-rejected line?
> Heikos suggestion to set smtp_max_synprot_errors = 0 is the workaround to go atm.
But, ALPN implemented by what protocols?
If the common attack method uses HTTPS to attack an SMTP server, and the clients
for the former do ALPN, we could usefully update Exim to refuse TLS connections
offering any ALPN
(or, perhaps, any but "ESMTP" - though that really ought to be registered at
https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
)
Doing that doesn't need any action or development on the part of other MTAs.
I'll admit it only helps for dumb attackers who use a ready-made webclient.
The next level would be something like
- server option hosts_require_alpn
- client options hosts_offer_alpn, hosts_require_alpn
And logging.
--
Cheers,
Jeremy
