Author: Slavko
Date:
To: exim-users
Subject: Re: [exim] drop connection on auth failure
On 17 July 2022 11:16:22 UTC, Jeremy Harris via Exim-users <exim-users@???> wrote:
>>Beside the auth failed event, i miss acl and error related events, eg,
>>acl:reject, acl:drop, acl:etc, or even more detailed, eg. acl:reject:stage
>>(with log_message in event_data variable), Ideally with connection/TLS
>>error events, eg. conn:nomail, conn:syntaxerr, etc, again with particular
>>error in event_data.
>I'm less sure about some of your other suggestions - for example on acl reject?
>You're already in an acl; why use an event to get into another?
Consider that when you want to do something (eg. log out of exim) on
any reject (drop, etc), you have to add a rule to every particular ACL, which
is prone to error (eg. forgetting to add it). Having a common action in one
place is exactly what events are for (if I properly understand it).

Thus adding these events can be considered an extension of the ${acl...}
expansion and/or acl condition idea, which are intended to prevent
repeating of ACL rules (or to structure the config into subroutines).

I have no idea how it will (can) affect performance. But IMO at least
defers/rejects/drops can be useful, eg. at some attacks, which can
be simply propagated outside of exim, to act on it.

The (incoming) TLS(465)/SMTP errors do not all go through an ACL, thus
one has no other option to get/count them than to parse the log file, which
(as stated in docs) is not intended for machine processing. There are already
similar events for outgoing connections (eg. TLS errors), but they are missing
for the incoming side.

Some time ago I started to use redis's streams, from which one can relatively
simply get items for a particular timespan and do something on it, but I
cannot get all failures into it...

Consider eg. the now relatively common errors -- the "AUTH used when not
advertised" or HTTP (and other) connection attempts on port 25... The
incoming TLS errors are relatively common on port 465 (MSA), where I
have strict TLS settings, and old bots or scanners are knocking...

AFAIK the eximstats script doesn't count these TLS/SMTP errors as
connection rejections either, but IMO they do not differ from drops in
result...
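
An added example, not part of the original post and not Exim code: the log-parsing workaround the message describes, counting the failure classes it names (AUTH when not advertised, non-SMTP input on port 25, incoming TLS errors) per client IP inside a time window. The sample lines are constructed, and the patterns assume Exim's default main-log timestamp and message wording; `count_failures` and the class names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines modelled on Exim main-log output (not taken from the post).
SAMPLE_LOG = """\
2022-07-17 11:10:01 SMTP protocol error in "AUTH LOGIN" H=(scanner) [192.0.2.10] AUTH command used when not advertised
2022-07-17 11:12:40 TLS error on connection from [198.51.100.7] (SSL_accept): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
2022-07-17 11:13:05 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[203.0.113.5] input="GET / HTTP/1.1\\r\\n"
2022-07-17 11:14:30 TLS error on connection from [198.51.100.7] (SSL_accept): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
2022-07-17 09:00:00 TLS error on connection from [198.51.100.7] (SSL_accept): timed out
2022-07-17 11:15:00 1oD1ab-0001Xy-2Z <= alice@example.org H=mx.example.org [192.0.2.99] P=esmtps S=1234
"""

# Failure classes that never reach an ACL; message wording is an assumption.
CLASSES = [
    ("auth_not_advertised", re.compile(r"AUTH command used when not advertised")),
    ("sync_error", re.compile(r"SMTP protocol synchronization error")),
    ("tls_error", re.compile(r"TLS error on connection from")),
]
STAMP = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ")
ADDR = re.compile(r"\[([0-9A-Fa-f:.]+)\]")  # first bracketed IPv4/IPv6 address


def count_failures(log_text, now, window=timedelta(minutes=15)):
    """Count (class, client IP) pairs for failure lines in the window ending at `now`."""
    counts = Counter()
    for line in log_text.splitlines():
        m = STAMP.match(line)
        if not m:
            continue  # continuation lines or non-default timestamp formats
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if not (now - window <= when <= now):
            continue
        for name, pattern in CLASSES:
            if pattern.search(line):
                ip = ADDR.search(line)
                counts[(name, ip.group(1) if ip else "unknown")] += 1
                break
    return counts


if __name__ == "__main__":
    for key, n in count_failures(SAMPLE_LOG, datetime(2022, 7, 17, 11, 16, 22)).items():
        print(key, n)
```

The resulting counter can be pushed to whatever store acts on it (a Redis stream, a firewall set); lines in a non-default timestamp format are skipped rather than guessed at.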