Re: [exim] Blocking a Class C

Author: Slavko
Date:  
To: exim-users
Subject: Re: [exim] Blocking a Class C
On 11 December 2022 at 17:15:10 UTC, Jeremy Harris via Exim-users <exim-users@???> wrote:

>> I am using the SNI variable in the connect ACL to filter rogue
>> connections, e.g. with my MX name or no SNI at all (465).
>
>Doing that never would have worked for non-TLS-on-connect,
>and now it won't work ever. Your 465 operations will need
>rethinking in this respect.


I am aware of that and I was talking about 465 connections,
of course. (BTW, I haven't exposed the 587 MSA port to the public at all
for multiple years.)

>> Also, you previously mentioned using an invalid certificate for a wrong
>> SNI name to get TLS to fail (or so). It is not clear to me if you mean
>> a certificate with an invalid name or a file which is not a certificate (e.g.
>> /dev/null).
>
>The latter. Logged error messages become a little abstruse, but
>it does what's needed (the TLS startup fails).


Thanks, I will play with this and return to it (if needed) in the future.

>>      LOG: ... temporarily rejected EHLO or HELO ...:
>>          cannot test encrypted condition in EHLO or HELO ACL
>
>Ah, ok. There has always been a specific lockout against trying
>to use that ACL condition in that circumstance, because it makes no
>sense for STARTTLS. And TLS-on-connect wasn't thought of.


In the case of STARTTLS, it makes no sense to me in the connect ACL,
but there it works. In the helo ACL it makes sense to me, e.g. to skip
checks for the second EHLO (after STARTTLS), especially with the
same HELO (EHLO) name as before. What am I missing here?

>Sorry to have misled you.


No problem, at least I tested that it still works as I described ;-)

regards


--
Slavko
https://www.slavino.sk/
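The "file which is not a certificate" approach discussed above, written out as an added Exim configuration fragment. This is an illustration added to the page, not configuration posted by either participant; the hostname mx.example.org, the paths under /etc/exim/tls/ and the choice of 465 as the TLS-on-connect port are assumptions. It relies on Exim re-expanding tls_certificate and tls_privatekey once SNI is received when those options reference $tls_in_sni, and on $received_port being available in that expansion.

```exim
# Added example (not from the thread): TLS-on-connect on 465 only gets a
# usable server certificate when the client's SNI matches the MX name.
# Any other SNI on 465 points the TLS library at /dev/null, which is not a
# certificate, so the TLS startup fails and the session never reaches the
# SMTP banner. Hostname, paths and port are assumptions for illustration.

tls_on_connect_ports = 465

# Exim re-expands these options after the ClientHello when they mention
# $tls_in_sni. An empty $tls_in_sni is deliberately treated as "allowed"
# here, because the first expansion happens before any SNI has been seen
# and must still yield a loadable certificate; a no-SNI client on 465
# therefore still completes the handshake and has to be handled elsewhere
# (e.g. in the ACLs), not by this mechanism.
tls_certificate = ${if or { {eq {$tls_in_sni}{}} \
                            {eq {$tls_in_sni}{mx.example.org}} \
                            {!eq {$received_port}{465}} } \
                      {/etc/exim/tls/mx.example.org.crt} \
                      {/dev/null}}

tls_privatekey  = ${if or { {eq {$tls_in_sni}{}} \
                            {eq {$tls_in_sni}{mx.example.org}} \
                            {!eq {$received_port}{465}} } \
                      {/etc/exim/tls/mx.example.org.key} \
                      {/dev/null}}
```

The port test keeps STARTTLS ports (25, and 587 if exposed) unaffected, so a legitimate peer that sends an unexpected or absent SNI on 25 still gets opportunistic TLS. As Jeremy notes, the resulting log lines for the failed handshake are not self-explanatory, so it is worth capturing one deliberately (e.g. `openssl s_client -connect mx.example.org:465 -servername wrong.example`) and noting what it looks like before relying on the logs for monitoring.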