#1 Member

    Exim ACL Queries

    Hi.

    Would it be OK to have checks included in the conf file for the following scenarios (which are not there by default)?

    1. Reject RCPT from remote hosts which use an IP address in HELO/EHLO. Example:

    2004-09-22 08:03:17 H=(XXX.XXX.XXX.XXX) [202.62.95.35] F=<3h@3jc3kd1lf0lf.ic> rejected RCPT <user@domainonmyserver.com>: remote host used IP HELO/EHLO greeting.

    XXX.XXX.XXX.XXX is, 99% of the time, one of our IP addresses: the server IP for name-based hosting accounts, or the IP address of domainonmyserver.com when it has a dedicated IP.

    2. Reject RCPT from remote hosts which use our local domains in HELO/EHLO. Example:

    2004-09-22 08:03:17 H=(domainonmyserver.com) [202.62.95.35] F=<3h@3jc3kd1lf0lf.ic> rejected RCPT <user@domainonmyserver.com>: remote host used our name in HELO/EHLO greeting.

    3. Reject RCPT from hosts which send F=<> mail addressed to multiple users, as bounce mails are normally sent to one user at a time?

    TIA
    Anup
    Last edited by anup123; 09-21-2004 at 11:09 PM.

#2 Super Moderator (chirpy)

    If by OK you mean whether it would likely cause valid email to be blocked, then here's my reading of the RFCs (821, 2821):
    The domain name given in the EHLO command MUST BE either a primary host name (a domain name that resolves to an A RR) or, if the host has no name, an address literal
    A domain literal is expressed as [ddd.ddd.ddd.ddd]

    So, the remote server should identify itself either by its own hostname or by its domain literal if it has no DNS entry for its hostname.

    This would suggest that blocking email using your server's domain name or IP address in the EHLO/HELO command would be a valid thing to do, since it is clearly breaking the RFC.

    However, what if it is your own SMTP server connecting to itself through port 25 sending email? That is, scripts using the SMTP protocol to send out email, rather than using /usr/sbin/sendmail. Then you're stuffed. If you don't have or want any scripts doing this, it might be OK, but there's the warning on doing that.

    I don't understand your third question. Can you explain it in SMTP terms?
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

#3 Member

    Hi,

    Regarding the cases:

    The additions (which you could correct if they are wrong):

    deny    message     = Message was delivered by ratware
            log_message = remote host used IP address in HELO/EHLO greeting
            condition   = ${if isip {$sender_helo_name}{true}{false}}
            delay       = 20s

    deny    message     = Message was delivered by ratware
            log_message = remote host did not present HELO/EHLO greeting.
            condition   = ${if def:sender_helo_name {false}{true}}

    # Likewise if the peer greets with one of our own names
    deny    message     = Message was delivered by ratware As Headers Are Forged.
            log_message = remote host used our name in HELO/EHLO greeting.
            condition   = ${if match_domain{$sender_helo_name}\
                            {$primary_hostname:+local_domains:+relay_domains}\
                            {true}{false}}
            delay       = 20s

    For the third case:

    # $recipients_count on its own is true for any non-zero count, so compare
    # it against 1 explicitly; the count is only final in the DATA ACL.
    drop    message     = Legitimate bounces are never sent to more than one \
                          recipient.
            senders     = : postmaster@*
            condition   = ${if >{$recipients_count}{1}{true}{false}}

    For the domain literal, as I said, in 99% of the cases it's our IPs. However, what should the change be so that if they present their own IP, it is not rejected?

    Log entry for the third case:

    2004-09-22 14:12:20 1CA2ch-0006v2-Bp H=(mail3.affordablehosting.com) [216.131.95.48] F=<> rejected after DATA: Legitimate bounces are never sent to more than one recipient.
    Thanks
    Anup

#4 Member

    Quote Originally Posted by chirpy
    However, what if it is your own SMTP server connecting to itself through port 25 sending email? That is, scripts using the SMTP protocol to send out email, rather than using /usr/sbin/sendmail. Then you're stuffed. If you don't have or want any scripts doing this, it might be OK, but there's the warning on doing that.
    I have tested this (i.e. a proprietary webmail script) using localhost SMTP and there are no problems with that, so this issue is taken care of. This script is something like what you offer, and in fact it wouldn't work with the sendmail wrapper ... good for me ... as that enabled me to use virus scanning for attachments.

    Thanks
    Anup

#5 Super Moderator (chirpy)

    I'm glad it's working. Do the domain literals work correctly, since they are presented as [ddd.ddd.ddd.ddd] rather than without the []s?

    I guess I'd be a little wary of that. Then again, since a lot of MTAs these days (notably sendmail) bounce emails that don't have a reverse lookup on the IP address (I notice that this isn't something often mentioned in anti-spam measures for exim), it may be a moot point.

    I would also caution that on very busy email servers the 20s wait could pop you over smtp_accept_max with waiting children (which I found to my cost when looking into the dictionary attack ACL).

#6 Member

    Quote Originally Posted by chirpy
    I'm glad it's working. Do the domain literals work correctly, since they are presented as [ddd.ddd.ddd.ddd] rather than without the []s?

    I guess I'd be a little wary of that. Then again, since a lot of MTAs these days (notably sendmail) bounce emails that don't have a reverse lookup on the IP address (I notice that this isn't something often mentioned in anti-spam measures for exim), it may be a moot point.

    I would also caution that on very busy email servers the 20s wait could pop you over smtp_accept_max with waiting children (which I found to my cost when looking into the dictionary attack ACL).
    On the delay ... yes, I am thinking of removing that, as it serves the purpose without it as well.
    As for the other ACLs, are they OK to work with?

    On the domain literal front, this is how the logs show it:
    2004-09-23 07:42:00 H=(xx.xx.xxx.xxx) [218.247.166.82] .....
    Where, as usual, our IP (xx.xx.xxx.xxx) is part of the HELO/EHLO, though [] is correctly presented, I hope.

    Even when our IP is not used, it looks like this:
    2004-09-23 07:57:14 H=(211.230.19.227) [211.230.19.227] F=<jklgkj.@dgfhf.jh>

    Which is OK for rejection?

    Thanks for your time

    Anup
    Last edited by anup123; 09-22-2004 at 10:29 PM.

#7 Super Moderator (chirpy)

    Looks good - it helps that exim reports the IP address as the hostname when domain literals are used, and so the match works. Let us know if you run into any problems with the ACLs.

#8 Member

    Thanks.
    I have removed the delay=xx from all of them.

    If an IP is being reported, like in the second case of the previous post, is it fine to reject or not? If not, then how do I get rejection to work only when our IPs are being used and accept the rest? Just trying to reduce the dependence on RBLs (though it has hardly made any difference in the total count of dubious mails).

    Thanks
    Anup

#9 Super Moderator (chirpy)

    I would look at using conditional statements comparing the IP address to the ones configured for the server. How you do this will be interesting. Worst case, you could simply have a condition per line for each IP address hard-coded in. An alternative would be to call a Perl script which checks /etc/ips.

#10 Member

    Would the following work:

    # Forged HELO (our ip/hostname)

    deny    condition   = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}
            message     = Forged HELO: you are not $sender_helo_name
            log_message = Forged HELO: is our interface address

    deny    condition   = ${if match_domain{$sender_helo_name}{+local_domains}{yes}{no}}
            message     = Forged HELO: you are not $sender_helo_name
            log_message = Forged HELO: $sender_helo_name is one of our local domains

    Anup
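
The HELO rules from posts #3 and #10, the /etc/ips idea from post #9, and the bounce rule from post #3, written out as a stand-alone Python helper so each decision can be checked on sample input. This is an added example, not Exim's or the poster's code; it assumes /etc/ips holds one address per line (anything after the first ':' is ignored) and takes the primary interface address as a separate parameter.

```python
# Added example, not Exim's or the poster's code: the thread's HELO rules and the
# bounce rule as plain Python, so each decision can be checked on sample input.
# Assumptions: /etc/ips is read as one address per line with anything after the
# first ':' ignored, and the primary interface address is passed in separately.
import ipaddress

# Constructed sample of /etc/ips content using documentation addresses.
SAMPLE_ETC_IPS = "192.0.2.10:255.255.255.0:192.0.2.255\n192.0.2.11:255.255.255.0:192.0.2.255\n"

def load_server_ips(etc_ips_text, interface_address):
    """Addresses the server answers on: /etc/ips entries plus the connecting interface."""
    ips = {interface_address}
    for line in etc_ips_text.splitlines():
        addr = line.split(":", 1)[0].strip()
        if addr:
            ips.add(addr)
    return ips

def _as_ip(helo):
    """Return the address if helo is a bare IP or a [bracketed] RFC 2821 literal, else None."""
    text = helo[1:-1] if helo.startswith("[") and helo.endswith("]") else helo
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None

def check_helo(helo, server_ips, local_domains):
    """Map a HELO/EHLO name to (verdict, log_message) in the order the thread's ACLs run."""
    if not helo:
        return ("deny", "remote host did not present HELO/EHLO greeting")
    ip = _as_ip(helo)
    if ip in server_ips:  # bare or bracketed, it claims to be one of our addresses
        return ("deny", "Forged HELO: is our interface address")
    if ip is not None and not helo.startswith("["):
        # A bare address breaks RFC 2821 (a literal must be [ddd.ddd.ddd.ddd]);
        # this is what the thread's 'isip' rule rejects.
        return ("deny", "remote host used IP address in HELO/EHLO greeting")
    # Exact match only; Exim's match_domain would also honour wildcard entries.
    if helo.lower().rstrip(".") in {d.lower() for d in local_domains}:
        return ("deny", "remote host used our name in HELO/EHLO greeting")
    return ("accept", "")

def check_bounce(sender, recipients_count):
    """Third case: a null-sender or postmaster@ bounce to more than one recipient is dropped."""
    is_bounce = sender == "" or sender.lower().startswith("postmaster@")
    if is_bounce and recipients_count > 1:
        return ("drop", "Legitimate bounces are never sent to more than one recipient")
    return ("accept", "")
```

Feeding the HELO names from the thread's own log lines through check_helo reproduces the verdicts reported there: a foreign bare IP is rejected for the RFC reason, while the same IP in brackets passes on to the later ACLs.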

#11 Super Moderator (chirpy)

    Without research I couldn't say for sure. I'd suggest running them on a test environment if possible and test each rule and the situations it will encounter to be sure. Sorry that I can't be more help in that.

#12 Member

    At least per the following logs it does well to differentiate between the local IPs and the remote ones:

    2004-09-23 19:44:40 H=(200.233.69.160) [200.233.69.160] F=<g8eqhwss0@qcg.com> rejected RCPT <mjennings@domainonmyserver.com>: Message rejected because (200.233.69.160) [200.233.69.160] is blacklisted at sbl-xbl.spamhaus.org see http://www.spamhaus.org/query/bl?ip=200.233.69.160

    So this passed through the HELO ACL to the next one, where it got trapped by the RBLs ...

    With local IPs the log shows:

    2004-09-23 20:25:56 H=(xx.xx.xxx.xxx) [61.73.36.189] F=<asf@oiwyiwe.fqefw.weqe> rejected RCPT <dschaenzer@domainonmyserver.com>: Forged HELO: is our interface address

    So it does differentiate between what's in /etc/ips and what's not... so far at least...

    Anup

#13 Member

    pacbell and RBLs

    Someone mentioned to me that pacbell.net subscribers are given Yahoo SMTP accounts for mail relaying. Is this a fact globally? If yes, then perhaps the following ACL (with pacbell.net whitelisted) would escape the RBL check and yet keep spam from them to a low level:

    # $sender_host_name is only set when the reverse lookup succeeded; the dots in
    # the pattern are escaped and the match anchored so that only yahoo.com and
    # its subdomains pass, not e.g. notyahoo.com.
    deny    message     = Faked pacbell.net address. Transmission Denied.
            senders     = *@pacbell.net
            condition   = ${if match {$sender_host_name}{\N(^|\.)yahoo\.com$\N}{no}{yes}}
            log_message = Fake Pacbell


    However, to make it meaningful, I would need as much information on this as is available regarding the pacbell.net + Yahoo combination.

    TIA
    Anup
