The Community Forums

Interact with an entire community of cPanel & WHM users!

Exim ACL Queries

Discussion in 'General Discussion' started by anup123, Sep 21, 2004.

  1. anup123

    anup123 Well-Known Member

    Joined:
    Mar 29, 2004
    Messages:
    897
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    This Planet
    Hi.

    Would it be OK to have checks included in the conf file for the following scenarios (which by default are not there):

    1. Reject RCPT from remote hosts which use an IP address in HELO/EHLO :: example:

    2004-09-22 08:03:17 H=(XXX.XXX.XXX.XXX) [202.62.95.35] F=<3h@3jc3kd1lf0lf.ic> rejected RCPT <user@domainonmyserver.com>: remote host used IP HELO/EHLO greeting.

    XXX.XXX.XXX.XXX is, 99% of the time, one of our own IP addresses: the shared server IP for name-based hosting accounts, or the dedicated IP of domainonmyserver.com.

    2. Reject RCPT from remote hosts which use our local domains in HELO/EHLO :: example:

    2004-09-22 08:03:17 H=(domainonmyserver.com) [202.62.95.35] F=<3h@3jc3kd1lf0lf.ic> rejected RCPT <user@domainonmyserver.com>: remote host used our name in HELO/EHLO greeting.

    3. Reject RCPT from hosts which send with F=<> addressed to multiple users, as bounce mails are normally sent to one user at a time?

    TIA
    Anup
     
    #1 anup123, Sep 21, 2004
    Last edited: Sep 21, 2004
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    If by OK you mean whether it would likely cause valid email to be blocked, then here's my reading of the RFCs (821, 2821):
    A domain literal is expressed as [ddd.ddd.ddd.ddd]

    So, the remote server should identify itself either by its own hostname or by its domain literal if it has no DNS entry for its hostname.

    This would suggest that blocking email using your server's domain name or IP address in the EHLO/HELO command would be a valid thing to do, since it is clearly breaking the RFC.

    However, what if it is your own SMTP server connecting to itself through port 25 sending email? That is, scripts using the SMTP protocol to send out email, rather than using /usr/sbin/sendmail. Then you're stuffed. If you don't have or want any scripts doing this, it might be OK, but there's the warning on doing that.

    I don't understand your third question. Can you explain it in SMTP terms?
     
  3. anup123

    Hi,

    Regarding the cases:

    The additions (which you could correct if they are wrong):

    deny
      message = Message was delivered by ratware
      log_message = remote host used IP address in HELO/EHLO greeting
      condition = ${if isip {$sender_helo_name}{true}{false}}
      delay = 20s

    # $sender_helo_name is empty when the client sent no HELO/EHLO at all
    deny
      message = Message was delivered by ratware
      log_message = remote host did not present HELO/EHLO greeting.
      condition = ${if def:sender_helo_name {false}{true}}

    # Likewise if the peer greets with one of our own names
    deny
      message = Message was delivered by ratware As Headers Are Forged.
      log_message = remote host used our name in HELO/EHLO greeting.
      condition = ${if match_domain{$sender_helo_name}\
                  {$primary_hostname:+local_domains:+relay_domains}\
                  {true}{false}}
      delay = 20s

    For the third case:

    # Belongs in the DATA ACL: $recipients_count is only complete once all
    # RCPT commands have been seen. The test must be "more than one recipient";
    # a bare $recipients_count is true for any non-zero count and would drop
    # every single-recipient bounce as well.
    drop
      message = Legitimate bounces are never sent to more than one \
                recipient.
      senders = : postmaster@*
      condition = ${if >{$recipients_count}{1}{yes}{no}}

    For the domain literal, as I said, in 99% of the cases it's our IPs. However, what should the change be so that if they present their own IP, the same is not rejected?

    Log entry for Third case:

    2004-09-22 14:12:20 1CA2ch-0006v2-Bp H=(mail3.affordablehosting.com) [216.131.95.48] F=<> rejected after DATA: Legitimate bounces are never sent to more than one recipient.
    Thanks
    Anup
     
  4. anup123

    I have tested this (i.e. a proprietary webmail script) using localhost SMTP and there are no problems w.r.t. that. So this issue is taken care of. This script is something like what you offer :) and in fact it wouldn't work with the sendmail wrapper ... good for me ... as that enabled me to use the virus scanning for attachments. :)

    Thanks
    Anup
     
  5. chirpy

    I'm glad it's working. Do the domain literals work correctly, since they are presented as [ddd.ddd.ddd.ddd] rather than without the []s?

    I guess I'd be a little wary of that. Then again, since a lot of MTAs these days (notably sendmail) bounce emails that don't have a reverse lookup on the IP address (I notice that this isn't something often mentioned in anti-spam measures for exim), it may be a moot point.

    I would also caution that on very busy email servers the 20s wait could pop you over smtp_accept_max with waiting children (which I found to my cost when looking into the dictionary attack ACL).
     
  6. anup123

    On the delay ... yes, I am thinking of removing that ... as it serves the purpose without it as well.
    As for the other ACLs, are they OK to work with?

    On the domain literal front, this is how the logs show it:
    2004-09-23 07:42:00 H=(xx.xx.xxx.xxx) [218.247.166.82] .....
    Where, as usual, our IP (xx.xx.xxx.xxx) is part of the HELO/EHLO, though [] is correctly presented, I hope.

    Even when our IP is not used, it looks like this:
    2004-09-23 07:57:14 H=(211.230.19.227) [211.230.19.227] F=<jklgkj.@dgfhf.jh>

    Which is OK for rejection?

    Thanks for your time

    Anup
     
    #6 anup123, Sep 22, 2004
    Last edited: Sep 22, 2004
  7. chirpy

    Looks good - it helps that exim reports the IP address as the hostname when domain literals are used, and so the match works. Let us know if you run into any problems with the ACLs.
     
  8. anup123

    Thanks.
    I have removed delay=xx from all of them.

    If an IP is being reported, like in the second case of the previous post, is it fine to reject or not? If not, then how do I get the rejection to work only when our IPs are being used and accept the rest... Just trying to reduce the dependence on RBLs (though it has hardly made any difference in the total count of dubious mails).

    Thanks
    Anup
     
  9. chirpy

    I would look at using conditional statements comparing the IP address to the ones configured for the server. How you do this will be interesting. Worst case, you could simply have a condition per line for each IP address hard-coded in. An alternative would be to call a perl script which checks /etc/ips.
     
  10. anup123

    Would the following work:

    # Forged HELO (our ip/hostname)

    # $interface_address is the local IP this particular connection arrived on,
    # so a HELO naming one of our *other* IPs is not caught by this rule alone
    deny
      condition = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}
      message = Forged HELO: you are not $sender_helo_name
      log_message = Forged HELO: is our interface address

    # +local_domains is the domain list defined in the main configuration
    deny
      condition = ${if match_domain{$sender_helo_name}{+local_domains}{yes}{no}}
      message = Forged HELO: you are not $sender_helo_name
      log_message = Forged HELO: $sender_helo_name is one of our local domains

    Anup
     
  11. chirpy

    Without research I couldn't say for sure. I'd suggest running them in a test environment if possible and testing each rule and the situations it will encounter, to be sure. Sorry that I can't be more help with that.
     
  12. anup123

    At least per the following logs it does well to differentiate between the local IPs and the remote ones:

    2004-09-23 19:44:40 H=(200.233.69.160) [200.233.69.160] F=<g8eqhwss0@qcg.com> rejected RCPT <mjennings@domainonmyserver.com>: Message rejected because (200.233.69.160) [200.233.69.160] is blacklisted at sbl-xbl.spamhaus.org see http://www.spamhaus.org/query/bl?ip=200.233.69.160

    So this passed through the HELO ACL to the next one, where it got trapped by the RBLs ...

    With local IPs the log shows:

    2004-09-23 20:25:56 H=(xx.xx.xxx.xxx) [61.73.36.189] F=<asf@oiwyiwe.fqefw.weqe> rejected RCPT <dschaenzer@domainonmyserver.com>: Forged HELO: is our interface address

    So it does differentiate between what's in /etc/ips and what's not... so far at least...

    Anup
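    As an added illustration (not code from the thread or from cPanel), the following Python mirrors the HELO rules from posts #3 and #10 and the null-sender rule from post #3 as a classifier over the reject-log lines quoted in this thread, with the split post #8 asks for: a HELO naming one of our own addresses (a constructed stand-in for /etc/ips, which post #9 suggests checking) is rejected, while a peer greeting with its own address is let through. OUR_IPS, LOCAL_DOMAINS and PRIMARY_HOSTNAME are constructed assumptions, and the "own IP literal" refinement is mine, not the thread's.

```python
import ipaddress
import re

# Constructed stand-ins for the server's address list (cPanel's /etc/ips)
# and Exim's local_domains / primary_hostname; not values from the thread.
OUR_IPS = {"203.0.113.10", "203.0.113.11"}
LOCAL_DOMAINS = {"domainonmyserver.com", "mail.example-host.net"}
PRIMARY_HOSTNAME = "mail.example-host.net"

# The reject-log fields quoted in the thread: H=(helo) [peer-ip] F=<sender>
LOG_RE = re.compile(r"H=\((?P<helo>[^)]*)\) \[(?P<peer>[^\]]+)\] F=<(?P<sender>[^>]*)>")


def is_ip(text):
    """True if text is a bare IPv4/IPv6 address (what Exim's isip tests)."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def helo_verdict(helo, peer_ip):
    """Apply the HELO rules from posts #3 and #10, split into the cases post #8
    asks about. Domain literals may arrive as [a.b.c.d]; strip the brackets."""
    name = helo.strip("[]").lower()
    if not name:
        return "deny: no HELO/EHLO presented"
    if name in OUR_IPS:
        return "deny: HELO is one of our IP addresses"
    if name == PRIMARY_HOSTNAME or name in LOCAL_DOMAINS:
        return "deny: HELO is one of our local domains"
    if is_ip(name):
        # Refinement not in the thread: a literal naming the peer's own address
        # is RFC-permitted (chirpy's reading); any other IP literal is forged.
        return "accept: peer's own IP literal" if name == peer_ip else "deny: IP literal is not the peer"
    return "accept"


def bounce_verdict(sender, recipient_count):
    """Post #3's bounce rule: a null sender (F=<>) to more than one recipient."""
    if sender == "" and recipient_count > 1:
        return "drop: null sender to multiple recipients"
    return "accept"


def classify_log_line(line, recipient_count=1):
    """Parse one reject-log line and return (helo verdict, bounce verdict)."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return helo_verdict(m["helo"], m["peer"]), bounce_verdict(m["sender"], recipient_count)
```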
     
  13. anup123

    pacbell and RBLs

    Someone mentioned to me that pacbell.net subscribers are given yahoo SMTP accounts for mail relaying. Is this a fact globally? If yes, then perhaps the following ACL (with pacbell.net whitelisted) would escape the RBL check and yet keep spam from them to a low level:

    deny
      message = Faked pacbell.net address. Transmission Denied.
      senders = *@pacbell.net
      # $sender_host_name is only set when a reverse lookup was done (host_lookup);
      # if it is empty the match fails and the rule denies. The regex is anchored
      # so that only yahoo.com itself or a subdomain of it matches.
      condition = ${if match{$sender_host_name}{\N(^|\.)yahoo\.com$\N}{no}{yes}}
      log_message = Fake Pacbell


    However, to make it meaningful, I would need as much information on this as is available w.r.t. the pacbell.net + yahoo combination.

    TIA
    Anup
     