Helpful Exim ACLs -- Add Your Own

mctDarren (Well-Known Member, joined Jan 6, 2004, New Jersey; cPanel Access Level: Root Administrator)
Using accept authenticated = *, all my clients can't receive any email.
Ouch, well then that's not going to work. Sorry about that! Still learning the ins and outs of these ACLs. :) Looks like I'll have to whip out the Exim book and do some more reading for this one... In the meantime, I would comment out the offending script.
 

mctDarren (Well-Known Member, joined Jan 6, 2004, New Jersey; cPanel Access Level: Root Administrator)
Well, I'm wondering if the domain check is even viable at this point. It seems to catch localhost (Mailman), it catches those who use their domain on their office network (I had one of these as well isputra - but I informed them and they changed to use their ISP hostname). I think I may scrap that section in my configuration for now.

Ideas I had were an SPF check - accept if spf matches, a whitelist containing accepted hostnames or trying some sort of dns lookup. But they are either not viable or defeat the purpose of quickly dismissing a bad HELO.

Thoughts, ideas anyone? Thanks!
 

Imai (Well-Known Member, joined Aug 11, 2003)
I do not have an idea.
I just want to say it's very nice of you to initiate such a noble idea.
I hope the advanced users can contribute.
Happy new year
Binto
 

lloyd_tennison (Well-Known Member, joined Mar 12, 2004)
http://www.rvskin.com/index.php?page=public/antispam#4.3 seems to have almost all the same items you have here and the authenticated works.



Code:
## Added from http://www.rvskin.com/index.php?page=public/antispam#4.3
#
# Be polite and say HELO. Reject anything from hosts that haven't given
# a valid HELO/EHLO to us.
##
deny message = Bad HELO: Empty HELO, please see RFC 2821 section 4.1.1.1
        condition = ${if eq{$sender_helo_name}{}{yes}{no}}

##
#  Forged hostname - HELOs as one of my own IPs
##
# Forged HELO (our ip/hostname)
# @[] is Exim's built-in list of this host's own interface addresses;
# +rv_relay_hosts is a host list that the rvskin configuration defines
# elsewhere and must exist in your own config. Neither of these, nor an
# authenticated client, is subjected to the forged-HELO checks.
deny message = Forged HELO: you are not $sender_helo_name as that is our IP Address and you are not allowed to use it in HELO/EHLO as per RFC Standards.
        !hosts = @[]
        !hosts = +rv_relay_hosts
        !authenticated = *
        condition = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}

##
# Forged hostname - HELOs as my own hostname or domain
##
# accept helo which is in local_domain if we relay or had smtp auth
deny message = Forged HELO: you are not $sender_helo_name our local domain and you are not allowed to use as per RFC Standards.
        !hosts = @[]
        !hosts = +rv_relay_hosts
        !authenticated = *
        condition = ${if match_domain{$sender_helo_name}{+local_domains}{yes}{no}}

##
# Hacked HELO (DOMAIN.com) (constructed by viruses)
##
# Both conditions must hold: an all-uppercase/digit first label followed by a
# lowercase TLD, but NOT a purely numeric first label (second test is inverted).
deny message = Hacked HELO: you are not $sender_helo_name
        condition = ${if match {$sender_helo_name}{\N^[A-Z0-9]+\.[a-z]+$\N}{yes}{no}}
        condition = ${if match {$sender_helo_name}{\N^[0-9]+\.[a-z]+$\N}{no}{yes}}
        !hosts = @[]
        !hosts = +rv_relay_hosts
        !authenticated = *
 

isputra (Well-Known Member, joined May 3, 2003, Mbelitar)
Hi,

What is this for :

!hosts = @[]
!hosts = +rv_relay_hosts

Thanks
 

lloyd_tennison (Well-Known Member, joined Mar 12, 2004)
Look back at the original link on their site. They use several of those values in the rest of their postings for RBL and whitelisting.
 

lloyd_tennison (Well-Known Member, joined Mar 12, 2004)
Also, in regards to http://vamos-wentworth.org/exim-tricks.html

Do not use the faked yahoo, et al. They will not work if the message is a reply or a forward or anything that may have those domains in the header. It cannot use the full header, as that may even have any of those. (He said he was going to change/fix that posting - but that was two years ago, so he probably got distracted.)

I tried it for a couple of hours years ago and really messed things up....
 

gflamerich (Well-Known Member, joined Jul 21, 2003)
Does anyone have any new info regarding mailman???? How disappointing :(

Here is a link with a few ACL rules; I would very much appreciate it if someone could explain the options they have a little more:

http://www.ols.es/exim/acl/helo.acl

Here is some more stuff.
http://www.ols.es/exim/acl/

Maybe we can rewrite all this thread info in one post and have a nice how-to that helps sysadmins to fight spam. (But just wait to fix the mailman trouble :D )
 

endelwar (Member, joined May 2, 2004, Earth; cPanel Access Level: Root Administrator)
So I am (now - after changing it) testing this, which is similar to the exim standard check for mailman traffic:
Code:
# Accept mailman deliveries
  accept   condition    = \
           ${if and {{match{$sender_helo_name}{(.*)-bounces\+.*}} \
                     {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                {yes}{no}}
           endpass
           log_message = $sender_helo_name resides in mailman-passed
Hi, I'm testing this rule and I still have a problem with mailman; look at this log:
Code:
2007-01-30 21:46:36 1HBzsC-0003ki-5X <= [email protected] H=(ug-out-1314.google.com) [66.249.92.170] P=esmtp S=2835 [email protected] gmail.com
2007-01-30 21:48:00 1HBzsC-0003ki-5X => montellug <[email protected]> R=mailman_virtual_router T=mailman_virtual_transport
2007-01-30 21:48:00 1HBzsC-0003ki-5X Completed
2007-01-30 21:48:08 H=localhost (server1.sonsof.net) [127.0.0.1] rejected EHLO or HELO server1.sonsof.net: Forged HELO: server1.sonsof.net Spoof Attempt
2007-01-30 21:48:08 H=localhost (server1.sonsof.net) [127.0.0.1] rejected EHLO or HELO server1.sonsof.net: Forged HELO: server1.sonsof.net Spoof Attempt
2007-01-30 21:48:08 H=localhost (server1.sonsof.net) [127.0.0.1] rejected EHLO or HELO server1.sonsof.net: Forged HELO: server1.sonsof.net Spoof Attempt
2007-01-30 21:48:08 H=localhost (server1.sonsof.net) [127.0.0.1] rejected EHLO or HELO server1.sonsof.net: Forged HELO: server1.sonsof.net Spoof Attempt
2007-01-30 21:48:09 H=localhost (server1.sonsof.net) [127.0.0.1] rejected EHLO or HELO server1.sonsof.net: Forged HELO: server1.sonsof.net Spoof Attempt
2007-01-30 21:48:09 H=localhost (server1.sonsof.net) [127.0.0.1] rejected EHLO or HELO server1.sonsof.net: Forged HELO: server1.sonsof.net Spoof Attempt
A mail from a valid server (gmail) and from a valid subscriber to the mailing list is sent (to [email protected]) and is blocked by the last of your antispoof rules (the domain one); I had to comment it out to let mailman work.

Also, it would be useful to log the id of the email in the log lines where one of your rules is met.

And thanks for your work!
 

mctDarren (Well-Known Member, joined Jan 6, 2004, New Jersey; cPanel Access Level: Root Administrator)
Yes, I am sorry I haven't followed up on this thread. Got extremely busy and simply forgot. I disabled that check on all our servers for now, until I get some time to sit down and figure out the mailman problem. :(
 

10101 (Well-Known Member, joined Sep 4, 2003)
Hi,

We are only using one of the ACL's from this thread and it's doing a good job of blocking email:

#####################################################
# IP Only is sent as the HELO
deny condition = ${if match {$sender_helo_name}\
{^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\$}\
{yes}{no}}
message = Your server announces itself ($sender_helo_name) with a plain \
IP address which is in breach of RFC2821.
log_message = Bad HELO: IP Only Announce
#####################################################

Is this ACL safe? Is this checking if the HELO is IP only or does it block it if it just contains an IP?
 

mctDarren (Well-Known Member, joined Jan 6, 2004, New Jersey; cPanel Access Level: Root Administrator)
^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\$
-snip-
Is this ACL safe? Is this checking if the HELO is IP only or does it block it if it just contains an IP?
The regular expression statement above recognizes any set of numbers set up in a format like an IP address. It would also catch "111111.2222222.3333333.4444444", even though that's a bogus IP address. Basically it's saying "Any string of four number sets, separated by decimals, that begin and end with the numbers". The "^" at the start means that the string must begin with a number and the "$" at the end means that the string must also end with a number. Hope that helps make it more clear; regexes can be tricky!
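As an added example (not code from this thread or from rvskin), here is a Python model of the HELO rules discussed above: the rvskin checks from lloyd_tennison's post with their `!hosts = @[]`, `+rv_relay_hosts` and `!authenticated = *` exemptions, plus the IP-only regex just explained. The interface, relay and local-domain lists and the sample sessions are constructed placeholders; the model shows that the bogus "111111.2222222.3333333.4444444" is caught by the IP-only rule, and that the localhost delivery from endelwar's log passes the local-domain check only because of the local-interface exemption.

```python
import re

# Constructed stand-ins for the Exim lists used by the thread's rules.
LOCAL_INTERFACES = {"127.0.0.1", "203.0.113.10"}      # @[] : this host's own addresses
RELAY_HOSTS = {"198.51.100.5"}                          # +rv_relay_hosts
LOCAL_DOMAINS = {"sonsof.net", "server1.sonsof.net"}    # +local_domains
OUR_INTERFACE_IP = "203.0.113.10"                       # $interface_address

# Regexes taken from the rules: IP-only HELO, the "hacked" uppercase pattern,
# and the numeric-label exception the hacked rule carves out.
IP_ONLY = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$")
HACKED = re.compile(r"^[A-Z0-9]+\.[a-z]+$")
NUMERIC_LABEL = re.compile(r"^[0-9]+\.[a-z]+$")

def check_helo(helo, peer_ip, authenticated=False):
    """Return None if the HELO is accepted, else the name of the first denying rule."""
    # !hosts = @[], !hosts = +rv_relay_hosts and !authenticated = * on the forged/hacked
    # rules: any one of them exempts the client from those three checks.
    exempt = peer_ip in LOCAL_INTERFACES or peer_ip in RELAY_HOSTS or authenticated
    if helo == "":                                    # Bad HELO: empty
        return "empty-helo"
    if not exempt and helo == OUR_INTERFACE_IP:       # Forged HELO: our own IP
        return "forged-helo-ip"
    if not exempt and helo.lower() in LOCAL_DOMAINS:  # Forged HELO: our local domain
        return "forged-helo-domain"
    # Hacked HELO: denied only if the uppercase pattern matches AND the purely numeric
    # first-label pattern does not (the rule's second condition is inverted, {no}{yes}).
    if not exempt and HACKED.match(helo) and not NUMERIC_LABEL.match(helo):
        return "hacked-helo"
    if IP_ONLY.match(helo):                           # 10101's IP-only rule, no exemptions
        return "ip-only-helo"
    return None

# Constructed sample sessions, including the localhost/mailman case from endelwar's log.
SAMPLES = [
    ("ug-out-1314.google.com", "66.249.92.170", False),
    ("server1.sonsof.net", "127.0.0.1", False),   # mailman handing mail back via localhost
    ("server1.sonsof.net", "192.0.2.77", False),  # outside host claiming to be us
    ("111111.2222222.3333333.4444444", "192.0.2.77", False),  # mctDarren's bogus IP
    ("ABCDEF.com", "192.0.2.77", False),
]

def run_samples():
    """Evaluate every sample; returns [(helo, peer_ip, verdict or 'accept'), ...]."""
    return [(h, ip, check_helo(h, ip, a) or "accept") for h, ip, a in SAMPLES]

if __name__ == "__main__":
    for helo, ip, verdict in run_samples():
        print(f"{helo:32} from {ip:14} -> {verdict}")
```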
 

mctDarren (Well-Known Member, joined Jan 6, 2004, New Jersey; cPanel Access Level: Root Administrator)
Sure, the only people it will block are those who have their MTAs set to announce as IP only, which are usually only spammers. You might get the occasional server that sends directly and has been misconfigured, but those should be few and far between.
 

jenlepp (Well-Known Member, joined Jul 4, 2005, Liberty Hill, TX; cPanel Access Level: DataCenter Provider)
We're using all the ACLs but the mailman killer on 4 servers, and the IP catcher has definitely stopped scores of spams. Quite stunning. No lost mail complaints yet, so it seems safe to me.

Nice job, webtiva. :)
 

jenlepp (Well-Known Member, joined Jul 4, 2005, Liberty Hill, TX; cPanel Access Level: DataCenter Provider)
I just wanted to update - I've been using this since I posted, and I have had absolutely no complaints from anyone about lost mail. In checking resource usage, as well, this had a phenomenal effect across all four servers and dramatically reduced MailScanner's resource usage to levels so low that I thought something was wrong with it. Checking the logs shows 9447 emails rejected in the last two days on one server (my smallest and least busy). Wow.

The results were consistent across all four servers hosting several hundred sites each. I am disgustingly impressed. :D

Thanks again!
 