Helpful Exim ACLs -- Add Your Own

[mctDarren]

using accept authenticated = * all my clients email can't received any email

Ouch, well then that's not going to work. Sorry about that! Still learning the ins and outs of these ACLs. Looks like I'll have to whip out the Exim book and do some more reading for this one... In the meantime, I would comment out the offending script.

 

[mctDarren]

Well, I'm wondering if the domain check is even viable at this point. It seems to catch localhost (Mailman), it catches those who use their domain on their office network (I had one of these as well isputra - but I informed them and they changed to use their ISP hostname). I think I may scrap that section in my configuration for now.

Ideas I had were an SPF check - accept if spf matches, a whitelist containing accepted hostnames or trying some sort of dns lookup. But they are either not viable or defeat the purpose of quickly dismissing a bad HELO.

Thoughts, ideas anyone? Thanks!

 

[Imai]

I do not have an idea.
I just want to say its very nice of you to initiate such a noble idea.
I hope the advanced users can contribute
happy new year
Binto

 

[lloyd_tennison]

http://www.rvskin.com/index.php?page=public/antispam#4.3 seems to have almost all the same items you have here and the authenticated works.

## Added from http://www.rvskin.com/index.php?page=public/antispam#4.3
#
# Be polite and say HELO. Reject anything from hosts that haven't given
# a valid HELO/EHLO to us.
##
deny message = Bad HELO: Empty HELO, please see RFC 2821 section 4.1.1.1
        condition = ${if eq{$sender_helo_name}{}{yes}{no}}

##
#  Forged hostname - HELOs as one of my own IPs
##
# Forged HELO (our ip/hostname)
deny message = Forged HELO: you are not $sender_helo_name as that is our IP Address and you are not allowed to us
e it in HELO/EHLO as per RFC Standards.
        !hosts = @[]
        !hosts = +rv_relay_hosts
        !authenticated = *
        condition = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}
       

##
# Forged hostname - HELOs as my own hostname or domain
##
# accept helo which is in local_domain if we relay or had smtp auth
deny message = Forged HELO: you are not $sender_helo_name our local domain and you are not allowed to use as per
RFC Standards.
        !hosts = @[]
        !hosts = +rv_relay_hosts
        !authenticated = *
        condition = ${if match_domain{$sender_helo_name}{+local_domains}{yes}{no}}
       

##
# Hacked HELO (DOMAIN.com) (constructed by viruses)
##
deny message = Hacked HELO: you are not $sender_helo_name
        condition = ${if match {$sender_helo_name}{\N^[A-Z0-9]+\.[a-z]+$\N}{yes}{no}}
        condition = ${if match {$sender_helo_name}{\N^[0-9]+\.[a-z]+$\N}{no}{yes}}
        !hosts = @[]
        !hosts = +rv_relay_hosts
        !authenticated = *

 

[isputra]

http://www.rvskin.com/index.php?page=public/antispam#4.3 seems to have almost all the same items you have here and the authenticated works.

## Added from http://www.rvskin.com/index.php?page=public/antispam#4.3
#
# Be polite and say HELO. Reject anything from hosts that haven't given
# a valid HELO/EHLO to us.
##
deny message = Bad HELO: Empty HELO, please see RFC 2821 section 4.1.1.1
        condition = ${if eq{$sender_helo_name}{}{yes}{no}}

##
#  Forged hostname - HELOs as one of my own IPs
##
# Forged HELO (our ip/hostname)
deny message = Forged HELO: you are not $sender_helo_name as that is our IP Address and you are not allowed to us
e it in HELO/EHLO as per RFC Standards.
        !hosts = @[]
        !hosts = +rv_relay_hosts
        !authenticated = *
        condition = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}
       

##
# Forged hostname - HELOs as my own hostname or domain
##
# accept helo which is in local_domain if we relay or had smtp auth
deny message = Forged HELO: you are not $sender_helo_name our local domain and you are not allowed to use as per
RFC Standards.
        !hosts = @[]
        !hosts = +rv_relay_hosts
        !authenticated = *
        condition = ${if match_domain{$sender_helo_name}{+local_domains}{yes}{no}}
       

##
# Hacked HELO (DOMAIN.com) (constructed by viruses)
##
deny message = Hacked HELO: you are not $sender_helo_name
        condition = ${if match {$sender_helo_name}{\N^[A-Z0-9]+\.[a-z]+$\N}{yes}{no}}
        condition = ${if match {$sender_helo_name}{\N^[0-9]+\.[a-z]+$\N}{no}{yes}}
        !hosts = @[]
        !hosts = +rv_relay_hosts
        !authenticated = *

Hi,

What is this for :

!hosts = @[]
!hosts = +rv_relay_hosts

Thanks

 

[lloyd_tennison]

Look back at the original link on their site. They use several of those values in the rest of their postings for RBL and whitelisting.

 

[lloyd_tennison]

Also, in regards to http://vamos-wentworth.org/exim-tricks.html

Do not use the faked yahoo, et al. They will not work if the message is a reply or a forward or anything that may have those domains in the header. It cannot use the full header, as that may even have any of those. (He said he was going to change/fix that posting - but that was two years ago, so he probably got distracted.)

I tried it for a couple of hours years ago and really messed things up....

 

[mctDarren]

http://www.rvskin.com/index.php?page=public/antispam#4.3

Now THAT is an awesome link!! Thanks for that one. I see what they are doing now, rather than simply passing the mail through at the beginning as I suggested they have the authentication check in the conditions of each one. Very nice! :D

 

[mctDarren]

http://vamos-wentworth.org/exim-tricks.html ... Do not use the faked yahoo, et al.

Never tried them - now I'm glad I didn't.

 

[gflamerich]

Does anyone has any new info regarding mailman???? how disappointing

Here is a link with a few acl rules, will appreciate very much if someone explains a little more all the options they have?

http://www.ols.es/exim/acl/helo.acl

Here are some more stuff.
http://www.ols.es/exim/acl/

Maybe we can rewrite all this thread info in one post and have a nice how-to that helps sysadmins to fight spam. (But just wait to fix the mailman trouble :D )

 

[endelwar]

So I am (now - after changing it) testing this, which is similar to the exim standard check for mailman traffic:

# Accept mailman deliveries
  accept   condition    = \
           ${if and {{match{$sender_helo_name}{(.*)-bounces\+.*}} \
                     {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                {yes}{no}}
           endpass
           log_message = $sender_helo_name resides in mailman-passed

Hi, I'm testing this rule and I've still problem with mailman, look at this log:

2007-01-30 21:46:36 1HBzsC-0003ki-5X <= [email protected] H=(ug-out-1314. google.com) [66.249.92.170] P=esmtp S=2835 [email protected] gmail.com
2007-01-30 21:48:00 1HBzsC-0003ki-5X => montellug <[email protected]> R=mai lman_virtual_router T=mailman_virtual_transport
2007-01-30 21:48:00 1HBzsC-0003ki-5X Completed
2007-01-30 21:48:08 H=localhost (server1.sonsof.net) [127.0.0.1] rejected EHLO o r HELO server1.sonsof.net: Forged HELO: server1.sonsof.net Spoof Attempt
2007-01-30 21:48:08 H=localhost (server1.sonsof.net) [127.0.0.1] rejected EHLO o r HELO server1.sonsof.net: Forged HELO: server1.sonsof.net Spoof Attempt
2007-01-30 21:48:08 H=localhost (server1.sonsof.net) [127.0.0.1] rejected EHLO o r HELO server1.sonsof.net: Forged HELO: server1.sonsof.net Spoof Attempt
2007-01-30 21:48:08 H=localhost (server1.sonsof.net) [127.0.0.1] rejected EHLO o r HELO server1.sonsof.net: Forged HELO: server1.sonsof.net Spoof Attempt
2007-01-30 21:48:09 H=localhost (server1.sonsof.net) [127.0.0.1] rejected EHLO o r HELO server1.sonsof.net: Forged HELO: server1.sonsof.net Spoof Attempt
2007-01-30 21:48:09 H=localhost (server1.sonsof.net) [127.0.0.1] rejected EHLO o r HELO server1.sonsof.net: Forged HELO: server1.sonsof.net Spoof Attempt

A mail from a valid server (gmail) and from a valid subscribed to the mailing list sends a mail (to [email protected]) and is blocked from the last of your antispoof rule (the domain one) and I had to comment it to let mailman work.

Also it would be useful to have logged also the id of the email in the logs where one of your rules is met.

And thanks for your work!

 

[mctDarren]

Yes, I am sorry I haven't followed up on this thread. Got extremely busy and simply forgot. I disabled that check on all our servers for now, until I get some time to sit down and figure out the mailman problem.

 

[10101]

Hi,

We are only using one of the ACL's from this thread and it's doing a good job of blocking email:

#####################################################
# IP Only is sent as the HELO
deny condition = ${if match {$sender_helo_name}\
{^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\$}\
{yes}{no}}
message = Your server announces itself ($sender_helo_name) with a plain \
IP address which is in breach of RFC2821.
log_message = Bad HELO: IP Only Announce
#####################################################

Is this ACL safe? Is this checking if the HELO is IP only or does it block it if it just contains an IP?

 

[mctDarren]

^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\$
-snip-
Is this ACL safe? Is this checking if the HELO is IP only or does it block it if it just contains an IP?

The regular expression statement above recognizes any set of numbers set up in a format like an IP address. It would also catch "111111.2222222.3333333.4444444", even though that's a bogus IP address. Basically it's saying "Any string of four number sets, separated by decimals, that begin and end with the numbers". The "^" at the start means that the string must begin with a number and the "$" at the end means that the string must also end with a number. Hope that helps make it more clear, regex's can be tricky!

 

[10101]

Thanks for the reply So is this rule safe in your opinion? Are others using this ok?

 

[mctDarren]

Sure, the only people it will block are those who have their MTAs set to announce as IP only, which are usually only spammers. You might get the occasional server that sends directly and has been misconfigured but should be far and few between.

 

[jenlepp]

We're using all the ACL's but the mailMan killer on 4 servers, and the IP catcher has definitely stopped scores of spams. Quite stunning. No lost mail complaints yes, so It seems safe to me.

Nice job, webtiva.

 

[valkira]

I've put the ACL on one of our server, if I don't get hundreds of calls tommorow it means it surely works

 

[jenlepp]

I just wanted to update - I've been using this since I posted, and I have had absolutely no complaints from anyone about lost mail. In checking resource usage, as well, this had a phenominal effect across all four servers and dramatically reduced MailScanner's resource usage to levels so low that I thought something was wrong with it. Checking the logs shows 9447 emails rejected in the last two days on one server (my smallest and least busy). Wow.

The results were consistent across all four servers hosting several hundred sites each. I am disgustingly impressed. :D

Thanks again!

 

[mctDarren]

The results were consistent across all four servers hosting several hundred sites each. I am disgustingly impressed

Awesome! Very nice to hear some positive results.