I'd presume you could do an lsearch either in or before the condition.

Chirpy had linked to a page early on in this post with the following
...
condition = ${if match {$sender_helo_name}{your-domain.com} {yes}{no}}
...
The bummer is having to put these all in individually, if anyone knows of a script to do this I'd be a very happy man!
#!!# ACL that is used after the RCPT command
check_recipient:
# Exim 3 had no checking on -bs messages, so for compatibility
# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.
accept hosts = : 127.0.0.1
2007-05-18 20:59:19 1Hp7fb-0001mW-Ai <= [email protected] H=(hostname.domain.com) [xxx.xxx.xxx.xxx] P=esmtp S=2366 [email protected] T="mailman test" from <[email protected]> for [email protected]
2007-05-18 20:59:19 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Hp7fb-0001mW-Ai
2007-05-18 20:59:20 1Hp7fb-0001mW-Ai => list <[email protected]> F=<[email protected]> R=mailman_virtual_router T=mailman_virtual_transport
2007-05-18 20:59:20 1Hp7fb-0001mW-Ai Completed
2007-05-18 20:59:23 H=localhost (hostname.domain.com) [127.0.0.1] rejected EHLO or HELO hostname.domain.com: Forged HELO: hostname.domain.com Spoof Attempt
2007-05-18 20:59:23 H=localhost (hostname.domain.com) [127.0.0.1] rejected EHLO or HELO hostname.domain.com: Forged HELO: hostname.domain.com Spoof Attempt
# Someone is trying to spoof a domain on the server
deny condition = ${if match_domain{$sender_helo_name}\
{+local_domains}}
message = Forged HELO: you are not $sender_helo_name
log_message = Forged HELO: $sender_helo_name Spoof Attempt
# Someone is trying to spoof a domain on the server
# (the pseudocode "if helo != server.name and IP != 127.0.0.1" rendered as Exim
# ACL syntax: the deny is skipped when the HELO name is this server's own
# hostname or the connection comes from 127.0.0.1)
deny condition = ${if match_domain{$sender_helo_name}{+local_domains}}
     !condition = ${if eq{$sender_helo_name}{$primary_hostname}}
     !hosts = 127.0.0.1
     message = Forged HELO: you are not $sender_helo_name
     log_message = Forged HELO: $sender_helo_name Spoof Attempt
I think what nisse was trying to convey was that we need to move the entire HELO check to 'check_recipient' instead of in the actual exim HELO routine. Keep your accept at the top of the ACL for localhost but let's add a line to our rule that causes it to not fire if hosts is empty. When you do that does it work?

Has anyone tried this? It doesn't work for me, I've put:
Code:
check_recipient:
accept hosts = : 127.0.0.1
# Someone is trying to spoof a domain on the server
deny condition = ${if match_domain{$sender_helo_name}{+local_domains}}
!hosts = :
message = Forged HELO: you are not $sender_helo_name
log_message = Forged HELO: $sender_helo_name Spoof Attempt
I've added this to the check_recipient acl on my test box, and so far it seems to not even be needed. It's never actually hit on a piece of mail. Each one that had a reference to localhost was blocked earlier by the RBL rules. Today I might test this by relaxing the RBLs and watching to see what this rule does.

This thread looks dead :D
Anyway, I've noticed some lines like the one below that these ACLs don't block
Code:
2007-05-20 13:17:25 1HpjPf-0007xt-RB <= [email protected] H=(localhost.localdomain) [71.175.45.122] P=smtp S=4025 [email protected] T="Benefits of Viagra" from <[email protected]> for [email protected]
2007-05-20 13:17:25 1HpjPf-0007xt-RB => info <[email protected]> F=<[email protected]> R=virtual_user T=virtual_userdelivery
# deny localhost in HELO name (TRIAL)
deny condition = ${if match {$sender_helo_name} {\N^(127\.0\.0\.1|localhost(\.localdomain)?)$\N} {yes}{no}}
message = $sender_helo_name contains localhost reference
log_message = Bad HELO: $sender_helo_name contains localhost reference
!hosts = +relay_hosts
!authenticated = *
!hosts = : +relay_hosts
No, this still omits mailman from working, just tried it.
I've put this on one server and I will let you know what happens in the next few days.
valkira said: No, this still omits mailman from working, just tried it

Add 127.0.0.1 to it and see what you get:
!hosts = : 127.0.0.1
# Someone is trying to spoof a domain on the server
deny condition = ${if match_domain{$sender_helo_name}{+local_domains}}
!hosts = : +relay_hosts
message = Forged HELO: you are not $sender_helo_name
log_message = Forged HELO: $sender_helo_name Spoof Attempt
I've just tested this and MAILMAN WORKS, I'm just not sure if it will also allow spammers to send mail, so please TEST it. (It's serversphere's idea, so give him credit for this.)

Nice! The reason (from what small knowledge I've gained reading on exim) is that when exim sends locally hosts is empty, so essentially that rule is saying that if hosts is set to empty or one of the allowed relays exim should accept the email. When a spammer sends mail hosts wouldn't be empty so it should work in theory.
This seems to be working.
2007-05-20 17:24:19 1HpnGc-0004cl-9y <= [email protected] U=username P=local-bsmtp S=27817 [email protected] T="*****SPAM***** What do you say about this?" from <[email protected]> for [email protected]
2007-05-20 17:24:20 1HpnGd-0004cw-CL <= [email protected] U=username P=local-bsmtp S=27819 [email protected] T="*****SPAM***** What do you say about this?" from <[email protected]> for [email protected]
2007-05-20 17:25:07 H=attserver.net (localhost.localdomain) [69.64.36.153] temporarily rejected EHLO or HELO localhost.localdomain: cannot test authenticated condition in EHLO or HELO ACL
2007-05-20 17:25:07 H=attserver.net (localhost.localdomain) [69.64.36.153] temporarily rejected EHLO or HELO localhost.localdomain: cannot test authenticated condition in EHLO or HELO ACL
2007-05-20 17:42:26 H=rrcs-24-123-46-195.central.biz.rr.com (localhost.localdomain) [24.123.46.195] temporarily rejected EHLO or HELO localhost.localdomain: cannot test authenticated condition in EHLO or HELO ACL
Hm, the reason it's being temporarily rejected is because it can't perform the authenticated test for some reason. Where did you put the rule? In which ACL?
It's the last rule in the check_helo ACL, just before accept.
EDIT: it's a rule to check for localhost.localdomain during HELO so I've put it in the check_helo ACL, but now I think it should have been put in check_recipient, or am I wrong!?

Yes, it should be moved down to recipient - the authentication test is failing because it hasn't been done yet at the helo_acl.
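As an added example (not code from this thread), here is a Python audit script that re-implements the forged-HELO rule, the localhost-HELO rule and the hosts/authenticated exemptions discussed above and runs them over constructed mainlog lines, so the rules can be checked against an existing log before they go into check_recipient; LOCAL_DOMAINS, RELAY_HOSTS and the sample addresses are assumed placeholders.

```python
import re

# Constructed Exim mainlog lines modelled on the ones quoted in this thread
# (addresses, host names and message IDs are made up).
SAMPLE_LOG = """\
2007-05-20 13:17:25 1HpjPf-0007xt-RB <= spammer@example.net H=(localhost.localdomain) [198.51.100.23] P=smtp S=4025 T="Benefits of Viagra"
2007-05-18 20:59:19 1Hp7fb-0001mW-Ai <= list@example.com H=(example.com) [127.0.0.1] P=esmtp S=2366 T="mailman test"
2007-05-20 17:24:19 1HpnGc-0004cl-9y <= user@example.com U=username P=local-bsmtp S=27817 T="local submission"
2007-05-21 09:00:00 1HpzZz-0000aa-Qq <= forger@example.org H=mx.attacker.example (example.com) [203.0.113.9] P=esmtp S=1200 T="spoofed"
2007-05-21 09:05:00 1HpzZz-0000ab-Qq <= partner@example.org H=relay.partner.example (example.com) [192.0.2.10] P=esmtp S=900 T="via relay"
"""
LOCAL_DOMAINS = {"example.com"}   # stands in for +local_domains (assumed)
RELAY_HOSTS = {"192.0.2.10"}      # stands in for +relay_hosts (assumed)
LOCALHOST_RE = re.compile(r"^(127\.0\.0\.1|localhost(\.localdomain)?)$")
RECV_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) <= ")
# Forms: H=host (helo) [ip], H=(helo) [ip], or H=host [ip] when HELO equals the verified host name
HOST_RE = re.compile(r" H=(?:(?P<host>[^(\s]\S*) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\]")

def parse_received(line):
    """Return (msg_id, helo, ip) for a '<=' line; ip is None for a local submission (U=, no H=)."""
    m = RECV_RE.match(line)
    if not m:
        return None
    h = HOST_RE.search(line)
    if not h:
        return m.group("id"), "", None      # empty host: what the ':' item in 'hosts = : ...' matches
    return m.group("id"), h.group("helo") or h.group("host"), h.group("ip")

def helo_verdict(helo, ip, exempt_local_and_relay=True, authenticated=False):
    """Mirror the thread's two deny rules; exempt_local_and_relay models the
    'accept hosts = : 127.0.0.1', '!hosts = : +relay_hosts' and '!authenticated = *' exemptions."""
    if exempt_local_and_relay and (ip is None or ip == "127.0.0.1"
                                   or ip in RELAY_HOSTS or authenticated):
        return None
    if LOCALHOST_RE.match(helo):                # deny localhost in HELO name
        return "Bad HELO: %s contains localhost reference" % helo
    if helo.lower() in LOCAL_DOMAINS:           # match_domain{$sender_helo_name}{+local_domains}
        return "Forged HELO: %s Spoof Attempt" % helo
    return None

def audit(log_text, exempt_local_and_relay=True):
    """Apply helo_verdict to every received line; returns [(msg_id, reason), ...]."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_received(line)
        reason = parsed and helo_verdict(parsed[1], parsed[2], exempt_local_and_relay)
        if reason:
            hits.append((parsed[0], reason))
    return hits
```

Running audit(SAMPLE_LOG, exempt_local_and_relay=False) shows the mailman delivery from 127.0.0.1 being denied, which is the breakage the thread hit before the hosts exemption was added.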