Helpful Exim ACLs -- Add Your Own

jcorreia (Well-Known Member, joined Apr 25, 2005)

Hi,
with the domain problem and the link from rvskin I'm confused and do not know which one I should follow.
Can you post the full ACL that you are using?
Thanks
 

aboleth (Well-Known Member, joined Sep 8, 2005)

Chirpy had linked to a page early on in this post with the following

Code:
# 'match' applies a regular expression to the HELO name: the pattern is not
# anchored, and an unescaped '.' matches any character
deny message = HELO/EHLO with my domain name. You are not me.
     log_message = HELO/EHLO my.domain
     condition = ${if match {$sender_helo_name}{your-domain.com} {yes}{no}}

This denies HELOs from domain names you specify, and provided you do not specify your local server's name, it should not break mailman. The bummer is having to put these all in individually; if anyone knows of a script to do this I'd be a very happy man :) (it's probably easy to write).

Only writing this because no one had posted a clear solution to using a local domain spoof attempt ACL without breaking mailman... It can be done, just a bit of tedium :)

Hope it helps,
Nick
 

freedman (Well-Known Member, joined Feb 13, 2005)

Chirpy had linked to a page early on in this post with the following
...
condition = ${if match {$sender_helo_name}{your-domain.com} {yes}{no}}
...
The bummer is having to put these all in individually, if anyone knows of a script to do this I'd be a very happy man :)
I'd presume you could do an lsearch either in or before the condition.
I've not tested this, but presumably this:

Code:
condition = ${lookup {$sender_helo_name} lsearch {/PATH/TO/MYDOMAINLISTFILE}{yes}{no}}

would do what you want... then just stick the domains that are yours in that list...

PLEASE TEST BEFORE USING THE CODE ABOVE!
 

mctDarren (Well-Known Member, joined Jan 6, 2004, New Jersey; cPanel Access Level: Root Administrator)

In helping someone else today I've rediscovered this thread and promise this week to come up with a workable solution for the mailman problem. As well as add a few more checks and repost my instructions entirely to reflect all changes.

- Darren (Formerly Webtiva)
 

nisse (Well-Known Member, joined Nov 11, 2003)

Looking through this thread it seems people are having problems with the HELO checks blocking local users. Putting "accept authenticated = *" before these checks won't work, because you're doing the checks in the HELO ACL, and any checks performed in this ACL take place BEFORE authentication takes place.

The HELO checks need to be put in the AUTH, MAIL FROM or RCPT ACL instead.

Regarding the mailman problem, try using:

Code:
accept hosts = : 127.0.0.1
 

valkira (Active Member, joined May 3, 2004, Croatia; cPanel Access Level: Root Administrator)

Has anyone tried this? It doesn't work for me, I've put:
Code:
#!!# ACL that is used after the RCPT command


check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.
  accept  hosts = : 127.0.0.1
And sending mail to a mailman list gives:

Code:
2007-05-18 20:59:19 1Hp7fb-0001mW-Ai <= [email protected] H=(hostname.domain.com) [xxx.xxx.xxx.xxx] P=esmtp S=2366 [email protected] T="mailman test" from <[email protected]> for [email protected]
2007-05-18 20:59:19 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Hp7fb-0001mW-Ai
2007-05-18 20:59:20 1Hp7fb-0001mW-Ai => list <[email protected]> F=<[email protected]> R=mailman_virtual_router T=mailman_virtual_transport
2007-05-18 20:59:20 1Hp7fb-0001mW-Ai Completed
2007-05-18 20:59:23 H=localhost (hostname.domain.com) [127.0.0.1] rejected EHLO or HELO hostname.domain.com: Forged HELO: hostname.domain.com Spoof Attempt
2007-05-18 20:59:23 H=localhost (hostname.domain.com) [127.0.0.1] rejected EHLO or HELO hostname.domain.com: Forged HELO: hostname.domain.com Spoof Attempt
 

valkira (Active Member, joined May 3, 2004, Croatia; cPanel Access Level: Root Administrator)

Anyway, I don't know how to try it, but someone else might. My idea is in the ACL

Code:
# Someone is trying to spoof a domain on the server
deny condition = ${if match_domain{$sender_helo_name}\
{+local_domains}}
message = Forged HELO: you are not $sender_helo_name
log_message = Forged HELO: $sender_helo_name Spoof Attempt
to include an option like (in PHP way :) )
Code:
# Someone is trying to spoof a domain on the server
if ($sender_helo_name != server.name and IP != 127.0.0.1){
deny condition = ${if match_domain{$sender_helo_name}\
{+local_domains}}
message = Forged HELO: you are not $sender_helo_name
log_message = Forged HELO: $sender_helo_name Spoof Attempt
}

This will surely work for mailman, and on several of our servers the spoof attempt rule is always triggered when a local domain is used in the HELO from a remote IP address; whenever 127.0.0.1 is mentioned in the logs it's a mailman delivery...
 

mctDarren (Well-Known Member, joined Jan 6, 2004, New Jersey; cPanel Access Level: Root Administrator)

Has anyone tried this? It doesn't work for me, I've put:
Code:
check_recipient:
  accept  hosts = : 127.0.0.1
I think what nisse was trying to convey was that we need to move the entire HELO check to 'check_recipient' instead of in the actual exim HELO routine. Keep your accept at the top of the ACL for localhost but let's add a line to our rule that causes it to not fire if hosts is empty. When you do that does it work?

Code:
# Someone is trying to spoof a domain on the server
deny condition = ${if match_domain{$sender_helo_name}{+local_domains}}
!hosts = :
message = Forged HELO: you are not $sender_helo_name
log_message = Forged HELO: $sender_helo_name Spoof Attempt
 

mctDarren (Well-Known Member, joined Jan 6, 2004, New Jersey; cPanel Access Level: Root Administrator)

This thread looks dead :D

Anyway, I've noticed some lines like the one below that these ACLs don't block

Code:
2007-05-20 13:17:25 1HpjPf-0007xt-RB <= [email protected] H=(localhost.localdomain) [71.175.45.122] P=smtp S=4025 [email protected] T="Benefits of Viagra" from <[email protected]> for [email protected]
2007-05-20 13:17:25 1HpjPf-0007xt-RB => info <[email protected]> F=<[email protected]> R=virtual_user T=virtual_userdelivery
I've added this to the check_recipient ACL on my test box, and so far it seems to not even be needed. It's never actually hit on a piece of mail. Each one that had a reference to localhost was blocked earlier by the RBL rules. Today I might test this by relaxing the RBLs and watching to see what this rule does.

Code:
# deny localhost in HELO name (TRIAL)
deny condition = ${if match {$sender_helo_name} {\N^(127\.0\.0\.1|localhost(\.localdomain)?)$\N} {yes}{no}}
  message = $sender_helo_name contains localhost reference
  log_message = Bad HELO: $sender_helo_name contains localhost reference
  !hosts = +relay_hosts
  !authenticated = *
And now that I've come back to this thread this morning I'm wondering if I shouldn't change the hosts line to:
Code:
!hosts = : +relay_hosts
 
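As an added example (not code from the thread, from cPanel or from Exim), the following Python script replays the two check_recipient HELO rules above, the localhost-name regex and the local-domain check with its `!hosts = : +relay_hosts` exemption, against accepted-message (`<=`) lines from exim_mainlog. That shows what the rules would have denied before you relax the RBLs to find out on live mail. The log lines, the contents of LOCAL_DOMAINS and the contents of RELAY_HOSTS are constructed assumptions for this example, not taken from any real server; set the last two to match your own exim.conf lists.

```python
"""Replay the thread's two check_recipient HELO rules against exim_mainlog
'<=' (message accepted) lines. Added example with constructed log lines."""
import ipaddress
import re
from typing import List, Tuple

# Constructed sample lines in the layout shown in this thread (RFC 5737
# addresses, invented message IDs); not taken from any real server.
SAMPLE_MAINLOG = """\
2007-05-20 13:17:25 1HpjPf-0007xt-RB <= spammer@example.net H=(localhost.localdomain) [203.0.113.122] P=smtp S=4025 T="Benefits of Viagra" from <spammer@example.net> for info@example.com
2007-05-20 13:18:01 1HpjQE-0007yA-Qz <= bogus@example.com H=(hostname.example.com) [198.51.100.17] P=esmtp S=2366 T="spoofed" from <bogus@example.com> for sales@example.com
2007-05-20 13:18:40 1HpjQr-0007yQ-1c <= list-bounces@lists.example.com H=localhost (hostname.example.com) [127.0.0.1] P=esmtp S=2366 T="mailman test" from <list-bounces@lists.example.com> for member@example.net
2007-05-20 13:19:02 1HpjRD-0007yX-2d <= bob@example.com U=bob P=local-bsmtp S=27817 T="local pipe" from <bob@example.com> for bob@example.com
2007-05-20 13:19:30 1HpjRf-0007yZ-3e <= partner@partner.example H=mx1.partner.example [192.0.2.44] P=esmtp S=1900 T="normal mail" from <partner@partner.example> for info@example.com
"""

# Assumptions for this example: what +local_domains and +relay_hosts hold on
# the box. Replace with the contents of your own lists.
LOCAL_DOMAINS = {"example.com", "hostname.example.com", "lists.example.com"}
RELAY_HOSTS = ["127.0.0.1", "192.0.2.0/24"]

# The regex from the 'deny localhost in HELO name' rule, as a Python re.
LOCALHOST_HELO = re.compile(r"^(127\.0\.0\.1|localhost(\.localdomain)?)$", re.I)

# Exim writes H=name (helo) [ip], H=(helo) [ip] when there is no reverse DNS,
# H=name [ip] when the HELO equals the name, and U=user for local input.
RECEIVED = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) "
    r"(?:H=(?:(?P<rdns>[^\s(\[]+) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\]"
    r"|U=(?P<user>\S+))"
)


def in_hosts(ip: str, host_list: List[str]) -> bool:
    """True when ip falls inside any address or CIDR block in host_list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in host_list)


def audit(log_text: str, local_domains, relay_hosts) -> List[Tuple[str, str, str, str]]:
    """(msgid, helo, ip, reason) for each accepted message whose HELO the two
    rules would have denied. Local input (U=) has an empty sending host, so
    the '!hosts = : +relay_hosts' clause exempts it, as it does relay hosts."""
    hits = []
    for line in log_text.splitlines():
        m = RECEIVED.match(line)
        if not m or m["user"]:
            continue
        helo = (m["helo"] or m["rdns"] or "").lower().rstrip(".")
        ip = m["ip"]
        if in_hosts(ip, relay_hosts):
            continue
        if LOCALHOST_HELO.match(helo):
            hits.append((m["id"], helo, ip, "localhost reference in HELO"))
        elif helo in local_domains:
            hits.append((m["id"], helo, ip, "HELO claims one of our domains"))
    return hits


if __name__ == "__main__":
    for msgid, helo, ip, reason in audit(SAMPLE_MAINLOG, LOCAL_DOMAINS, RELAY_HOSTS):
        print(f"{msgid} HELO={helo} [{ip}]: {reason}")
```

Run it against a copy of your real exim_mainlog (`audit(open("/var/log/exim_mainlog").read(), ...)`) and compare the hits with what the RBLs already rejected; only `<=` lines are examined, so the `rejected EHLO or HELO` lines that the HELO ACL produces are deliberately left out.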

valkira (Active Member, joined May 3, 2004, Croatia; cPanel Access Level: Root Administrator)

I think what nisse was trying to convey was that we need to move the entire HELO check to 'check_recipient' instead of in the actual exim HELO routine. Keep your accept at the top of the ACL for localhost but let's add a line to our rule that causes it to not fire if hosts is empty. When you do that does it work?

Code:
# Someone is trying to spoof a domain on the server
deny condition = ${if match_domain{$sender_helo_name}{+local_domains}}
!hosts = :
message = Forged HELO: you are not $sender_helo_name
log_message = Forged HELO: $sender_helo_name Spoof Attempt
No, this still keeps mailman from working; just tried it.
 

valkira (Active Member, joined May 3, 2004, Croatia; cPanel Access Level: Root Administrator)

Code:
# deny localhost in HELO name (TRIAL)
deny condition = ${if match {$sender_helo_name} {\N^(127\.0\.0\.1|localhost(\.localdomain)?)$\N} {yes}{no}}
  message = $sender_helo_name contains localhost reference
  log_message = Bad HELO: $sender_helo_name contains localhost reference
  !hosts = +relay_hosts
  !authenticated = *
I've put this on one server and I will let you know what happens in the next few days
 

valkira (Active Member, joined May 3, 2004, Croatia; cPanel Access Level: Root Administrator)

I've just tested this and MAILMAN WORKS, I'm just not sure if it will also allow spammers to send mail, so please TEST it. (It's serversphere's idea, so give him credit for this)

Code:
# Someone is trying to spoof a domain on the server
deny condition = ${if match_domain{$sender_helo_name}{+local_domains}}
     !hosts = : +relay_hosts
message = Forged HELO: you are not $sender_helo_name
log_message = Forged HELO: $sender_helo_name Spoof Attempt
 

mctDarren (Well-Known Member, joined Jan 6, 2004, New Jersey; cPanel Access Level: Root Administrator)

I've just tested this and MAILMAN WORKS, I'm just not sure if it will also allow spammers to send mail, so please TEST it. (It's serversphere's idea, so give him credit for this)

Code:
# Someone is trying to spoof a domain on the server
deny condition = ${if match_domain{$sender_helo_name}{+local_domains}}
     !hosts = : +relay_hosts
message = Forged HELO: you are not $sender_helo_name
log_message = Forged HELO: $sender_helo_name Spoof Attempt
Nice! The reason (from what small knowledge I've gained reading on exim) is that when exim sends locally, hosts is empty, so essentially that rule is saying that if hosts is empty or one of the allowed relays, exim should accept the email. When a spammer sends mail, hosts wouldn't be empty, so it should work in theory.

But I am still only standing on the outside looking in at the exim process (hence I have enough knowledge to be dangerous! lol), which is why I am stumbling through this process. I need to pore over the exim docs front to back someday soon, just haven't had the time. :)
 
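To make the reasoning in Darren's post concrete, here is an added example (not from the thread, not cPanel's or Exim's own code) that models in Python the three things the working rule relies on: a domain list loaded from an lsearch-style file of the kind freedman suggested, Exim's match_domain, and the hosts condition with its empty item and +relay_hosts reference. It then runs several constructed SMTP sessions through the rule. The domain list, the session peers and the assumption that 127.0.0.1 is in relay_hosts are all made up for this example; check the real lists in your exim.conf.

```python
"""Offline model of the check_recipient rule from this thread:

    deny condition = ${if match_domain{$sender_helo_name}{+local_domains}}
         !hosts = : +relay_hosts

Added example; the domain list and relay_hosts contents are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout freedman's lsearch lookup reads:
# one key per line, optional ': data', '#' comments ignored.
LOCAL_DOMAINS_LSEARCH = """\
# /PATH/TO/MYDOMAINLISTFILE (constructed sample)
example.com
example.org
*.example.org
mail.example.com: the server's own hostname
"""

# Assumption for this example: loopback is in this box's +relay_hosts, which
# is what would let mailman's 127.0.0.1 submissions through the rule.
# Check your own exim.conf before relying on that.
RELAY_HOSTS = ["127.0.0.1", "192.0.2.0/24"]


def parse_lsearch_keys(text: str) -> List[str]:
    """Keys of an lsearch-style file: the key ends at the first ':' or white
    space; blank lines and '#' comments are skipped."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            keys.append(re.split(r"[:\s]", line, maxsplit=1)[0].lower())
    return keys


def match_domain(name: str, domain_list: List[str]) -> bool:
    """Exim's match_domain for the two item forms used here: a literal domain
    (exact, case-insensitive) and a leading '*' wildcard. Unlike the
    unanchored 'match' regex in the earlier ACL, 'notexample.com' does not
    match an 'example.com' item."""
    name = name.lower().rstrip(".")
    for item in domain_list:
        if item.startswith("*"):
            if name.endswith(item[1:]):
                return True
        elif name == item:
            return True
    return False


def hosts_match(host_ip: Optional[str], host_list: List[str],
                named: Dict[str, List[str]]) -> bool:
    """Exim's 'hosts' condition. The empty item matches only when there is no
    sending host at all (local, non-TCP input); '+name' expands a named host
    list; anything else is an address or CIDR block."""
    for item in host_list:
        if item == "":
            if host_ip is None:
                return True
        elif item.startswith("+"):
            if hosts_match(host_ip, named[item[1:]], named):
                return True
        elif host_ip is not None and ipaddress.ip_address(host_ip) in \
                ipaddress.ip_network(item, strict=False):
            return True
    return False


@dataclass
class Session:
    helo: str
    host_ip: Optional[str]   # None: local submission with no TCP peer


def forged_helo_verdict(s: Session, local_domains: List[str],
                        relay_hosts: List[str]) -> str:
    """'deny' fires only when every condition holds: the HELO is one of our
    domains AND the peer matches neither the empty item nor relay_hosts."""
    named = {"relay_hosts": relay_hosts}
    spoofed = match_domain(s.helo, local_domains)
    exempt = hosts_match(s.host_ip, ["", "+relay_hosts"], named)
    return "deny" if spoofed and not exempt else "accept"


def run_samples() -> List[tuple]:
    local = parse_lsearch_keys(LOCAL_DOMAINS_LSEARCH)
    samples = [
        Session("example.com", "203.0.113.5"),        # remote host claiming our domain
        Session("mail.example.com", "127.0.0.1"),     # mailman via loopback (in relay_hosts)
        Session("example.com", None),                 # local pipe / exim -bs, empty host
        Session("host.example.org", "198.51.100.9"),  # caught by the '*.example.org' item
        Session("notexample.com", "198.51.100.9"),    # substring only; match_domain ignores it
        Session("mx.isp.example", "192.0.2.77"),      # relay host, ordinary HELO
    ]
    return [(s.helo, s.host_ip, forged_helo_verdict(s, local, RELAY_HOSTS))
            for s in samples]


if __name__ == "__main__":
    for helo, ip, verdict in run_samples():
        print(f"{verdict:6} HELO={helo:20} from {ip or '(local)'}")
```

The model only covers the list item forms the thread uses (plain domains, a leading `*`, literal addresses and CIDR blocks); Exim's real lists also accept regexes and lookups. The point it demonstrates is the one Darren describes: a peer only escapes the deny when it matches the empty item (no TCP peer at all) or something in relay_hosts, so a remote spammer claiming one of your domains is still refused while local and loopback deliveries pass.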

valkira (Active Member, joined May 3, 2004, Croatia; cPanel Access Level: Root Administrator)

I've added this to the check_recipient acl on my test box, and so far it seems to not even be needed. It's never actually hit on a piece of mail. Each one that had a reference to localhost was blocked earlier by the RBL rules. Today I might test this by relaxing the RBLs and watching to see what this rule does.

Code:
# deny localhost in HELO name (TRIAL)
deny condition = ${if match {$sender_helo_name} {\N^(127\.0\.0\.1|localhost(\.localdomain)?)$\N} {yes}{no}}
  message = $sender_helo_name contains localhost reference
  log_message = Bad HELO: $sender_helo_name contains localhost reference
  !hosts = +relay_hosts
  !authenticated = *
This seems to be working
Code:
2007-05-20 17:24:19 1HpnGc-0004cl-9y <= [email protected] U=username P=local-bsmtp S=27817 [email protected] T="*****SPAM***** What do you say about this?" from <[email protected]> for [email protected]
2007-05-20 17:24:20 1HpnGd-0004cw-CL <= [email protected] U=username P=local-bsmtp S=27819 [email protected] T="*****SPAM***** What do you say about this?" from <[email protected]> for [email protected]
2007-05-20 17:25:07 H=attserver.net (localhost.localdomain) [69.64.36.153] temporarily rejected EHLO or HELO localhost.localdomain: cannot test authenticated condition in EHLO or HELO ACL
2007-05-20 17:25:07 H=attserver.net (localhost.localdomain) [69.64.36.153] temporarily rejected EHLO or HELO localhost.localdomain: cannot test authenticated condition in EHLO or HELO ACL
2007-05-20 17:42:26 H=rrcs-24-123-46-195.central.biz.rr.com (localhost.localdomain) [24.123.46.195] temporarily rejected EHLO or HELO localhost.localdomain: cannot test authenticated condition in EHLO or HELO ACL
I noticed that the messages in exim_mainlog are not "Bad HELO: $sender_helo_name contains localhost reference" but "temporarily rejected EHLO or HELO localhost.localdomain: cannot test authenticated condition in EHLO or HELO ACL" - I don't care as long as they can't send any mail through my servers :D

Thanks serversphere
 

mctDarren (Well-Known Member, joined Jan 6, 2004, New Jersey; cPanel Access Level: Root Administrator)

Code:
2007-05-20 17:25:07 H=attserver.net (localhost.localdomain) [69.64.36.153] temporarily rejected EHLO or HELO localhost.localdomain: cannot test authenticated condition in EHLO or HELO ACL
2007-05-20 17:25:07 H=attserver.net (localhost.localdomain) [69.64.36.153] temporarily rejected EHLO or HELO localhost.localdomain: cannot test authenticated condition in EHLO or HELO ACL
2007-05-20 17:42:26 H=rrcs-24-123-46-195.central.biz.rr.com (localhost.localdomain) [24.123.46.195] temporarily rejected EHLO or HELO localhost.localdomain: cannot test authenticated condition in EHLO or HELO ACL
Hm, the reason it's being temporarily rejected is because it can't perform the authenticated test for some reason. Where did you put the rule? In which ACL?
 

valkira (Active Member, joined May 3, 2004, Croatia; cPanel Access Level: Root Administrator)

A picture is worth a thousand words, right :D :D

It's the last rule in the check_helo ACL, just before the accept.

EDIT: it's a rule to check for localhost.localdomain during HELO, so I've put it in the check_helo ACL, but now I think it should have been put in check_recipient, or am I wrong!?
 


mctDarren (Well-Known Member, joined Jan 6, 2004, New Jersey; cPanel Access Level: Root Administrator)

It's the last rule in the check_helo ACL, just before the accept.

EDIT: it's a rule to check for localhost.localdomain during HELO, so I've put it in the check_helo ACL, but now I think it should have been put in check_recipient, or am I wrong!?
Yes, it should be moved down to check_recipient; the authenticated test is failing because authentication hasn't happened yet at the HELO ACL.