Chirpy had linked to a page early on in this post with the following
deny message = HELO/EHLO with my domain name. You are not me.
log_message = HELO/EHLO my.domain
condition = ${if match {$sender_helo_name}{your-domain.com} {yes}{no}}
This denies Helo's from domain names you specify, and provided you do not specify your local server's name, it should not break mailman. The bummer is having to put these all in individually, if anyone knows of a script to do this I'd be a very happy man
(it's probably easy to write).
Only writing this because no one had posted a clear solution to using a local domain spoof attempt ACL without breaking mailman... It can be done, just a bit of tedium :0
Hope it helps,
Nick
deny message = HELO/EHLO with my domain name. You are not me.
log_message = HELO/EHLO my.domain
condition = ${if match {$sender_helo_name}{your-domain.com} {yes}{no}}
This denies Helo's from domain names you specify, and provided you do not specify your local server's name, it should not break mailman. The bummer is having to put these all in individually, if anyone knows of a script to do this I'd be a very happy man
(it's probably easy to write). Only writing this because no one had posted a clear solution to using a local domain spoof attempt ACL without breaking mailman... It can be done, just a bit of tedium :0
Hope it helps,
Nick
I'd presume you could do an lsearch either in or before the condition.Chirpy had linked to a page early on in this post with the following
...
condition = ${if match {$sender_helo_name}{your-domain.com} {yes}{no}}
...
The bummer is having to put these all in individually, if anyone knows of a script to do this I'd be a very happy man
I've not tested this, but presumably this:
condition = ${lookup {$sender_helo_name} lsearch {/PATH/TO/MYDOMAINLISTFILE}{yes}{no}}
would do what you want... then just stick the domains that are yours in that list...
PLEASE TEST BEFOR USING THE CODE ABOVE!
In helping someone else today I've rediscovered this thread and promise this week to come up with a workable solution for the mailman problem. As well as add a few more checks and repost my instructions entirely to reflect all changes.
- Darren (Formerly Webtiva)
- Darren (Formerly Webtiva)
Looking through this thread it seems people are having problems with the HELO checks blocking local users. Putting "accept authenticated = *" before these checks won't work, because you're doing the checks in the HELO ACL, and any checks performed in this ACL take place BEFORE authentication takes place.
The HELO checks need to be put in the AUTH, MAIL FROM or RCPT ACL instead.
Regarding the mailman problem, try using:
accept hosts = : 127.0.0.1
The HELO checks need to be put in the AUTH, MAIL FROM or RCPT ACL instead.
Regarding the mailman problem, try using:
accept hosts = : 127.0.0.1
Have anyone tried this? It doesn't work for me, I've put:
And sending mail to a mailman list gives:
Code:
#!!# ACL that is used after the RCPT command
check_recipient:
# Exim 3 had no checking on -bs messages, so for compatibility
# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.
accept hosts = : 127.0.0.1
Code:
2007-05-18 20:59:19 1Hp7fb-0001mW-Ai <= [email protected] H=(hostname.domain.com) [xxx.xxx.xxx.xxx] P=esmtp S=2366 [email protected] T="mailman test" from <[email protected]> for [email protected]
2007-05-18 20:59:19 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Hp7fb-0001mW-Ai
2007-05-18 20:59:20 1Hp7fb-0001mW-Ai => list <[email protected]> F=<[email protected]> R=mailman_virtual_router T=mailman_virtual_transport
2007-05-18 20:59:20 1Hp7fb-0001mW-Ai Completed
2007-05-18 20:59:23 H=localhost (hostname.domain.com) [127.0.0.1] rejected EHLO or HELO hostname.domain.com: Forged HELO: hostname.domain.com Spoof Attempt
2007-05-18 20:59:23 H=localhost (hostname.domain.com) [127.0.0.1] rejected EHLO or HELO hostname.domain.com: Forged HELO: hostname.domain.com Spoof Attempt
Last edited:
Anyway, I don't know how to try, but some one else might. My idea is in the ACL
to include an option like (in PHP way )
This will surely work for mailman, and on several our servers the Spoof attempt is always activated when a localdomain is used in HELO from a remote IP address, whenever 127.0.0.1 is mentioned in the logs it's a mailman delivery...
Code:
# Someone is trying to spoof a domain on the server
deny condition = ${if match_domain{$sender_helo_name}\
{+local_domains}}
message = Forged HELO: you are not $sender_helo_name
log_message = Forged HELO: $sender_helo_name Spoof Attempt
Code:
# Someone is trying to spoof a domain on the server
if ($sender_helo_name != server.name and IP != 127.0.0.1){
deny condition = ${if match_domain{$sender_helo_name}\
{+local_domains}}
message = Forged HELO: you are not $sender_helo_name
log_message = Forged HELO: $sender_helo_name Spoof Attempt
}This will surely work for mailman, and on several our servers the Spoof attempt is always activated when a localdomain is used in HELO from a remote IP address, whenever 127.0.0.1 is mentioned in the logs it's a mailman delivery...
This thread looks dead :D
Anyway, I've noticed some lines like the one below that these ACL's don block
Anyway, I've noticed some lines like the one below that these ACL's don block
Code:
2007-05-20 13:17:25 1HpjPf-0007xt-RB <= [email protected] H=[B](localhost.localdomain) [71.175.45.122][/B] P=smtp S=4025 [email protected] T="Benefits of Viagra" from <[email protected]> for [email protected]
2007-05-20 13:17:25 1HpjPf-0007xt-RB => info <[email protected]> F=<[email protected]> R=virtual_user T=virtual_userdeliveryI think what nisse was trying to convey was that we need to move the entire HELO check to 'check_recipient' instead of in the actual exim HELO routine. Keep your accept at the top of the ACL for localhost but let's add a line to our rule that causes it to not fire if hosts is empty. When you do that does it work?
Code:
# Someone is trying to spoof a domain on the server
deny condition = ${if match_domain{$sender_helo_name}{+local_domains}}
!hosts = :
message = Forged HELO: you are not $sender_helo_name
log_message = Forged HELO: $sender_helo_name Spoof AttemptI've added this to the check_recipient acl on my test box, and so far it seems to not even be needed. It's never actually hit on a piece of mail. Each one that had a reference to localhost was blocked earlier by the RBL rules. Today I might test this by relaxing the RBLs and watching to see what this rule does.
Code:
# deny localhost in HELO name (TRIAL)
deny condition = ${if match {$sender_helo_name} {\N^(127\.0\.0\.1|localhost(\.localdomain)?)$\N} {yes}{no}}
message = $sender_helo_name contains localhost reference
log_message = Bad HELO: $sender_helo_name contains localhost reference
!hosts = +relay_hosts
!authenticated = *
Code:
!hosts = : +relay_hostsI've put this on one server and I will let you know what happens in the next few days
I've just tested this and MAILMAN WORKS, I'm just not sure if it will also allow spammers to send mail, so please TEST it. (It's serversphere idea, so give hime credit for this)
Code:
# Someone is trying to spoof a domain on the server
deny condition = ${if match_domain{$sender_helo_name}{+local_domains}}
[B]!hosts = : +relay_hosts[/B]
message = Forged HELO: you are not $sender_helo_name
log_message = Forged HELO: $sender_helo_name Spoof AttemptNice! The reason (from what small knowledge I've gained reading on exim) is that when exim sends locally hosts is empty, so essentially that rule is saying that if hosts is set to empty or one of the allowed relays exim should accept the email. When a spammer sends mail hosts wouldn't be empty so it should work in theory.
But, I am still only standing on the outside looking in at the exim process (hence I have enough knowledge to be dangerous! lol) which is why I am stumbling through this process. I need to pour over the exim docs front to back someday soon, just haven't had the time.
This seems to be working
Code:
2007-05-20 17:24:19 1HpnGc-0004cl-9y <= [email protected] U=username P=local-bsmtp S=27817 [email protected] T="*****SPAM***** What do you say about this?" from <[email protected]> for [email protected]
2007-05-20 17:24:20 1HpnGd-0004cw-CL <= [email protected] U=username P=local-bsmtp S=27819 [email protected] T="*****SPAM***** What do you say about this?" from <[email protected]> for [email protected]
2007-05-20 17:25:07 H=attserver.net (localhost.localdomain) [69.64.36.153] temporarily rejected EHLO or HELO localhost.localdomain: cannot test authenticated condition in EHLO or HELO ACL
2007-05-20 17:25:07 H=attserver.net (localhost.localdomain) [69.64.36.153] temporarily rejected EHLO or HELO localhost.localdomain: cannot test authenticated condition in EHLO or HELO ACL
2007-05-20 17:42:26 H=rrcs-24-123-46-195.central.biz.rr.com (localhost.localdomain) [24.123.46.195] temporarily rejected EHLO or HELO localhost.localdomain: cannot test authenticated condition in EHLO or HELO ACLThanks serversphere
Hm, the reason it's being temporarily rejected is because it can't perform the authenticated test for some reason. Where did you put the rule? In which ACL?
A picture is worth a thousand words, right :D :D
It's the last rule in check_helo ACL, just before accept
EDIT: it's a rule to check for localhost.localdomain during HELO so I've put it in check_helo ACL, but now I think it should have been put in the check_recipient, or am I wrong!?
It's the last rule in check_helo ACL, just before accept
EDIT: it's a rule to check for localhost.localdomain during HELO so I've put it in check_helo ACL, but now I think it should have been put in the check_recipient, or am I wrong!?
Attachments
Last edited:
Yes, should be moved down to recipient - authentication test is failing because it hasn't been done at the helo_acl.
