On 12.01.2016 17:40, Viktor Dukhovni wrote:
> On Tue, Jan 12, 2016 at 04:27:25PM +0000, Drav Sloan wrote:
> 
>>> OK, so this begs the question that if the RFC says a client MUST issue a
>>> HELO/EHLO before a mail transaction, then shouldn't Exim refuse to accept
>>> MAIL FROM until a HELO/EHLO has been received *and* accepted? (ie, doing a
>>> "deny" and issuing a 5xx response should leave Exim in its initial 'still
>>> looking for a HELO/EHLO or non-mail transaction command')
>>
>> I've always dealt with that situation in the rcpt acl:
>>
>>   # some spammers can't be bothered saying HELO
>>   deny condition = ${if eq{$sender_helo_name}{}{yes}{no}}
>>        !hosts = +relay_from_hosts
>>        message = RFCs mandate HELO/EHLO before mail can be sent
> 
> If Exim returns a 5XX banner or a 5XX response to HELO/EHLO, then
> it should continue to return unconditional 5XX responses to all
> other commands (up to a configurable limit, at which point it can
> hang up).  The remote SMTP client should have disconnected immediately
> after the 5XX banner or 5XX HELO/EHLO response, if it fails to do
> so, it should not IMHO be up to each administrator to have to
> implement logic to refuse service to the misbehaved client.

Exim's flexibility is great, so I understand if people are reluctant
about changing the behavior (though "no" means "no"....).

Reading the documentation (not the source), there is no indication that
a deny in acl_smtp_helo doesn't work the way people might expect. So I
guess the documentation should include a warning and an example like

acl_check_helo:
  deny
    condition   = ${if isip{$sender_helo_name}}
    set acl_m_invalidhelo = 1
    message     = Access denied - Invalid HELO name (See RFC2821 4.1.3)
  deny
    condition = ${if match{$sender_helo_name}{$primary_hostname}}
    log_message = HELO is MY primary hostname
    set acl_m_invalidhelo = 1


and checking acl_m_invalidhelo in acl_smtp_rcpt to get a real deny....

(of course the checks could just be moved to acl_smtp_rcpt instead).


-- 
Karlsruher Institut für Technologie (KIT)
Steinbuch Centre for Computing (SCC)

Patrick von der Hagen

Zirkel 2, Gebäude 20.21, Raum 004.2
76131 Karlsruhe
Telefon: +49 721 608-46433
E-Mail: [email protected]
Web: http://www.scc.kit.edu

KIT - Universität des Landes Baden-Württemberg und
nationales Forschungszentrum in der Helmholtz-Gemeinschaft

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
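
The two-ACL arrangement described in the message above, written out in full as an added example (not part of the original post and not taken from the Exim documentation). It uses a connection-scoped acl_c_ variable in place of the post's acl_m_ one, because Exim resets acl_m_ variables on MAIL, so a flag set at HELO time would be gone by RCPT; the variable name acl_c_invalidhelo, the RCPT messages and the relay_from_hosts host list are assumptions.

```exim
# Main configuration section: attach the ACLs to their SMTP phases.
acl_smtp_helo = acl_check_helo
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_helo:
  # HELO/EHLO argument is a bare IP address.
  deny
    condition   = ${if isip{$sender_helo_name}}
    set acl_c_invalidhelo = 1
    message     = Access denied - Invalid HELO name (See RFC2821 4.1.3)

  # HELO/EHLO argument contains our own primary hostname.
  deny
    condition   = ${if match{$sender_helo_name}{$primary_hostname}}
    set acl_c_invalidhelo = 1
    log_message = HELO is MY primary hostname

  accept

acl_check_rcpt:
  # The client ignored the 5xx HELO/EHLO response and carried on.
  # acl_c_ variables last for the whole connection and are never
  # reset, so the refusal holds for every later RCPT on it.
  # (Assumed name; an unset variable expands to the empty string
  # with the default strict_acl_vars = false.)
  deny
    condition   = ${if eq{$acl_c_invalidhelo}{1}}
    message     = Access denied - HELO/EHLO was rejected earlier
    log_message = RCPT after rejected HELO ($sender_helo_name)

  # The client never sent HELO/EHLO at all (check quoted in the thread;
  # assumes a relay_from_hosts host list is defined).
  deny
    condition   = ${if eq{$sender_helo_name}{}{yes}{no}}
    !hosts      = +relay_from_hosts
    message     = RFCs mandate HELO/EHLO before mail can be sent

  # The site's existing RCPT statements continue below, unchanged.
```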
