Hi, Gary -

You might want to check that this *deny* in your acl_check_helo really is currently operating as you hope. Marius Stan asked a question here back in January after finding that issuing a *deny* in that ACL didn't prevent the client from then sending an email. See this thread in the archives:

https://lists.exim.org/lurker/message/20160112.075958.9fce4713.en.html

If memory serves, the RFC says clients *should* issue a HELO/EHLO before any SMTP commands and *must* issue one before starting a mail transaction (e.g., using "MAIL FROM"). However, in practice Marius found that if Exim issued a 5xx rejection to the HELO/EHLO the client could, if it wished, continue with a MAIL FROM. I confirmed this, and furthermore found that Exim was happy to start a mail transaction with MAIL FROM without a HELO/EHLO being issued at all! :-(

Drav Sloan later posted a nice little ACL entry to be used in acl_check_rcpt to enforce RFC compliance by rejecting recipients if no HELO/EHLO had been received. (I think this could in fact probably be put into acl_check_mail to refuse the MAIL FROM rather than the RCPT TO.)

https://lists.exim.org/lurker/message/20160112.162725.27061e53.en.html

Going back to your question, you're not constrained to only checking the *$sender_helo_name* within the acl_check_helo ACL; you could put this or a similar test within acl_check_mail or acl_check_rcpt; you could then position it after the user authenticates.

Cheers,
Mike B-)

On 7 July 2016 at 10:40, Gary Stainburn <[email protected]> wrote:

> I have the following check in acl_check_helo
>
>   deny hosts = !+relay_from_hosts
>        message = Your server with the IP $sender_host_address is with\
>        help name ($sender_helo_name) configured incorrectly. \
>        Email has been blocked. (HELO Error)
>        condition = ${if match{$sender_helo_name}{\\.}{no}{yes}}
>
> This rejects emails if the hello name isn't a FQDN. It is one of the most
> successful checks as it stops a lot of SPAM pretty much as soon as the
> connection is made.
>
> However, I have a number of remote users who use (unfortunately) Windows and
> Office. These laptops use the computer's name as the helo name, e.g.
> LSALES7, which is not valid.
>
> I've had to add additional conditions, one for each laptop to allow them to
> work.
>
>        condition = ${if match{$sender_helo_name}{LSALES7}{no}{yes}}
>
> As I was adding another one today I was wondering if there is a better way.
> Every one of these users authenticates before they are allowed to send
> emails. I was wondering how I could use this information to come up with a
> better solution.
>
> The problem is of course that this check is done before the user
> authenticates.
>
> Does anyone have any ideas?
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/

--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811
Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
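One way to combine the two suggestions in the reply above, as an added example that is not code from either poster or from the linked threads: the FQDN test is moved to the MAIL ACL, where the result of AUTH is already known, and a preceding entry refuses MAIL FROM when no HELO/EHLO was received. It assumes `acl_smtp_mail = acl_check_mail` is set in the main section and that the `relay_from_hosts` host list from the original post exists; the message texts are constructed.

```exim
# Added example, not from the thread. Assumes in the main section:
#   acl_smtp_mail = acl_check_mail
# and the relay_from_hosts host list used in the original post.

acl_check_mail:

  # Local submissions over stdin (exim -bs) have an empty host field.
  accept  hosts          = :

  # Refuse to start a mail transaction when no HELO/EHLO was received.
  # $sender_helo_name is empty in that case, so def: yields false.
  deny    condition      = ${if def:sender_helo_name {no}{yes}}
          message        = HELO/EHLO is required before MAIL FROM

  # FQDN test from acl_check_helo, now evaluated after AUTH.
  # Authenticated clients (e.g. laptops sending LSALES7 as the HELO
  # name) skip it, so no per-machine exception conditions are needed.
  deny    hosts          = !+relay_from_hosts
          !authenticated = *
          condition      = ${if match{$sender_helo_name}{\\.}{no}{yes}}
          message        = HELO name ($sender_helo_name) is not a \
                           fully qualified domain name (HELO Error)

  accept
```

With the test here rather than in acl_check_helo, the rejection is issued in response to MAIL FROM, so a client cannot continue past it the way the reply describes for a 5xx response to HELO/EHLO.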
