On 25/01/18 10:24, Sebastian Arcus via Exim-users wrote:
On 25/01/18 09:20, Jeremy Harris wrote:
On 25/01/18 05:56, Sebastian Arcus via Exim-users wrote:
I can see in the ratelimit db quite a few hosts
which have reached the 5/24h limit. But strangely in the Exim log I
can't see the appropriate reject messages - although I can see reject
messages for various other ACLs I've set up. Searching by the offending
IP addresses in the logs, I can see them retrying over and over again -
and yet my initial connect ACL never seems to kick in and deny the
connection. I can't really think of a reason for this.

Test with -bh and -d


I tried running a connection test on one of the IP addresses which show as having reached 5.0 in the ratelimit database, and I get:

ratelimit computed rate 4.6

I suppose this is because some time has passed since their last connection - and I think that's why it doesn't work as expected. I think I need to have the first ACL - on connect, which is read-only in my case - check for 5, but the others check for a higher number. It seems that the ratelimit in the other ACLs increases the counter to 5, but then, by the time the client connects again, the counter in the db is just below 5 (for example 4.9) - so the ratelimit condition in the connect ACL is never true - while at the same time the later ACLs, which are supposed to increase the counter, don't do it any more, as it would take it past 5.0. I will try something like below, to see if it works:

acl_check_connect:

  drop  message   = Temporary ban - too many retries
        ratelimit = 5 / 24h / per_conn / readonly


acl_check_helo:

  deny  message    = "Bad HELO (impersonates our host)"
        condition  = ${if match{$sender_helo_name}{$primary_hostname}}
        !ratelimit = 10 / 24h / per_conn / leaky

acl_check_rcpt:

  deny  message    = Relay is not permitted
        !domains   = +local_domains : +relay_to_domains
        !ratelimit = 10 / 24h / per_conn / leaky

In case it helps anybody - I can confirm that the code above works and the naughty hosts are being blocked at connection time now. As explained in my other post, I prefer to use 'leaky' for the ACLs which increase the counter - but with a higher limit than the ACL which does the rejection. This is so that the counters don't increase out of control, in case of misconfiguration (such as commenting out by accident the ACL which does the blocking, for example).

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
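The reasoning in the thread (a readonly check at 5 that never fires while leaky updates are capped at the same 5, and the fix of raising the update limit to 10) can be reproduced with a small simulation. The code below is an added example, not part of the list posts and not Exim's own code: it models the ratelimit hints database as a simplified exponentially decaying average (the exact decay and first-event handling are assumptions, not Exim's source), runs a constructed client (192.0.2.10) through the poster's connect and rcpt ACLs once an hour, and counts which statement ends each connection. It also models what happens when a deny's `!ratelimit` condition turns false, which the thread's config makes possible, and what happens with the connect-time drop commented out, the misconfiguration the poster mentions.

```python
import math
from dataclasses import dataclass

PERIOD = 24 * 3600.0      # the thread's 24h period, in seconds
HOST = "192.0.2.10"       # constructed client address (documentation range)


@dataclass
class Record:
    rate: float           # smoothed rate, in events per PERIOD
    stamp: float          # time of the last stored update, in seconds


class RatelimitDB:
    """Toy model of Exim's ratelimit hints database. The decay formula is a
    simplification of Exim's exponentially decaying average (assumption), and
    an unseen client's first event is counted as one event per period."""

    def __init__(self):
        self.records = {}

    def decayed_rate(self, key, now):
        """Stored rate decayed to 'now', without counting a new event."""
        rec = self.records.get(key)
        if rec is None:
            return 0.0
        return rec.rate * math.exp(-(now - rec.stamp) / PERIOD)

    def condition(self, key, limit, now, mode):
        """Evaluate 'ratelimit = limit / 24h / per_conn / mode' for one
        connection. Returns True when the client is at or over the limit."""
        if mode == "readonly":
            return self.decayed_rate(key, now) >= limit   # look, never store
        rec = self.records.get(key)
        if rec is None:
            rate = 1.0                                     # assumption: first event
        else:
            i_over_p = (now - rec.stamp) / PERIOD
            if i_over_p <= 0:
                rate = rec.rate + 1.0                      # same instant: just add one
            else:
                a = math.exp(-i_over_p)
                rate = a * rec.rate + (1 - a) / i_over_p   # decay, then add this event
        over = rate >= limit
        if mode == "leaky" and over:
            rate = float(limit)        # leaky: never store more than the limit
        self.records[key] = Record(rate, now)   # strict stores unconditionally
        return over


def handle_connection(db, now, update_limit, connect_check=True):
    """One connection through the thread's ACLs. Returns which statement ended
    it: 'connect' (dropped early), 'rcpt' (relay denied and counted), or
    'fallthrough' (the deny's !ratelimit was false, so the deny did not apply)."""
    # acl_check_connect:  drop  ratelimit = 5 / 24h / per_conn / readonly
    if connect_check and db.condition(HOST, 5, now, "readonly"):
        return "connect"
    # acl_check_rcpt:  deny  !domains = ...  !ratelimit = N / 24h / per_conn / leaky
    # (the constructed client always tries to relay, so !domains is true)
    if not db.condition(HOST, update_limit, now, "leaky"):
        return "rcpt"
    return "fallthrough"


def simulate(update_limit, connect_check=True, attempts=48, interval=3600.0):
    """Constructed scenario: the same host retries a relay attempt every hour
    for two days. Returns a count of outcomes per ACL statement."""
    db = RatelimitDB()
    counts = {"connect": 0, "rcpt": 0, "fallthrough": 0}
    for n in range(attempts):
        counts[handle_connection(db, n * interval, update_limit, connect_check)] += 1
    return counts


if __name__ == "__main__":
    print("update limit 5  (all ACLs at 5):   ", simulate(5))
    print("update limit 10 (the poster's fix):", simulate(10))
    print("update limit 10, connect drop off: ", simulate(10, connect_check=False))
```

With every ACL at 5 the readonly check at connect time never fires, exactly as the poster saw: the stored rate is capped at 5.0 and has decayed to about 4.8 by the next hourly connection. With the update limit raised to 10 the stored rate can pass 5 and the connect-time drop starts catching the host. The third run shows the caveat worth keeping in mind with this config: a `deny` whose conditions include `!ratelimit` stops applying once the client reaches the limit (the negated condition becomes false), so with the connect-time drop disabled the relay deny no longer applies after the rate reaches 10 and the connection proceeds to whatever statement follows it in acl_check_rcpt, which the thread does not show.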
