On 10/06/2021 13:52, Cyborg via Exim-users wrote:
After reading the paper a bit closer, rejecting the entire connection when an HTTP header line is detected seems to be the only valid option here, as long as ALPN isn't implemented widely.
Do we need ACL-level visibility of a synprot-rejected line?
Heiko's suggestion to set smtp_max_synprot_errors = 0 is the workaround to go atm.
But, ALPN implemented by what protocols?

If the common attack method uses HTTPS to attack an SMTP server, and the clients for the former do ALPN, we could usefully update Exim to refuse TLS connections offering any ALPN (or, perhaps, any but "ESMTP" - though that really ought to be registered at https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids ). Doing that doesn't need any action or development on the part of other MTAs.

I'll admit it only helps for dumb attackers who use a ready-made webclient.

The next level would be something like
- server option hosts_require_alpn
- client options hosts_offer_alpn, hosts_require_alpn
And logging.

-- 
Cheers,
  Jeremy
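As an added illustration of the workaround discussed above (not code from Exim or from anyone in the thread), the following Python model shows what a synprot-error budget of 0 does to a cross-protocol client: the first line that is not an SMTP command, such as an HTTP request line or header line, gets one error response and the whole connection is dropped, instead of being tolerated up to the default budget. The reply strings, the log wording and the peer address 203.0.113.7 are constructed for the example; only the budget semantics (drop once the count exceeds the configured maximum) follow the documented meaning of smtp_max_synprot_errors.

```python
"""Model of an SMTP command reader with a syntax/protocol-error budget.

Added example, not Exim code. With max_synprot_errors=0 (the thread's
"smtp_max_synprot_errors = 0" workaround) the first non-SMTP line ends
the session; with a larger budget an HTTP-speaking client gets several
reads before the connection is dropped.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SMTP_VERBS = {
    "HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT",
    "STARTTLS", "AUTH", "VRFY", "EXPN", "HELP",
}
# Request line like "POST / HTTP/1.1" and header lines like "Host: x".
HTTP_REQUEST_LINE = re.compile(
    r"^(?:GET|POST|PUT|HEAD|OPTIONS|DELETE|PATCH|CONNECT|TRACE) \S+ HTTP/\d\.\d$"
)
HTTP_HEADER_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*: ")


def classify_line(line: str) -> str:
    """Return "smtp", "http" or "unknown" for one received command line."""
    verb = line.split(" ", 1)[0].upper()
    if verb in SMTP_VERBS:
        return "smtp"
    if HTTP_REQUEST_LINE.match(line) or HTTP_HEADER_LINE.match(line):
        return "http"
    return "unknown"


@dataclass
class SessionResult:
    responses: List[str] = field(default_factory=list)   # what the server sent
    log: List[str] = field(default_factory=list)         # constructed log lines
    dropped: bool = False
    drop_reason: Optional[str] = None                    # classification of the fatal line


def run_session(lines, max_synprot_errors: int = 0, peer: str = "203.0.113.7") -> SessionResult:
    """Feed command lines to the model server and return replies, log and drop state.

    DATA bodies are not modelled; the constructed transcripts avoid DATA.
    """
    result = SessionResult()
    errors = 0
    for line in lines:
        kind = classify_line(line)
        if kind == "smtp":
            if line.split(" ", 1)[0].upper() == "QUIT":
                result.responses.append("221 closing connection")
                break
            result.responses.append("250 OK")
            continue
        # Anything else is a syntax/protocol error and counts against the budget.
        errors += 1
        result.responses.append("500 unrecognized command")
        result.log.append(f"SMTP syntax error from [{peer}] kind={kind} line={line!r}")
        if errors > max_synprot_errors:
            result.responses.append("421 too many syntax or protocol errors")
            result.log.append(f"SMTP call from [{peer}] dropped: too many syntax or protocol errors")
            result.dropped = True
            result.drop_reason = kind
            break
    return result


# Constructed transcripts: a normal client and an HTTP client talking to the SMTP port.
GOOD_SESSION = ["EHLO client.example", "MAIL FROM:<a@example>", "RCPT TO:<b@example>", "QUIT"]
HTTP_SESSION = ["POST / HTTP/1.1", "Host: mail.example", "Content-Length: 0", ""]

if __name__ == "__main__":
    for budget in (0, 3):
        r = run_session(HTTP_SESSION, max_synprot_errors=budget)
        print(f"budget={budget}: {len(r.responses)} replies, dropped={r.dropped}, reason={r.drop_reason}")
        for entry in r.log:
            print("  ", entry)
```

Run it to compare the two budgets: with 0 the HTTP client receives exactly one 500 and the 421 and never gets a second read, which is the behaviour the thread wants; with the default-like budget of 3 it is answered four times before the drop. The log entries are the kind of per-line record that an ACL-level hook would need to expose to make a synprot rejection visible.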
