Herron has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/372174 )
Change subject: WIP: Add acl to warn on forged HELO messages on lists.wikimedia.org
......................................................................
WIP: Add acl to warn on forged HELO messages on lists.wikimedia.org
For testing/prep purposes log a warning if the remote side is not in the allowed list
and sends a HELO claiming to be a domain, hostname or IP that belongs to us.
Change from warn to delay & drop after testing.
Bug: T173338
Change-Id: I8b9fd41177cc681aa64228f96a83257ef0781ffe
---
M modules/profile/templates/exim/exim4.conf.mailman.erb
1 file changed, 19 insertions(+), 0 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/74/372174/1
diff --git a/modules/profile/templates/exim/exim4.conf.mailman.erb
b/modules/profile/templates/exim/exim4.conf.mailman.erb
index e5b52da..ca3c1ec 100644
--- a/modules/profile/templates/exim/exim4.conf.mailman.erb
+++ b/modules/profile/templates/exim/exim4.conf.mailman.erb
@@ -32,6 +32,7 @@
# Policy control
acl_smtp_connect = acl_check_connect
+acl_smtp_helo = acl_check_helo
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
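Review bot: acl_smtp_helo is run for both HELO and EHLO, which is worth stating in a comment next to this new line (or in the `# Policy control` block above it), because the log messages produced by acl_check_helo only ever say "HELO"; someone debugging a log entry should know that an EHLO from the same host is covered by the same rule and that the hook currently only warns, as the commit message explains.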
@@ -130,6 +131,24 @@
acl_check_connect:
accept
+acl_check_helo:
+
+ # warn if remote tries to send HELO < a local domain > (change from
warn to delay & drop after testing)
+ warn message = HELO failure ref1
+ condition = ${if
match_domain{$sender_helo_name}{+local_domains}{yes}{no}}
+ !hosts = +wikimedia_nets : +relay_from_hosts
+ log_message = HELO failure ref1 (Remote said: HELO
$sender_helo_name which matches a domain listed in local_domains)
+ #delay = 45s
+
+ # warn if remote tries to send HELO < my primary hostname > (change
from warn to delay & drop after testing)
+ warn message = HELO failure ref2
+ condition = ${if match{$sender_helo_name}{$primary_hostname}}
+ !hosts = +wikimedia_nets : +relay_from_hosts
+ log_message = HELO failure ref2 (Remote said: HELO
$sender_helo_name which equals my primary_hostname of $primary_hostname)
+ #delay = 45s
+
+ accept
+
acl_check_data:
# Let's trust local senders to not send out spam
accept hosts = +wikimedia_nets
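Review bot: the second statement's condition `${if match{$sender_helo_name}{$primary_hostname}}` is a regular-expression match, not the equality its log_message claims: `$primary_hostname` is used as an unanchored pattern, so its dots match any character and HELO names that merely contain the hostname, or differ from it only at a dot, also trigger the rule. Use `${if eqi{$sender_helo_name}{$primary_hostname}}` (case-insensitive equality, since HELO names are not case-sensitive) so that the warning, and later the deny, fires only on an exact claim. Two smaller points: the commit message says the check should also cover a HELO claiming one of our IP addresses, but neither statement tests for an address literal such as `[$interface_address]`, so that case will not be logged during the test period; and `message =` on a `warn` verb in the HELO ACL is neither sent to the client nor added as a header (Exim only honours it on warn in the DATA/non-SMTP ACLs), so the `log_message` lines are what actually produce the evidence and the `message` lines only become meaningful once the verb is changed to deny.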
--
To view, visit https://gerrit.wikimedia.org/r/372174
Gerrit-MessageType: newchange
Gerrit-Change-Id: I8b9fd41177cc681aa64228f96a83257ef0781ffe
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Herron <[email protected]>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits