Rejecting connections that have only IP as sender_helo
I was searching through the lists and reading the documentation but I'm
coming up short on blocking IP only senders.

I've seen ACLs checking sender_helo_name using isip{} but that doesn't
seem to do anything for the case of a literal IP:

H=([185.17.76.25])

What's the proper way to check for the above condition and reject it?

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Rejecting connections that have only IP as sender_helo
On 28.05.23 at 04:04, AC via Exim-users wrote:
> I was searching through the lists and reading the documentation but
> I'm coming up short on blocking IP only senders.
>
> I've seen ACLs checking sender_helo_name using isip{} but that doesn't
> seem to do anything for the case of a literal IP:
>
> H=([185.17.76.25])
>
> What's the proper way to check for the above condition and reject it?
>
Simple:

drop    message    = invalid NON-FQDN HELO ($sender_helo_name), \
                     please talk to your mailserveradmin about this
        # unchecked regex, may need adjustment
        condition  = ${if match{$sender_helo_name}{\N^\[[0-9]+.*\N}{0}{1}}
        condition  = ${if match{$sender_helo_name}{\N(\.|:)\N}{0}{1}}
        ... add more rules to your needs...

You should add a rule which skips this if the sender host is its own
localhost via SMTP.

Looks like this in the logs:

2023-05-28 09:36:46 H=(localhost) [117.7.227.162] rejected MAIL <hqih8fu3v6mc@brandcapital.ru>: invalid NON-FQDN HELO (localhost), please talk to your mailserveradmin about this


best regards,
Marius

Re: Rejecting connections that have only IP as sender_helo
On 2023-05-28 01:29, Cyborg via Exim-users wrote:
> On 28.05.23 at 04:04, AC via Exim-users wrote:
>> I was searching through the lists and reading the documentation but
>> I'm coming up short on blocking IP only senders.
>>
>> I've seen ACLs checking sender_helo_name using isip{} but that doesn't
>> seem to do anything for the case of a literal IP:
>>
>> H=([185.17.76.25])
>>
>> What's the proper way to check for the above condition and reject it?
>>
> Simple:
>
> drop    message    = invalid NON-FQDN HELO ($sender_helo_name), \
>                      please talk to your mailserveradmin about this
>         # unchecked regex, may need adjustment
>         condition  = ${if match{$sender_helo_name}{\N^\[[0-9]+.*\N}{0}{1}}
>         condition  = ${if match{$sender_helo_name}{\N(\.|:)\N}{0}{1}}
>         ... add more rules to your needs...
>
> You should add a rule which skips this if the sender host is its own
> localhost via SMTP.
>
> Looks like this in the logs:
>
> 2023-05-28 09:36:46 H=(localhost) [117.7.227.162] rejected MAIL <hqih8fu3v6mc@brandcapital.ru>: invalid NON-FQDN HELO (localhost), please talk to your mailserveradmin about this
>
>
> best regards,
> Marius
>

Thanks, I already did check localhost but it appears what I was after
was actually sender_host_name being empty which, from what I understand,
is what H=([ip]) actually represents in the logs (if that's not the case
hopefully someone can correct me).

Now, along the same lines, which ACL would handle the TLS connection
phase (the portion of the connection where the error: "TLS error on
connection from ... (gnutls_handshake): The TLS connection was
non-properly terminated")? I'd like to put a similar rule in to block
connections from IP only sources.

Re: Rejecting connections that have only IP as sender_helo
On 28 May 2023 at 9:35:07 UTC, user AC via Exim-users <exim-users@lists.exim.org> wrote:

>Thanks, I already did check localhost but it appears what I was after was actually sender_host_name being empty which, from what I understand, is what H=([ip]) actually represents in the logs (if that's not the case hopefully someone can correct me).

There are two names for a remote client: the one used in the EHLO
SMTP command and the one from the IP's PTR record.

The EHLO name is shown in the log only if it differs from the (confirmed)
PTR name.

The PTR name is in the log only if that name's IP matches the client's
IP (is confirmed) and Exim is configured to obtain that PTR
name (I do it on the MTA but don't do it on the MSA).

Thus the full host entry in the log has this format (if the EHLO & PTR names
differ):

H=ptr_name (ehlo_name) [client_ip]

The log entry "H=([ip]) ..." means that there is no (confirmed)
PTR name and the client used an IP literal as the EHLO name. It is expected
on an MSA (from users), but AFAIK it is not to be used by MTAs
nowadays (I do not accept it). An address literal is basically an
IP (with a prefix for IPv6) enclosed in square brackets, thus a
simple ${sg} regex can detect it...

These square brackets can be confusing, as the real IP is
enclosed in them in the logs too, but notice the "normal" brackets,
which enclose the EHLO name...

Check the docs for the appropriate variables for these names and
related settings; they are in multiple different places.

regards


--
Slavko
https://www.slavino.sk/

Re: Rejecting connections that have only IP as sender_helo
On 28/05/2023 03:04, AC via Exim-users wrote:
> I've seen ACLs checking sender_helo_name using isip{} but that doesn't seem to do anything for the case of a literal IP:
>
> H=([185.17.76.25])
>
> What's the proper way to check for the above condition and reject it?

There's no "One True Way".

Here's one possible:

deny condition = ${if isip{${sg{$sender_helo_name} {\N^[[](.*)]$\N} {$1}}}}

> what I was after was actually sender_host_name being empty which, from what I understand, is what H=([ip]) actually represents in the logs (if that's not the case hopefully someone can correct me).

No. Please read the docs on $sender_host_name:

https://exim.org/exim-html-current/doc/html/spec_html/ch-string_expansions.html


> Now, along the same lines, which ACL would handle the TLS connection phase (the portion of the connection where the error: "TLS error on connection from ... (gnutls_handshake): The TLS connection was non-properly terminated")?

That could be associated with several ACLs; they act on SMTP commands
received, but that error is a TLS-level thing (a layer down in the
protocol stack).

> I'd like to put a similar rule in to block connections from IP only sources.

You need to re-evaluate.
--
Cheers,
Jeremy


Re: Rejecting connections that have only IP as sender_helo
On 2023-05-28 03:10, Slavko via Exim-users wrote:
> On 28 May 2023 at 9:35:07 UTC, user AC via Exim-users <exim-users@lists.exim.org> wrote:
>
>> Thanks, I already did check localhost but it appears what I was after was actually sender_host_name being empty which, from what I understand, is what H=([ip]) actually represents in the logs (if that's not the case hopefully someone can correct me).
>
> There are two names for a remote client: the one used in the EHLO
> SMTP command and the one from the IP's PTR record.
>
> The EHLO name is shown in the log only if it differs from the (confirmed)
> PTR name.
>
> The PTR name is in the log only if that name's IP matches the client's
> IP (is confirmed) and Exim is configured to obtain that PTR
> name (I do it on the MTA but don't do it on the MSA).
>
> Thus the full host entry in the log has this format (if the EHLO & PTR names
> differ):
>
> H=ptr_name (ehlo_name) [client_ip]
>
> The log entry "H=([ip]) ..." means that there is no (confirmed)
> PTR name and the client used an IP literal as the EHLO name. It is expected
> on an MSA (from users), but AFAIK it is not to be used by MTAs
> nowadays (I do not accept it). An address literal is basically an
> IP (with a prefix for IPv6) enclosed in square brackets, thus a
> simple ${sg} regex can detect it...
>
> These square brackets can be confusing, as the real IP is
> enclosed in them in the logs too, but notice the "normal" brackets,
> which enclose the EHLO name...
>
> Check the docs for the appropriate variables for these names and
> related settings; they are in multiple different places.
>
> regards
>
>

Thank you for the clarification. So in the case of the log showing
H=(hostname) [ip] then the HELO/EHLO name matched the hostname obtained
by RDNS of the ip but if I saw H=hostname (other_hostname) [ip] then the
HELO/EHLO did not match the RDNS of the IP? What about when the hostname
is not in parentheses, in this format: H=hostname [ip]?

I ask because I tried implementing this deny rule:

${if def:sender_host_name {no}{yes}}

And this rule is triggering on cases where I have H=(hostname) [ip]
but not in cases where I have H=hostname [ip]

An example from my recent logs:

H=cumin.exim.org [37.120.190.30]
This passed the above rule (meaning it found sender_host_name and
returned "no")

H=(223-22-233-97.mobile.dynamic.aptg.com.tw) [223.22.233.97]
This failed the above rule (sender_host_name was not defined and the
rule returned "yes")

Re: Rejecting connections that have only IP as sender_helo
On 28/05/2023 11:34, AC via Exim-users wrote:
> What about when the hostname is not in parenthesis in this format H=hostname [ip]?

https://exim.org/exim-html-current/doc/html/spec_html/ch-log_files.html
--
Cheers,
Jeremy


Re: Rejecting connections that have only IP as sender_helo
On 28 May 2023 at 10:34:33 UTC, user AC via Exim-users <exim-users@lists.exim.org> wrote:

>Thank you for the clarification. So in the case of the log showing H=(hostname) [ip] then the HELO/EHLO name matched the hostname obtained by RDNS of the ip but if I saw H=hostname (other_hostname) [ip] then the HELO/EHLO did not match the RDNS of the IP? What about when the hostname is not in parenthesis in this format H=hostname [ip]?

Consider a PTR record returning "example.org" and the client
sends "example.org" in EHLO, thus the EHLO name matches the
PTR name; two cases can happen:

+ The PTR name is confirmed, thus the variable has that name
and in the log:

H=example.org [IP]

+ The PTR name is not confirmed, thus the variable has no
value and in the log:

H=(example.org) [IP]

Now consider a PTR record returning "example.org" and the client
sends "example.com" in EHLO, thus the EHLO name doesn't match the
PTR name; two cases can happen again:

+ The PTR name is confirmed, thus the variable has that name
and in the log:

H=example.org (example.com) [IP]

+ The PTR name is not confirmed, thus the variable has no
value and in the log:

H=(example.com) [IP]

In other words, one can distinguish different EHLO &
PTR names if the PTR was confirmed. If the PTR was not
confirmed, one cannot know from the log entry whether these names match
or not, nor whether the PTR was not confirmed
or doesn't exist at all. One cannot even know
whether the PTR is missing or the IP of that name is missing...

When I started to deal with that, I even drew a flowchart,
but once you get it, it is simple ;-)

>I ask because I tried implementing this deny rule:
>
>${if def:sender_host_name {no}{yes}}

You can simplify that condition by negation and
leave the default ${if} results in most cases:

${if !def:sender_host_name}

>H=cumin.exim.org [37.120.190.30]

PTR confirmed (and matches EHLO), thus the variable has a
value (is defined).

>H=(223-22-233-97.mobile.dynamic.aptg.com.tw) [223.22.233.97]

PTR missing or not confirmed, thus the variable is empty
(is not defined).

Note, an empty variable (value) is the same as not defined;
the def: condition references the variable's value, not the variable
itself...

regards


--
Slavko
https://www.slavino.sk/
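An added example (not from the thread or from the Exim project) that applies Slavko's reading of the H= log field above and Jeremy's bracket-stripping isip check to sample log lines in Python. The sample lines are constructed (two H= values are taken from the thread, the rest are made up), and treating an unlogged EHLO as equal to the confirmed PTR name follows Slavko's explanation, not anything the code can verify from the line itself.

```python
import ipaddress
import re

# Shapes of Exim's H= log field discussed in the thread:
#   H=ptr_name (ehlo_name) [ip]   PTR confirmed, EHLO differs from it
#   H=ptr_name [ip]               PTR confirmed, EHLO equal to it (not logged)
#   H=(ehlo_name) [ip]            PTR missing/unconfirmed, EHLO logged
HOST_RE = re.compile(r"H=(?P<ptr>[^\s(\[]+)?\s*(?:\((?P<ehlo>[^)]*)\))?\s*\[(?P<ip>[^\]]+)\]")

# Constructed sample lines: the first two H= values appear in the thread, the
# third extends the OP's value, the last two use documentation addresses.
SAMPLE_LINES = [
    "2023-05-28 09:36:46 H=(localhost) [117.7.227.162] rejected MAIL",
    "H=cumin.exim.org [37.120.190.30]",
    "H=([185.17.76.25]) [185.17.76.25]",
    "H=example.org (example.com) [192.0.2.10]",
    "H=([IPv6:2001:db8::1]) [2001:db8::1]",
]

def parse_host_field(line):
    """Return (ptr_name, ehlo_name, ip) from the H= field, or None."""
    m = HOST_RE.search(line)
    return (m.group("ptr"), m.group("ehlo"), m.group("ip")) if m else None

def is_address_literal(helo):
    # Jeremy's ACL idea in Python: strip one pair of square brackets (his ${sg})
    # and test the remainder as an IP (his isip). The RFC 5321 "[IPv6:...]" tag
    # is handled here too, which his regex alone would not accept.
    if not helo or len(helo) < 2 or helo[0] != "[" or helo[-1] != "]":
        return False
    inner = helo[1:-1]
    inner = inner[5:] if inner.lower().startswith("ipv6:") else inner
    try:
        return ipaddress.ip_address(inner) is not None
    except ValueError:
        return False

def classify(line):
    """Interpret one H= field following Slavko's confirmed/unconfirmed cases."""
    parsed = parse_host_field(line)
    if parsed is None:
        return None
    ptr, ehlo, ip = parsed
    return {
        "ip": ip,
        "ptr_confirmed": ptr is not None,  # $sender_host_name is defined only then
        "ehlo": ehlo if ehlo is not None else ptr,  # unlogged EHLO equals confirmed PTR
        "ehlo_is_address_literal": is_address_literal(ehlo),
    }
```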
