Discussion:
Blocking incessant relay testers with Exim 4
Juha Saarinen
1970-01-01 00:00:00 UTC
As any MTA operator will quickly notice, relay testing by spammers is a
common occurrence. Worse, many of the idiots doing the testing ignore the
"Relay not permitted" and carry on testing, over and over again.

I'd like to deny SMTP connections to certain hosts and IP blocks, and was
wondering what is the best way of doing it with Exim 4. I can do it quite
easily with an ACL on the router, but would prefer to maintain a file with
host IP address and ranges for the MTA instead.

Thought host_reject_connection would be the way to go, initially, but
the Spec says it's better to reject at a later stage. What's the reasoning
for this?



--
Juha Saarinen


--

## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
Dave C.
2002-06-12 00:57:21 UTC
Post by Juha Saarinen
As any MTA operator will quickly notice, relay testing by spammers is a
common occurrence. Worse, many of the idiots doing the testing ignore the
"Relay not permitted" and carry on testing, over and over again.
1. Contact the idiots' ISP and tell them they have spammers on their
networks. Worse yet, they have DUMB spammers who are too stupid to
realize their relays are failing.

2. If it continues, get your router admin to put an IP level block in to
prevent all traffic from the relevant IP's..
Post by Juha Saarinen
I'd like to deny SMTP connections to certain hosts and IP blocks, and was
wondering what is the best way of doing it with Exim 4. I can do it quite
easily with an ACL on the router, but would prefer to maintain a file with
host IP address and ranges for the MTA instead.
You can reference such a file from within an ACL.
Post by Juha Saarinen
Thought host_reject_connection would be the way to go, initially, but
the Spec says it's better to reject at a later stage. What's the reasoning
for this?
Some hosts are braindead and will keep trying over and over. Of course,
some will keep trying regardless of where you reject.

Juha Saarinen
2002-06-12 01:05:01 UTC
Post by Dave C.
1. Contact the idiots' ISP and tell them they have spammers on their
networks. Worse yet, they have DUMB spammers who are too stupid to
realize their relays are failing.
BTDT, no response. And, I'm not the only one to complain.
http://makeashorterlink.com/?P32A21A01
Post by Dave C.
2. If it continues, get your router admin to put an IP level block in
to prevent all traffic from the relevant IP's..
Router admin? Hey... that's me! ;-)
Post by Dave C.
You can reference such a file from within an ACL.
Yes, unless I misunderstand it, there's no way to refuse SMTP connections to
specific host IP addresses and/or IP address ranges with ACLs.
Post by Dave C.
Some hosts are braindead and will keep trying over and over. Of
course, some will keep trying regardless of where you reject.
Looks like another router block then.

Cheers,

--
Juha

Dave C.
2002-06-12 01:07:27 UTC
Post by Juha Saarinen
Post by Dave C.
1. Contact the idiots' ISP and tell them they have spammers on their
networks. Worse yet, they have DUMB spammers who are too stupid to
realize their relays are failing.
BTDT, no response. And, I'm not the only one to complain.
http://makeashorterlink.com/?P32A21A01
Post by Dave C.
2. If it continues, get your router admin to put an IP level block in
to prevent all traffic from the relevant IP's..
Router admin? Hey... that's me! ;-)
Post by Dave C.
You can reference such a file from within an ACL.
Yes, unless I misunderstand it, there's no way to refuse SMTP connections to
specific host IP addresses and/or IP address ranges with ACLs.
I'm not sure if there is a way to completely refuse connections from
within exim at all. host_reject_connections does the following:

# telnet 127.0.0.2 25
Trying 127.0.0.2...
Connected to 127.0.0.2 (127.0.0.2).
Escape character is '^]'.
554 SMTP service not available
Post by Juha Saarinen
Post by Dave C.
Some hosts are braindead and will keep trying over and over. Of
course, some will keep trying regardless of where you reject.
Looks like another router block then.
Cheers,
Philip Hazel
2002-06-12 10:45:14 UTC
Post by Dave C.
I'm not sure if there is a way to completely refuse connections from
# telnet 127.0.0.2 25
Trying 127.0.0.2...
Connected to 127.0.0.2 (127.0.0.2).
Escape character is '^]'.
554 SMTP service not available
... then drops the connection. That's all it can do. True "blocking" has
to happen before the connection gets to Exim, that is, in a router or in
the host's TCP/IP stack, or using TCPWrappers or similar.


--
Philip Hazel University of Cambridge Computing Service,
***@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.

Juha Saarinen
1970-01-01 00:00:00 UTC
Post by Philip Hazel
... then drops the connection. That's all it can do. True "blocking"
has to happen before the connection gets to Exim, that is, in a router
or in the host's TCP/IP stack, or using TCPWrappers or similar.
Thanks Philip, for the input.

I'll think about this some more, after the World Cup... Sweden-Argentina:
1-1; England-Nigeria: 0-0. :-)

--
Juha Saarinen

Greg A. Woods
2002-06-12 19:07:14 UTC
[ On Wednesday, June 12, 2002 at 11:45:14 (+0100), Philip Hazel wrote: ]
Subject: Re: [Exim] Blocking incessant relay testers with Exim 4
Post by Dave C.
I'm not sure if there is a way to completely refuse connections from
# telnet 127.0.0.2 25
Trying 127.0.0.2...
Connected to 127.0.0.2 (127.0.0.2).
Escape character is '^]'.
554 SMTP service not available
... then drops the connection. That's all it can do. True "blocking" has
to happen before the connection gets to Exim, that is, in a router or in
the host's TCP/IP stack, or using TCPWrappers or similar.
Not TCP Wrappers -- the connection is already set up when it gets it....

Host-based firewalling works though (i.e. in the host's TCP/IP stack).
With IP Filter you can either drop the packet, return host unreachable,
or return a TCP ReSeT (making it immediately look like the host exists
but doesn't run a mail server).

--
Greg A. Woods

+1 416 218-0098; <***@acm.org>; <***@ieee.org>; <***@robohack.ca>
Planix, Inc. <***@planix.com>; VE3TCP; Secrets of the Weird <***@weird.com>

Dave C.
2002-06-17 18:08:38 UTC
Post by Philip Hazel
Post by Dave C.
I'm not sure if there is a way to completely refuse connections from
# telnet 127.0.0.2 25
Trying 127.0.0.2...
Connected to 127.0.0.2 (127.0.0.2).
Escape character is '^]'.
554 SMTP service not available
... then drops the connection. That's all it can do. True "blocking" has
to happen before the connection gets to Exim, that is, in a router or in
the host's TCP/IP stack, or using TCPWrappers or similar.
Currently, there is no way to do this based on a dnsbl lookup in exim4
(that I can tell).

How hard would it be to add an "acl_smtp_call" ?

Currently, hosts listed in a dnsbl called from acp_rcpt have the
opportunity to send a whole ton of RCPT TO's, each one getting a 5xx.
This takes up lots of resources.

Perhaps that above would help cut this down. It could have a sanity
delay of 5s or so, just to prevent such a host from repeatedly
connecting too frequently.

Matthew Byng-Maddick
2002-06-17 20:30:41 UTC
Post by Dave C.
Perhaps that above would help cut this down. It could have a sanity
delay of 5s or so, just to prevent such a host from repeatedly
connecting too frequently.
2821 S4.5.3.2

Initial 220 Message: 5 minutes
MAIL Command: 5 minutes
RCPT Command: 5 minutes

You can go much better than 5s if they're being annoying. Because you're
not going to accept any mail from them, you don't have to worry about the
duplicate problem because they're never going to get that far. You just
give them a 5xx after 4 minutes to everything they send. :-)

MBM (Uses SAUCE to do that bit for him)

--
Matthew Byng-Maddick <***@colondot.net> http://colondot.net/

Philip Hazel
2002-06-18 08:19:21 UTC
Post by Dave C.
Post by Philip Hazel
... then drops the connection. That's all it can do. True "blocking" has
to happen before the connection gets to Exim, that is, in a router or in
the host's TCP/IP stack, or using TCPWrappers or similar.
Currently, there is no way to do this based on a dnsbl lookup in exim4
(that I can tell).
How hard would it be to add an "acl_smtp_call" ?
Easy enough, but it doesn't really help. The connection still has to be
made and passed to Exim before it could run such an ACL. This is the
same effect as host_reject_connection.
Post by Dave C.
Currently, hosts listed in a dnsbl called from acp_rcpt have the
opportunity to send a whole ton of RCPT TO's, each one getting a 5xx.
This takes up lots of resources.
Ah, I see your point; host_reject_connection doesn't allow for dnslist
lookups.

An alternative would be acl_smtp_mail, to operate for MAIL commands.

When I implemented the ACLs, I deliberately implemented what I thought
were the minimum possible number of them, to see how it worked out. Not
providing them for connections and MAIL was intentional. I wanted to
encourage people to reject RCPTs because that's the best way to
discourage clients. Also, that is the point at which you can best
implement exceptions such as "always allow mail to postmaster". If you
reject earlier, you cannot allow these exceptions.

I have put this on the Wish List, but I am still rather wary of
implementing it because it will be easy for people to use
inappropriately.
Post by Dave C.
Perhaps that above would help cut this down. It could have a sanity
delay of 5s or so, just to prevent such a host from repeatedly
connecting too frequently.
The existing ratelimiting on RCPTS could have a similar effect. Does it
use more resources to have one process rejecting RCPTS very, very
slowly, or instead to reject connections (or MAIL) and have the client
keep calling, thus requiring the repeated setup of a new connection and
a new process? I would not be surprised to find the former is "cheaper".

Anybody else have views on this?

--
Philip Hazel University of Cambridge Computing Service,
***@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.

Dave C.
2002-06-18 14:51:16 UTC
Post by Philip Hazel
Post by Dave C.
Post by Philip Hazel
... then drops the connection. That's all it can do. True "blocking" has
to happen before the connection gets to Exim, that is, in a router or in
the host's TCP/IP stack, or using TCPWrappers or similar.
Currently, there is no way to do this based on a dnsbl lookup in exim4
(that I can tell).
How hard would it be to add an "acl_smtp_call" ?
Easy enough, but it doesn't really help. The connection still has to be
made and passed to Exim before it could run such an ACL. This is the
same effect as host_reject_connection.
If you made more ACL's, a lot of the individual options like
host_reject_connection could be obsoleted.
Post by Philip Hazel
Post by Dave C.
Currently, hosts listed in a dnsbl called from acp_rcpt have the
opportunity to send a whole ton of RCPT TO's, each one getting a 5xx.
This takes up lots of resources.
Ah, I see your point; host_reject_connection doesn't allow for dnslist
lookups.
I believe it currently sends a 4xx code, I'd really like to send a 5xx
code to DNSBL-listed hosts. In fact, it would be nice to have this
facility built right into the deny or require like 'message =' is..
Perhaps 'code ='
Post by Philip Hazel
An alternative would be acl_smtp_mail, to operate for MAIL commands.
When I implemented the ACLs, I deliberately implemented what I thought
were the minimum possible number of them, to see how it worked out. Not
providing them for connections and MAIL was intentional. I wanted to
encourage people to reject RCPTs because that's the best way to
discourage clients. Also, that is the point at which you can best
implement exceptions such as "always allow mail to postmaster". If you
reject earlier, you cannot allow these exceptions.
Is there a 'best' way to discourage clients? I'm not terribly interested
in making exceptions, I don't want spam at postmaster@ any more than at
any other address.

I actually sort of liked the exim3 way, where it would first reject the
data, then the mail, then the rcpts.

Perhaps a way to cache information from the ACL's when a deny is issued,
which can be referenced on a subsequent connection in other ACL's, would
be useful. Other counters/caches would be nice too. For instance,
variables to count the number of commands received, the number of each,
the number accepted, would all be nice to implement in an acl. In fact,
with those, even the ratelimiting could be moved into an ACL, if a
'delay =' was added.
Post by Philip Hazel
I have put this on the Wish List, but I am still rather wary of
implementing it because it will be easy for people to use
inappropriately.
People will always find a way to use features inappropriately (refer to
recent thread where some misguided individual was trying to do routing
in a system filter based on the headers) - Is that a good reason to
limit the flexibility of exim for those that do know what they are
doing?

The ACL's are great, it would be nice to move more of the power and
flexibility into them, removing a lot of hard-coded logic, and even
reducing the need for it in the future.
Post by Philip Hazel
Post by Dave C.
Perhaps that above would help cut this down. It could have a sanity
delay of 5s or so, just to prevent such a host from repeatedly
connecting too frequently.
The existing ratelimiting on RCPTS could have a similar effect. Does it
use more resources to have one process rejecting RCPTS very, very
slowly, or instead to reject connections (or MAIL) and have the client
keep calling, thus requiring the repeated setup of a new connection and
a new process? I would not be surprised to find the former is "cheaper".
Hrm. You do make a good point. It's just annoying to have thousands of
entries in the log from hosts that we are never going to accept any
mail from. I wonder what the best way to implement a way to have a
trigger for 'if we're not going to accept any mail from this host,
generate a summary log line instead' (eg, 'rejected 1234 RCPT's from
x.x.x.x')
Post by Philip Hazel
Anybody else have views on this?
Philip Hazel
2002-06-18 15:50:13 UTC
Post by Dave C.
If you made more ACL's, a lot of the individual options like
host_reject_connection could be obsoleted.
I don't think there are many, actually, though that is indeed one.
Post by Dave C.
Post by Philip Hazel
Ah, I see your point; host_reject_connection doesn't allow for dnslist
lookups.
I believe it currently sends a 4xx code, I'd really like to send a 5xx
No, it sends "554 SMTP service not available".
Post by Dave C.
Is there a 'best' way to discourage clients?
Experience in the past was that only 5xx to RCPTs discouraged some
clients. 5xx on connection or after MAIL or after DATA did not. I don't
know if the situation in general has changed recently.
Post by Dave C.
I actually sort of liked the exim3 way, where it would first reject the
data, then the mail, then the rcpts.
Exim 3 developed into that baroque style as we discovered that rejects
after DATA and then after MAIL "didn't work". I threw it all away as
overkill bloat in Exim 4. (Besides, you can now choose between RCPT and
DATA for yourself.)
Post by Dave C.
Perhaps a way to cache information from the ACL's when a deny is issued,
which can be referenced on a subsequent connection in other ACL's, would
be useful.
More complication, more disc use, more interaction between processes,
leading to more contention and maybe bottlenecks. Those are the
arguments against that kind of thing. I'm not saying "never", or that
it's a bad thing, just that it will slow things down.
Post by Dave C.
Other counters/caches would be nice too. For instance,
variables to count the number of commands received, the number of each,
the number accepted, would all be nice to implement in an acl. In fact,
with those, even the ratelimiting could be moved into an ACL, if a
'delay =' was added.
Exim is not designed to keep centralized information, so that its
processes don't have to interact with each other. Bodging something into
the existing design would probably not be very nice, and might well
perform lousily. For something fundamental like this, some entirely new
design is needed. I don't know what that is, but I feel in my bones that
this is in the nature of "big, fundamental, enhancement". I'm not able
to undertake such things just at the moment...
Post by Dave C.
People will always find a way to use features inappropriately
Oh, sure, and one has to take that risk. I did say I was "wary", not
"utterly opposed" :-)
Post by Dave C.
The ACL's are great, it would be nice to move more of the power and
flexibility into them, removing a lot of hard-coded logic, and even
reducing the need for it in the future.
I certainly always intended to review them after some operational
experience had been gained. So far we have almost 4 months. I think it's
worth letting Exim 4 settle a bit longer...
Post by Dave C.
Hrm. You do make a good point. It's just annoying to have thousands of
entries in the log from hosts that we are never going to accept any
mail from.
If you can identify them, host_reject_connection is your friend. (Maybe
scan your logs for DNS list rejects and create a file of them? Not nice,
but it would work.)

Philip

--
Philip Hazel University of Cambridge Computing Service,
***@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.

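Philip's suggestion of scanning the logs for DNS-list rejects to build a host file, together with Dave's wish for a one-line-per-host summary, as an added example that is not code from this thread: a POSIX shell script that counts rejected RCPTs per calling host in an Exim 4 mainlog and lists the hosts over a threshold. It assumes the RCPT ACL's dnslist deny sets a "message =" containing a recognisable phrase (here "listed in"); the log lines are constructed and the path /etc/exim/reject.hosts is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread: scan an Exim 4 mainlog for
# RCPTs rejected because the calling host is on a DNS list, count them per
# host, and list the worst offenders for a host_reject_connection file.
# Assumption: the RCPT ACL's dnslist deny sets a "message =" whose text
# contains REASON; change REASON to match your own ACL message.
REASON="listed in"

# Print "COUNT IP" for every calling host whose RCPTs were rejected with a
# reason containing $2, most frequent first (the one-line-per-host
# summary Dave asked for).  $1 = log file, $2 = reason text to match.
reject_summary() {
    awk -v reason="$2" '
        /rejected RCPT/ && index($0, reason) {
            # the first [a.b.c.d] on a reject line is the calling host
            if (match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/)) {
                ip = substr($0, RSTART + 1, RLENGTH - 2)
                count[ip]++
            }
        }
        END { for (ip in count) print count[ip], ip }
    ' "$1" | sort -rn
}

# Print one IP per line for hosts with at least $3 such rejects; the
# output is a plain host list that can be read with a net-lsearch lookup,
# e.g. host_reject_connection = net-lsearch;/etc/exim/reject.hosts
# (the path is a placeholder).
reject_hosts() {
    reject_summary "$1" "$2" | awk -v min="$3" '$1 >= min { print $2 }'
}

# Constructed sample log lines in Exim 4 mainlog style (not a real log).
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
2002-06-18 10:01:02 H=(relay.example) [192.0.2.10] F=<a@example.org> rejected RCPT <u@example.net>: listed in dnsbl.example
2002-06-18 10:01:03 H=(relay.example) [192.0.2.10] F=<a@example.org> rejected RCPT <v@example.net>: listed in dnsbl.example
2002-06-18 10:01:04 H=(relay.example) [192.0.2.10] F=<a@example.org> rejected RCPT <w@example.net>: listed in dnsbl.example
2002-06-18 10:02:00 H=mx.example [198.51.100.7] F=<b@example.org> rejected RCPT <x@example.net>: listed in dnsbl.example
2002-06-18 10:03:00 H=localhost [127.0.0.1] F=<c@example.org> rejected RCPT <y@example.net>: relay not permitted
2002-06-18 10:04:00 H=other.example [203.0.113.9] F=<d@example.org> rejected RCPT <z@example.net>: unknown user
EOF

echo "DNS-list rejects per calling host:"
reject_summary "$LOG" "$REASON"
echo "hosts with 2 or more rejects, ready for the reject file:"
reject_hosts "$LOG" "$REASON" 2
```

Run it against the real mainlog with a cron job and regenerate the reject file from its output; hosts still listed after a while will only ever see the 554 at connection time instead of filling the log with RCPT rejects.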
Derrick 'dman' Hudson
2002-06-12 20:36:54 UTC
On Wed, Jun 12, 2002 at 01:05:01PM +1200, Juha Saarinen wrote:
| Dave C. wrote:

| > You can reference such a file from within an ACL.
|
| Yes, unless I misunderstand it, there's no way to refuse SMTP connections to
| specific host IP addresses and/or IP address ranges with ACLs.

Wouldn't this work in the RCPT ACL?

deny hosts = net-lsearch;/etc/exim/deny.host-list

-D

--

If anyone would come after me, he must deny himself and take up his
cross and follow me. For whoever wants to save his life will lose it,
but whoever loses his life for me and for the gospel will save it. What
good is it for a man to gain the whole world, yet forfeit his soul? Or
what can a man give in exchange for his soul?
Mark 8:34-37

Jabber ID : ***@dman.ddts.net
GnuPG key : http://dman.ddts.net/~dman/public_key.gpg
Marc Perkel
2002-06-12 01:05:03 UTC
Here's something I run on my linux server to block IP addresses.

#!/bin/sh
#
# Firewall Rules - This section provides a front end to pre-filter
# traffic coming in.

# The idea is that this can filter hackers from known IP addresses
# and filter packets before they even attempt to talk to services

# --- Clear the Tables

iptables -v -F INPUT

# --- Filter Hackers

# The file /etc/ipblocked contains a list of IP addresses that are blocked
# on this system. These are IPs of people who have tried to hack us.

if [ -f /etc/ipblocked ]; then
    for i in $( cat /etc/ipblocked ); do
        iptables -v -A INPUT -s "$i" -j DROP
    done
fi

ipblocked file looks like this:

147.32.109.5
200.61.75.149
217.10.192.19/24
193.85.2.87
Post by Dave C.
Post by Juha Saarinen
As any MTA operator will quickly notice, relay testing by spammers is a
common occurrence. Worse, many of the idiots doing the testing ignore the
"Relay not permitted" and carry on testing, over and over again.
1. Contact the idiots' ISP and tell them they have spammers on their
networks. Worse yet, they have DUMB spammers who are too stupid to
realize their relays are failing.
2. If it continues, get your router admin to put an IP level block in to
prevent all traffic from the relevant IP's..
Post by Juha Saarinen
I'd like to deny SMTP connections to certain hosts and IP blocks, and was
wondering what is the best way of doing it with Exim 4. I can do it quite
easily with an ACL on the router, but would prefer to maintain a file with
host IP address and ranges for the MTA instead.
You can reference such a file from within an ACL.
Post by Juha Saarinen
Thought host_reject_connection would be the way to go, initially, but
the Spec says it's better to reject at a later stage. What's the reasoning
for this?
Some hosts are braindead and will keep trying over and over. Of course,
some will keep trying regardless of where you reject.
Juha Saarinen
2002-06-12 01:09:02 UTC
Post by Marc Perkel
Here's something I run on my linux server to block IP addresses.
#!/bin/sh
#
# Firewall Rules - This section provides a front end to pre-filter
# traffic coming in.
# The idea is that this can filter hackers from known IP address
# and filter packets before they even atempt to talk to services
# --- Clear the Tables
iptables -v -F INPUT
# --- Filter Hackers
# The file /etc/ipblocked contains a list of IP addresses that are blocked
# on this system. These are IPs of people who have tried to hack us.
if [ -f /etc/ipblocked ]; then
for i in $( cat /etc/ipblocked ); do
iptables -v -A INPUT -s $i -j DROP
done
fi
147.32.109.5
200.61.75.149
217.10.192.19/24
193.85.2.87
Neat. I could run a small IPTables rule on the MTA server, instead of
burdening the router with yet another ACL.

Cheers,

--
Juha

James P. Roberts
2002-06-12 07:17:42 UTC
Post by Marc Perkel
Here's something I run on my linux server to block IP addresses.
<snip>

I really like the basic idea. Now, is there some way we can
automatically add an IP address to the list to block, but only for a
finite time? Specifically, I would like to block an IP address for a
specified period of time, (say, 5 minutes), if they happen to send me an
html request for, oh, say, "cmd.exe" (reference Code Red virus). I know
that, with a Linux server, the Code Red virus "only" fills up my log
files, but it is also running about 30% of my internet connection
kilobytes! Just to tell the offending site, multiple times, that "file
not found."

I know this is kind of off-topic, and I apologize, but the Exim
community is a very bright bunch, and I think there is a potential for
cross-fertilization of methods... I ask for your opinions.

If we can come up with a clean solution for html requests, I suspect we
can launch the same script (or whatever) from within Exim to block
repeated junk from IP addresses that meet certain criteria, without
having to block said IP forever, since the IP may be re-assigned to a
different user soon anyway (reference DHCP).

Any suggestions of comments?

Jim Roberts
Punster Productions, Inc.

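Marc's iptables script and Jim's request for blocks that lapse after a set time, as an added example that is not code from this thread: a POSIX shell script that turns a block-list file into iptables rules in a dedicated chain, so reloading it does not flush unrelated INPUT rules, validates each entry, and skips entries whose optional expiry timestamp has passed. The chain name MTA_BLOCK, the file format with an expiry column and the sample entries are all constructed for this example, and the iptables -C check assumes iptables 1.4.11 or later.

```shell
#!/bin/sh
# Added example, not code from the thread: turn a block-list file into
# iptables rules.  Differences from a plain "-F INPUT; -A INPUT ... DROP"
# loop: the rules live in their own chain, so reloading them does not
# flush unrelated INPUT rules; each entry is validated; and an optional
# expiry column lets a block lapse after a set time.
# Assumed file format (one entry per line, # starts a comment):
#   ADDRESS[/PREFIX] [EXPIRES_AS_EPOCH_SECONDS]
CHAIN=MTA_BLOCK      # assumed chain name
ACTION="DROP"        # or "REJECT --reject-with tcp-reset" (Greg's RST option)

# Return 0 if $1 is a well-formed IPv4 address or CIDR block.
valid_ipv4() {
    v_addr=${1%%/*}
    case $1 in
        */*) v_prefix=${1#*/} ;;
        *)   v_prefix=32 ;;
    esac
    echo "$v_addr" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
          exit 0 }' || return 1
    case $v_prefix in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$v_prefix" -le 32 ]
}

# Print the iptables commands for every live entry in the block file.
#   $1 = block-list file, $2 = current time as epoch seconds (default: now)
# The commands are printed rather than run so they can be reviewed first;
# pipe the output into sh to apply them.
emit_block_rules() {
    now=${2:-$(date +%s)}
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    echo "iptables -C INPUT -j $CHAIN 2>/dev/null || iptables -I INPUT -j $CHAIN"
    sed 's/#.*//' "$1" | while read -r addr expiry _; do
        [ -n "$addr" ] || continue
        if ! valid_ipv4 "$addr"; then
            echo "skipping malformed entry: $addr" >&2
            continue
        fi
        case $expiry in
            ''|*[!0-9]*) expiry= ;;      # no usable expiry: permanent block
        esac
        if [ -n "$expiry" ] && [ "$expiry" -le "$now" ]; then
            continue                     # this block has lapsed
        fi
        echo "iptables -A $CHAIN -s $addr -j $ACTION"
    done
}

# Constructed sample block list; the timestamps are epoch seconds and the
# demonstration run below pretends "now" is 1025000000 (late June 2002).
BLOCKFILE=$(mktemp)
trap 'rm -f "$BLOCKFILE"' EXIT
cat > "$BLOCKFILE" <<'EOF'
# constructed sample: ADDRESS[/PREFIX] [EXPIRES_EPOCH]
192.0.2.10                     # permanent
198.51.100.0/24                # permanent, whole /24
203.0.113.9 1024000000         # lapsed before the demo "now": not emitted
203.0.113.77 1030000000        # still in force: emitted
300.1.2.3                      # malformed: skipped with a warning
EOF

emit_block_rules "$BLOCKFILE" 1025000000
```

A cron job that reruns this every few minutes gives the finite-time block: an entry is added with "now plus five minutes" as its expiry and simply stops being emitted once that time has passed.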
Peter N Lewis
2002-06-12 08:16:34 UTC
I have set up my mailing lists like this:

I have a directory with a file for each list with entries for the
email addresses, and I have a file that has all the addresses and I
allow anyone on any list to post to any list (basically this stops
spam/advertising getting through which is all I really want to do).

My routers look like this:

lists_request:
  driver = redirect
  local_part_suffix = -request:-subscribe:-unsubscribe:-on:-off:-info
  data = listmaster
  no_more

lists_post:
  driver = redirect
  # require_files /Users/exim/exim/lists/$local_part
  senders = ${if exists {/Users/exim/exim/lists/$local_part} \
              {lsearch;/Users/exim/exim/canpost} \
              fail \
            }
  modemask = 113
  file = /Users/exim/exim/lists/$local_part
  forbid_pipe
  forbid_file
  errors_to = $local_part-request
  no_more

lists_closed:
  driver = redirect
  require_files = /Users/exim/exim/lists/$local_part
  allow_fail
  data = :fail: mail $local_part-request for permission to post to this mailing list
  no_more

If a non-sender posts to the list, I get the log message:

2002-06-12 16:07:39 H=localhost [127.0.0.1]
F=<***@interarchy.com> rejected RCPT <***@zany>: mail
testlist-request for permission to post to this mailing list

But the SMTP server says:

550 unknown user

Why doesn't the fail message make it through to the SMTP server?
Does it only get used for bounce messages?

Thanks,
Peter.

--
<http://www.interarchy.com/> <http://download.interarchy.com/>

Philip Hazel
2002-06-12 10:46:15 UTC
Post by Peter N Lewis
driver = redirect
require_files = /Users/exim/exim/lists/$local_part
allow_fail
data = :fail: mail $local_part-request for permission to post to
this mailing list
no_more
2002-06-12 16:07:39 H=localhost [127.0.0.1]
testlist-request for permission to post to this mailing list
550 unknown user
Why doesn't the fail message make it through to the SMTP server?
What is in your ACL?


--
Philip Hazel University of Cambridge Computing Service,
***@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.

Peter N Lewis
2002-06-12 12:12:37 UTC
Post by Philip Hazel
Post by Peter N Lewis
2002-06-12 16:07:39 H=localhost [127.0.0.1]
testlist-request for permission to post to this mailing list
550 unknown user
Why doesn't the fail message make it through to the SMTP server?
What is in your ACL?
Ahh.

That would be:

accept domains = +local_domains
       endpass
       message = unknown user
       verify = recipient

I see, so the message there goes back through the SMTP server even
though the reason it failed was
Post by Philip Hazel
data = :fail: mail $local_part-request for permission to post to
this mailing list
in the router.

So, I guess I would do something like making an ACLE to accept for
the mailing list and that could have the appropriate failure message.

Yep. I added this ACLE before my normal local_domains ACLE:

accept domains = +local_domains
       condition = ${if exists {/Users/exim/exim/lists/$local_part} \
                     {yes} \
                     {no} \
                   }
       endpass
       message = mail $local_part-request for permission to post to this mailing list
       verify = recipient

I tried using the require_files = /Users/exim/exim/lists/$local_part,
but that doesn't seem to be supported for ACLs, so I used the
condition instead.

Thanks,
Peter.

--
<http://www.interarchy.com/> <http://download.interarchy.com/>

Philip Hazel
2002-06-12 13:10:28 UTC
accept domains = +local_domains
endpass
message = unknown user
verify = recipient
I see, so the message there goes back through the SMTP server even
though the reason it failed was
Post by Peter N Lewis
data = :fail: mail $local_part-request for permission to post to
this mailing list
in the router.
Yes. You overrode the other message by setting "message =". If you
remove that, you should see the other message.
So, I guess I would do something like making an ACLE to accept for
the mailing list and that could have the appropriate failure message.
That's another way to do it.

--
Philip Hazel University of Cambridge Computing Service,
***@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.


Joachim Wieland
2002-06-12 18:13:37 UTC
Hi,
Post by Philip Hazel
Yes. You overrode the other message by setting "message =". If you
remove that, you should see the other message.
I have the same problem as Peter, I have a few routers that catch
correct recipient information and decline for all others. At the end,
when all routers declined, I get the message "unrouteable address". So I
thought, let's make a redirect router that has set ":fail: no such
user" (if the domain is in local_domains or relay_domains).

I'd like to ask if it would be possible to switch priorities so that a
:fail: message makes it to the client side for the following reasons:

- exim -bt shows the :fail: message
- the log shows the :fail: message
- it is easier to catch such cases in a redirect router than to put
everything in ACLs which would only make them complex and illegible


Here is the -bt output and below an exim -bh output. Only the client side
receives "unrouteable address", the logfile gets the :fail: message.

carlo:~ # exim -oMr vircheck -bt ***@test.de
***@test.de is undeliverable:
unknown user
calling userbounce router
userbounce router forced address failure
----------- end verify ------------
accept: condition test failed
accept: endpass encountered - denying access
550 unrouteable address
LOG: H=localhost [127.0.0.1] F=<***@mcknight.de> rejected RCPT
***@test.de: unknown user


This is my userbounce router:

userbounce:
  driver = redirect
  domains = +local_domains:+relay_to_domains
  check_local_user = false
  verify = true
  check_ancestor
  allow_fail
  data = :fail: unknown user


Regards,
Joachim

--
*****PGP key available - send e-mail request***** - ICQ: 37225940
You may be gone tomorrow, but that doesn't mean that you weren't here today.

Philip Hazel
2002-06-13 10:08:17 UTC
Post by Joachim Wieland
I'd like to ask if it would be possible to switch priorities so that a
The :fail: message _does_ make it to the client side, as long as you
don't override it in the ACL.

I'm trying to please everyone here; there are some admins that don't
want detailed messages sent out to clients. So I implemented a means to
suppress them. Just suppress the suppression. :-)

--
Philip Hazel University of Cambridge Computing Service,
***@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.

Joachim Wieland
2002-06-13 23:59:07 UTC
Hi Philip,
Post by Philip Hazel
I'm trying to please everyone here; there are some admins that don't
want detailed messages sent out to clients. So I implemented a means to
suppress them. Just suppress the suppression. :-)
Okay, you might be right and you probably have your reasons. Yet I think
it is a little inconsistent that the message of exim -bt and the log
message differ from the one the client sees.

If I see "rejected RCPT ***@domain.com: unknown user" in the logfile I
suspect that the client also received an "unknown user" message, so I
asked to think about the suppression of the suppression ;-)

Anyway, I'm content if you know about it and if you think that it is
okay the way it is :-)


Joachim

--
*****PGP key available - send e-mail request***** - ICQ: 37225940
If dolphins are so smart, why did Flipper work for television?

Philip Hazel
2002-06-14 09:10:06 UTC
Post by Joachim Wieland
suspect that the client also received a "unknown user" message
The point is that some people want to have detailed information in the
log file, but just send a bland "rejected" message to the client.

--
Philip Hazel University of Cambridge Computing Service,
***@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.


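Added example, written for this page and not taken from any post in the thread or from Exim's distributed configuration: a redirect router that fails unknown local users with its own ":fail:" text, next to the two ways a RCPT ACL can treat that text, as Philip describes above. The list names, router name and domain values are assumptions.

```exim
# Main section (assumed values): the domain lists the router and ACL use
domainlist local_domains = @
domainlist relay_to_domains =
acl_smtp_rcpt = acl_check_rcpt

begin routers

# Runs only while verifying recipients; rejects any local part that
# no earlier router accepted, with an explicit reason.
userbounce:
  driver = redirect
  domains = +local_domains
  verify = true
  allow_fail
  data = :fail: unknown user

begin acl

acl_check_rcpt:
  # Variant A: the 'message' modifier overrides the router's :fail: text.
  # The remote client sees "550 rejected"; the log still records the
  # router's "unknown user" reason (detail in the log, bland text to the
  # client, which is the behaviour Philip says some admins want).
  accept  domains = +local_domains
          endpass
          message = rejected
          verify = recipient

  # Variant B: no 'message' modifier, so the router's ":fail:" text is
  # what the client receives in the 550 response as well.
  accept  domains = +relay_to_domains
          endpass
          verify = recipient

  deny    message = relay not permitted
```

Pick one behaviour per accept block; the two blocks above are shown side by side only to contrast the effect of the `message` modifier on what Joachim observed with `exim -bt` versus what the client is told.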
Marc Perkel
2002-06-12 14:17:20 UTC
I had a temporary/dirty solution when I used NT.

When you set up your IP addresses under "Advanced", where you add
additional IPs other than your main one, add the IP you want to block
as if it were an IP on your computer. Since your computer thinks it owns
the offending IP it can't talk to it externally, and therefore it is
effectively blocked.

It's dirty - but it does work.
Post by James P. Roberts
Post by Marc Perkel
Here's something I run on my linux server to block IP addresses.
<snip>
I really like the basic idea. Now, is there some way we can
automatically add an IP address to the list to block, but only for a
finite time? Specifically, I would like to block an IP address for a
specified period of time, (say, 5 minutes), if they happen to send me an
html request for, oh, say, "cmd.exe" (reference Code Red virus). I know
that, with a Linux server, the Code Red virus "only" fills up my log
files, but it is also running about 30% of my internet connection
kilobytes! Just to tell the offending site, multiple times, that "file
not found."
I know this is kind of off-topic, and I apologize, but the Exim
community is a very bright bunch, and I think there is a potential for
cross-fertilization of methods... I ask for your opinions.
If we can come up with a clean solution for html requests, I suspect we
can launch the same script (or whatever) from within Exim to block
repeated junk from IP addresses that meet certain criteria, without
having to block said IP forever, since the IP may be re-assigned to a
different user soon anyway (reference DHCP).
Any suggestions or comments?
Jim Roberts
Punster Productions, Inc.
volker augustin
2002-06-12 01:47:39 UTC
hi,
i need help with using RBLs and exim 4, i want to stop relaying .....
i put
hostlist relay_from_hosts = ! ${lookup pgsql{SELECT host FROM
host_blacklist where aktiv=1 group by host}{$value}fail}
acl_smtp_rcpt = acl_check_rcpt
hmmm this sql-lookup works fine, i see it in the debug-output....
in the mainsection
and
message = invalid characters in local part
accept local_parts = postmaster
domains = +local_domains
require verify = sender
accept domains = +local_domains
endpass
message = unknown user
verify = recipient
accept domains = +relay_to_domains
endpass
message = unrouteable adress
verify = recipient
You dont want this one This will prevent bounce messages from being
delivered.
huh? did i misunderstand bou
deny dnslists = blackholes.mail-abuse.org
message = rbltest
but how can i test if a host is blacklisted and this acl is working?
accept hosts = +relay_from_hosts
verify = sender
accept authenticated = *
deny message = relay not permitted
in the acl-section of exim, but i don't know if it works.... spammers
still relaying, my server is also listed now :(( how can i stop
spamming? i thought acl and rbl was the right way, but it doesn't work
for me....please please please help!
...and senders with an empty from-field <> are also relayed :(( how can
i stop this?
An empty envelope sender is an indication of a bounce. You do NOT want
to reject messages on that criteria.
hmmmm, but spam is sent this way? or isn't it? in a previous message i posted some of this spam, what i saw
was:

some messageid... <== <>

and then it was relayed to so many addresses.......
i read so many howtos, docs and manpages, but i'm very confused now,
Start over with a simpler ACL.
Get rid of your MYSQL stuff, and see if it works without that. (Eg, just
list your IP networks directly in the ACL. Be sure to only list YOUR IP
networks, that you own/control.)
ok, that's working now.
Be sure to HUP (or restart) the exim daemon after making changes to your
config file, so that it will see the changes.
done
If that works, then your MYSQL query is probably hosed and you can start
debugging there..
.....
volker
Matthew Byng-Maddick
2002-06-12 19:22:25 UTC
Post by Juha Saarinen
I'd like to deny SMTP connections to certain hosts and IP blocks, and was
wondering what is the best way of doing it with Exim 4. I can do it quite
easily with an ACL on the router, but would prefer to maintain a file with
host IP address and ranges for the MTA instead.
It occurs to me after reading this discussion that in fact rejecting the
connection before it gets to the SMTP listener isn't necessarily a good
idea, as this is a temporary error, and you'll still have to pay for the
bandwidth that they're wasting, because it's getting to your border. If
you answer every command with a 5xx error, and report them to their ISP,
that is likely to work better.

MBM

--
Matthew Byng-Maddick <***@colondot.net> http://colondot.net/

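Added example, written for this page and not taken from any post in the thread or from Exim's distributed configuration: it combines Dave's advice (reference a file of hosts from an ACL) with Matthew's (answer every command with a 5xx rather than dropping the connection), and is a cleaner shape for the RCPT ACL Volker posted. The file path, list names and the addresses in the constructed file are assumptions.

```exim
# Main section. A named host list read from a file: each line of the
# file is one host list item, blank lines and lines starting with '#'
# are ignored, so the admin maintains the file without touching the
# Exim configuration. Constructed contents of /etc/exim/blocked_hosts:
#   # relay testers: one IP address or CIDR range per line
#   192.0.2.17
#   198.51.100.0/24
hostlist blocked_hosts    = /etc/exim/blocked_hosts
hostlist relay_from_hosts = 127.0.0.1 : 192.168.0.0/16
domainlist local_domains  = @
domainlist relay_to_domains =

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Listed hosts are refused before any verification work is spent on
  # them; every RCPT they send gets a permanent 550, which the remote
  # MTA (or relay tester) cannot mistake for a temporary failure.
  deny    hosts   = +blocked_hosts
          message = Mail from $sender_host_address is not accepted here

  accept  domains = +local_domains
          endpass
          message = unknown user
          verify  = recipient

  accept  domains = +relay_to_domains
          endpass
          message = unrouteable address
          verify  = recipient

  # Only networks you control, plus authenticated clients, may relay
  accept  hosts = +relay_from_hosts
  accept  authenticated = *

  deny    message = relay not permitted
```

Changes to the file take effect on the next connection without a daemon restart, because the file is read each time the list is evaluated; changes to the configuration itself still need the HUP Dave mentions. Keep the empty envelope sender (`<>`) out of any deny here, as Dave notes above, since that is how bounces arrive.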
Dave C.
2002-06-12 20:32:36 UTC
Post by Matthew Byng-Maddick
Post by Juha Saarinen
I'd like to deny SMTP connections to certain hosts and IP blocks, and was
wondering what is the best way of doing it with Exim 4. I can do it quite
easily with an ACL on the router, but would prefer to maintain a file with
host IP address and ranges for the MTA instead.
It occurs to me after reading this discussion that in fact rejecting the
connection before it gets to the SMTP listener isn't necessarily a good
idea, as this is a temporary error, and you'll still have to pay for the
bandwidth that they're wasting, because it's getting to your border. If
you answer every command with a 5xx error, and report them to their ISP,
that is likely to work better.
The bandwidth to send an RST packet in response to a SYN packet is
fairly trivial. Unless they try to connect continuously, it's not likely
to make much of an impact on your bandwidth usage. In fact, it's WAY less
than the amount used by even accepting the connection and sending a
5xx..