[Mimedefang] filter_helo called after mail from?
Anne Bennett
anne at encs.concordia.ca
Thu Nov 9 14:53:14 EST 2006
Jonas Eckerman <jonas_lists at frukt.org>:
>> We do our HELO checks in filter_relay,
>
> How do you do that?
>
> I thought that neither the $Helo variable nor the commands file (from
> which the helo string can be read) was available that early in the
> mimedefang process.
It comes in as a parameter in filter_relay. Pseudo-code (my real code
has lots of calls to site-specific logging etc.):
[...]
# 2002/11/25 Anne Bennett: our machines:
$re_localhost = '127\.0\.0\.1';
$re_our_networks = '132\.205\.\d+\.\d+';
$re_our_domains = '(?:([\w\-\.]+\.)?(concordia\.ca|concordia\.montreal\.qc\.ca|myconcordia\.ca))';
[...]
sub filter_relay($$$)
{
    my ( $relayip, $relayname, $helo ) = @_;
    [...]
    # 2003/09/04 Anne Bennett: strip square brackets from helo string if any:
    my $stripped_helo = $helo;
    $stripped_helo =~ s/^\[+//;
    $stripped_helo =~ s/\]+$//;
    # Reject any (external) HELO/EHLO that pretends to be one of ours.
    # 2002/11/25 Anne Bennett: log only.
    # 2003/06/23 Sylvain Robitaille: in production with rejection.
    if ( ( $relayip !~ /^($re_our_networks|$re_localhost)$/ ) &&
         ( $stripped_helo =~ /^($re_our_domains)$/i ) )
    {
        [reject with:]
        ... "IP $relayip faked HELO/EHLO with our name '$helo'";
    }
    # 2003/05/05 Sylvain Robitaille: Also check for obviously forged
    # external numeric HELO/EHLO strings (numeric string does not match
    # relay's IP address).
    # 2003/06/13 Sylvain Robitaille: In practice the faked numeric HELO
    # strings can trigger too many false positives, given that many
    # sending sites may use NAT or double-homed hosts.
    # 2003/09/04 Anne Bennett: however no one should be faking as
    # one of our networks.
    # (The alternation is grouped so that ^ and $ anchor both
    # alternatives, not just the first and last one.)
    if ( ( $relayip !~ /^($re_our_networks|$re_localhost)$/ ) &&
         ( $stripped_helo =~ /^\d+\.\d+\.\d+\.\d+$/ ) &&
         ( $stripped_helo =~ /^($re_our_networks|$re_localhost)$/ ) )
    {
        [just testing, hey, I forgot to check this and put it into production!]
        [hmph, doesn't seem to catch anything]
        ... "IP $relayip faked numeric HELO/EHLO with our IP '$helo'";
    }
    ...
}
Note: the code above actually hasn't caught much lately. I think it did
help when we first put it in, though.
Anne.
--
Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8
anne at encs.concordia.ca +1 514 848-2424 x2285
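A self-contained version of the two HELO checks from the post, added here as an example; it is not Anne's production filter or code shipped with MIMEDefang. It reuses the network and domain patterns quoted above, returns results in the ($code, $message) shape that MIMEDefang expects from filter_relay ('REJECT' or 'CONTINUE'), and runs over a constructed list of relay IP / HELO pairs so the behaviour can be checked without a mail server. The \d{1,3} octet bound and the (?: ... ) grouping around the alternations are tightenings of the posted patterns, so that the anchors apply to every alternative and "132.205.999.999" is not treated as one of our addresses.

```perl
#!/usr/bin/perl
# Added example, not Anne's or MIMEDefang's own code.  Implements the two
# forged-HELO checks from the post as a standalone function plus a small
# self-check over constructed sample relays.
use strict;
use warnings;

# Patterns from the post.  Each alternation is wrapped in (?: ... ) so that
# ^ and $ anchor every alternative, not just the first and last one.
my $re_localhost    = qr/127\.0\.0\.1/;
my $re_our_networks = qr/132\.205\.\d{1,3}\.\d{1,3}/;
my $re_our_domains  = qr/(?:[\w\-.]+\.)?(?:concordia\.ca|concordia\.montreal\.qc\.ca|myconcordia\.ca)/i;

# Returns ($code, $message) in the shape MIMEDefang's filter_relay returns.
sub check_helo {
    my ($relayip, $relayname, $helo) = @_;

    # Our own machines (and loopback) may say whatever they like.
    return ('CONTINUE', 'ok') if $relayip =~ /^(?:$re_our_networks|$re_localhost)$/;

    # Strip square brackets: "[1.2.3.4]" is the address-literal HELO form.
    (my $stripped = $helo) =~ s/^\[+//;
    $stripped =~ s/\]+$//;

    # External relay presenting one of our domain names.
    if ($stripped =~ /^$re_our_domains$/) {
        return ('REJECT', "IP $relayip faked HELO/EHLO with our name '$helo'");
    }

    # External relay presenting a numeric HELO inside our address space.
    # Without the (?: ... ) grouping, /^A|B$/ parses as /^A/ or /B$/.
    if ($stripped =~ /^\d{1,3}(?:\.\d{1,3}){3}$/
        && $stripped =~ /^(?:$re_our_networks|$re_localhost)$/) {
        return ('REJECT', "IP $relayip faked numeric HELO/EHLO with our IP '$helo'");
    }

    return ('CONTINUE', 'ok');
}

# Constructed samples: [relay IP, HELO string, expected code].
my @samples = (
    ['192.0.2.10',   'mail.example.org',        'CONTINUE'],
    ['192.0.2.10',   'smtp.concordia.ca',       'REJECT'],    # our name, foreign IP
    ['192.0.2.10',   'MyConcordia.CA',          'REJECT'],    # case-insensitive match
    ['192.0.2.10',   '[132.205.4.5]',           'REJECT'],    # our address, foreign IP
    ['192.0.2.10',   '127.0.0.1',               'REJECT'],    # loopback literal from outside
    ['192.0.2.10',   '192.0.2.10',              'CONTINUE'],  # numeric but truthful
    ['132.205.4.5',  'smtp.concordia.ca',       'CONTINUE'],  # internal relay, exempt
    ['198.51.100.7', '132.205.1.1.example.net', 'CONTINUE'],  # not a bare IP, not our domain
);

for my $s (@samples) {
    my ($ip, $helo, $want) = @$s;
    my ($code, $msg) = check_helo($ip, 'unused.rdns', $helo);
    printf "%-4s %-14s %-26s %s %s\n",
        ($code eq $want ? 'ok' : 'FAIL'), $ip, $helo, $code, $msg;
}
```

Run it with plain perl; every line should start with "ok". The decision rests entirely on the relay IP, so if authenticated submission from roaming users passes through the same filter_relay hook, those clients will also be rejected when their HELO carries an internal name; exempting the submission port or authenticated sessions before this check is the usual way to avoid that class of false positive.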