[Mimedefang] filter_helo called after mail from?

Anne Bennett anne at encs.concordia.ca
Thu Nov 9 14:53:14 EST 2006


Jonas Eckerman <jonas_lists at frukt.org>:

>> We do our HELO checks in filter_relay,
> 
> How do you do that?
> 
> I thought that neither the $Helo variable nor the commands file (from
> which the helo string can be read) was available that early in the
> mimedefang process.

It comes in as a parameter in filter_relay.  Pseudo-code (my real code
has lots of calls to site-specific logging etc.):


[...]
# 2002/11/25 Anne Bennett: our machines:
$re_localhost    = '127\.0\.0\.1';
$re_our_networks = '132\.205\.\d+\.\d+';
$re_our_domains  = '(?:([\w\-\.]+\.)?(concordia\.ca|concordia\.montreal\.qc\.ca|myconcordia\.ca))';
[...]

sub filter_relay($$$)
{
  # MIMEDefang passes the connecting relay's IP, its name, and the HELO string.
  my ( $relayip, $relayname, $helo ) = @_;

  # [...]

  # 2003/09/04 Anne Bennett: strip square brackets from helo string if any:
  my $stripped_helo = $helo;
  $stripped_helo =~ s/^\[+//;
  $stripped_helo =~ s/\]+$//;

  # Reject any (external) HELO/EHLO that pretend to be one of ours.
  # 2002/11/25 Anne Bennett: log only.
  # 2003/06/23 Sylvain Robitaille: in production with rejection.
  if ( ( $relayip !~ /^($re_our_networks|$re_localhost)$/ ) &&
       ( $stripped_helo =~ /^($re_our_domains)$/i         )     )
  {
    # [reject with:]  (filter_relay rejects by returning a ('REJECT', message) pair)
    return ( 'REJECT', "IP $relayip faked HELO/EHLO with our name '$helo'" );
  }

  # 2003/05/05 Sylvain Robitaille: Also check for obviously forged
  #   external numeric HELO/EHLO strings (numeric string does not match
  #   relay's IP address).
  # 2003/06/13 Sylvain Robitaille: In practice the faked numeric HELO
  #   strings can trigger too many false positives, given that many
  #   sending sites may use NAT or double-homed hosts.
  # 2003/09/04 Anne Bennett: however no one should be faking as
  #   one of our networks.
  # Note: the alternation is grouped so that both ^ and $ anchor each alternative.
  if ( ( $relayip !~ /^($re_our_networks|$re_localhost)$/ )     &&
       ( $stripped_helo =~ /^\d+\.\d+\.\d+\.\d+$/ )             &&
       ( $stripped_helo =~ /^($re_our_networks|$re_localhost)$/ )   )
  {
    # [just testing, hey, I forgot to check this and put it into production!]
    # [hmph, doesn't seem to catch anything]
    return ( 'REJECT', "IP $relayip faked numeric HELO/EHLO with our IP '$helo'" );
  }

  # ...
  return ( 'CONTINUE', 'ok' );
}



Note: the code above actually hasn't caught much lately.  I think it did
help when we first put it in, though.


Anne.
-- 
Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8
anne at encs.concordia.ca                                    +1 514 848-2424 x2285
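The same two HELO checks as a stand-alone script, written as an added example (not Anne's production code and not part of MIMEDefang itself). The network and domain patterns are taken from the post; the relay addresses and HELO strings fed to it are constructed samples, and the 192.0.2.0/24 addresses are documentation addresses, not real senders. It assumes only MIMEDefang's documented filter_relay contract: the function receives (ip, name, helo) and returns ('CONTINUE', 'ok') to accept or ('REJECT', reason) to refuse the connection.

```perl
#!/usr/bin/perl
# Added example: a stand-alone filter_relay() implementing the forged-HELO
# checks described in the post, with the regex alternations fully grouped and
# anchored, plus a small driver over constructed sample connections.
use strict;
use warnings;

# Patterns from the post (Concordia's own addresses and domain names).
my $re_localhost    = '127\.0\.0\.1';
my $re_our_networks = '132\.205\.\d+\.\d+';
my $re_our_domains  = '(?:([\w\-\.]+\.)?(concordia\.ca|concordia\.montreal\.qc\.ca|myconcordia\.ca))';

# MIMEDefang calls filter_relay(ip, name, helo) for each connecting relay and
# expects a two-element list: ('CONTINUE', 'ok') or ('REJECT', 'reason').
sub filter_relay {
    my ($relayip, $relayname, $helo) = @_;

    # Strip surrounding square brackets: "[132.205.1.2]" -> "132.205.1.2"
    (my $stripped_helo = $helo) =~ s/^\[+//;
    $stripped_helo =~ s/\]+$//;

    # A relay is internal if it comes from our networks or from localhost.
    my $is_internal = ($relayip =~ /^(?:$re_our_networks|$re_localhost)$/) ? 1 : 0;

    # Check 1: an external host announcing itself with one of our domain names.
    if (!$is_internal && $stripped_helo =~ /^(?:$re_our_domains)$/i) {
        return ('REJECT', "IP $relayip faked HELO/EHLO with our name '$helo'");
    }

    # Check 2: an external host announcing a numeric HELO that lies inside our
    # address space.  Both alternatives sit inside one group so that ^ and $
    # anchor each of them.
    if (!$is_internal
        && $stripped_helo =~ /^\d+\.\d+\.\d+\.\d+$/
        && $stripped_helo =~ /^(?:$re_our_networks|$re_localhost)$/) {
        return ('REJECT', "IP $relayip faked numeric HELO/EHLO with our IP '$helo'");
    }

    return ('CONTINUE', 'ok');
}

# Constructed sample connections (not real log data): [relay IP, relay name, HELO].
my @cases = (
    ['192.0.2.10',  'mail.example.net',  'mail.example.net'],   # ordinary external host
    ['192.0.2.10',  'mail.example.net',  'smtp.concordia.ca'],  # external host using our name
    ['192.0.2.10',  'mail.example.net',  '[132.205.1.2]'],      # external host using our IP
    ['192.0.2.10',  'mail.example.net',  '192.0.2.10'],         # numeric HELO, not ours: allowed
    ['132.205.1.2', 'host.concordia.ca', 'host.concordia.ca'],  # our own host: allowed
);

for my $c (@cases) {
    my ($verdict, $msg) = filter_relay(@$c);
    printf "%-12s HELO %-20s => %-8s %s\n", $c->[0], $c->[2], $verdict, $msg;
}
```

Running it prints CONTINUE for the first, fourth and fifth cases and REJECT for the second and third. The numeric check deliberately stays narrow: it refuses only numeric HELOs inside the site's own address space, which avoids the NAT and multi-homed false positives the post's comments mention for a general "numeric HELO must equal relay IP" rule.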


