On Wed, Aug 04, 2010 at 01:00:19PM -0400, ylsdd wrote:
> The 'greylistd-setup-exim4' script added a section 'deny' to 
> /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt.
> 
>  # Deny if blacklisted by greylist
>  deny
>    message = $sender_host_address is blacklisted from delivering \\
>                      mail from <$sender_address> to <$local_p...@$domain>.
>    log_message = blacklisted.
>    !senders        = :
>    !authenticated = *
>    verify         = recipient/callout=20s,use_sender,defer_ok
>    condition      = ${readsocket{/var/run/greylistd/socket}\\
>                                  {--black \\
>                                   $sender_host_address \\
>                                   $sender_address \\
>                                   $local_p...@$domain}\\
>                                  {5s}{}{false}}
> 
> In this added section, recipient callouts are performed without verifying
> the recipient's hostname. Thus, when spammers send the hosting server emails
> with recipients referring to other domains that are not relayed, excessive
> and wrong recipient callouts will be performed. The final results then
> include:
> 
> 1. high server load due to excessive callouts
> 2. a potential DDoS attack on other domains
> 3. the hosting server being blocked because of sending callouts to spam-trap
>    addresses
> 4. complaints from the ISP and termination of service
> 
> A simple fix should be removing the recipient/callout verification in this
> 'deny' section, since there is NO POINT IN NOT DENYING if the
> recipient/callout would fail.

I agree, but I have a couple of comments:

- did you consider removing the recipient callout verification in the
  defer rule too? My reading of the config is that you'd need to remove
  that too to have the desired effect, but your patch doesn't include it
- I disagree with the security tag, and the severity, since I've had this
  configuration running for quite some time and haven't experienced the
  problems you describe (possibly because my antispam measures vary in
  other ways). Therefore the problem demonstrably does not make the
  package unusable.

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
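For reference, here is what the greylistd 'deny' stanza looks like with the callout line taken out, as the report proposes. This is an illustrative rewrite added here, not the text written by greylistd-setup-exim4 or any patch attached to this bug. Two assumptions: `$local_part` stands in for the variable the list archive obfuscated as `$local_p...`, and the line continuations are written with the single trailing backslash that exim's config reader expects.

```conf
  # Deny if blacklisted by greylistd.
  #
  # The "verify = recipient/callout=..." line is deliberately omitted. Exim
  # evaluates ACL conditions in the order written, so with the callout in
  # place a RCPT TO for an unrelayed foreign domain triggered an outbound
  # callout to that domain before the greylistd lookup below ever ran. The
  # deny should not depend on the recipient callout succeeding: if the
  # recipient is bad there is no point in not denying, which is exactly the
  # argument made in the report.
  deny
    message        = $sender_host_address is blacklisted from delivering \
                     mail from <$sender_address> to <$local_part@$domain>.
    log_message    = blacklisted.
    !senders       = :
    !authenticated = *
    condition      = ${readsocket{/var/run/greylistd/socket}\
                                 {--black \
                                  $sender_host_address \
                                  $sender_address \
                                  $local_part@$domain}\
                                 {5s}{}{false}}
```

After editing the conf.d fragment, run update-exim4.conf to regenerate the active configuration, `exim4 -bV` to confirm it still parses, and `exim4 -bh 192.0.2.1` (a constructed test address) to walk through an SMTP session by hand: issue a RCPT TO for a domain this host does not relay and check in the debug output that no callout connection is attempted before the greylistd socket is consulted. The same inspection applies to the 'defer' stanza Dominic mentions, which is not reproduced in this message; if it also carries a `verify = recipient/callout=...` line, the callout happens there as well.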
