Herron has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/372174 )

Change subject: WIP: Add acl to warn on forged HELO messages on 
lists.wikimedia.org
......................................................................

WIP: Add acl to warn on forged HELO messages on lists.wikimedia.org

For testing/prep purposes, log a warning if the remote side is not in the allowed list
and sends a HELO claiming to be a domain, hostname or IP that belongs to us.

Change from warn to delay & drop after testing.

Bug: T173338
Change-Id: I8b9fd41177cc681aa64228f96a83257ef0781ffe
---
M modules/profile/templates/exim/exim4.conf.mailman.erb
1 file changed, 19 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/74/372174/1

diff --git a/modules/profile/templates/exim/exim4.conf.mailman.erb 
b/modules/profile/templates/exim/exim4.conf.mailman.erb
index e5b52da..ca3c1ec 100644
--- a/modules/profile/templates/exim/exim4.conf.mailman.erb
+++ b/modules/profile/templates/exim/exim4.conf.mailman.erb
@@ -32,6 +32,7 @@
 
 # Policy control
 acl_smtp_connect = acl_check_connect
+acl_smtp_helo = acl_check_helo
 acl_smtp_rcpt = acl_check_rcpt
 acl_smtp_data = acl_check_data
 
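Review bot: the new acl_smtp_helo hook runs for both HELO and EHLO and is re-run every time the client re-issues the greeting (for example after STARTTLS), so whatever delay/drop replaces the warn verbs later will fire on each greeting, not once per connection; it also never runs for a client that skips HELO/EHLO altogether, which stays covered only by acl_check_rcpt and acl_check_data. Since acl_check_helo ends in an unconditional accept, this hunk changes no accept/reject decision yet; it would help reviewers of the follow-up to say so in the commit message.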
@@ -130,6 +131,24 @@
 acl_check_connect:
        accept
 
+acl_check_helo:
+
+       # warn if remote tries to send HELO < a local domain > (change from 
warn to delay & drop after testing)
+       warn message = HELO failure ref1
+               condition   = ${if 
match_domain{$sender_helo_name}{+local_domains}{yes}{no}}
+               !hosts      = +wikimedia_nets : +relay_from_hosts
+               log_message = HELO failure ref1 (Remote said: HELO 
$sender_helo_name which matches a domain listed in local_domains)
+               #delay       = 45s
+
+       # warn if remote tries to send HELO < my primary hostname > (change 
from warn to delay & drop after testing)
+       warn message = HELO failure ref2
+               condition   = ${if match{$sender_helo_name}{$primary_hostname}}
+               !hosts      = +wikimedia_nets : +relay_from_hosts
+               log_message = HELO failure ref2 (Remote said: HELO 
$sender_helo_name which equals my primary_hostname of $primary_hostname)
+               #delay       = 45s
+
+       accept
+
 acl_check_data:
        # Let's trust local senders to not send out spam
        accept hosts = +wikimedia_nets
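Review bot: the ref2 condition `${if match{$sender_helo_name}{$primary_hostname}}` is an unanchored regular-expression match with the hostname as the pattern, so the dots match any character and any HELO that merely contains the hostname (lists.wikimedia.org.example.net, or lists-wikimedia-org with the dots substituted) triggers it, while a differently cased HELO does not; for the equality test the comment describes use `condition = ${if eqi{$sender_helo_name}{$primary_hostname}}`. The commit message also promises a check for a HELO of our IP, but neither rule covers the address-literal form `[a.b.c.d]`; a third warn with `condition = ${if eq{$sender_helo_name}{[$received_ip_address]}}` would close that gap. Two smaller points: `message =` on a warn verb is never sent to the client (it is the obsolescent header-adding use), so only log_message is doing work until these become deny/drop; and putting the `!hosts` line before the `condition` line saves the expansion for trusted hosts and matters more once `delay` is uncommented, since modifiers apply in order and the delay should only be reached for matching remote hosts.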

-- 
To view, visit https://gerrit.wikimedia.org/r/372174
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I8b9fd41177cc681aa64228f96a83257ef0781ffe
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Herron <kher...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits