Bug#287581: splitting ACLs

2006-07-26 Thread Marc Haber
On Wed, Jul 26, 2006 at 03:59:14PM +0200, Robert Millan wrote:
> On Wed, Jul 26, 2006 at 03:56:20PM +0200, Marc Haber wrote:
> > Actually, it might be appropriate to move the "helo given?" check to
> > the RCPT ACL as well.
> 
> Do any of these "broken, but widely used MTAs" skip helo?

No, they don't. So they never see that particular error message. You
have a point here.

Greetings
Marc

-- 
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Bug#287581: splitting ACLs

2006-07-26 Thread Robert Millan
On Wed, Jul 26, 2006 at 03:56:20PM +0200, Marc Haber wrote:
> On Thu, Jul 20, 2006 at 08:48:53AM +0200, Robert Millan wrote:
> > Btw, wrt splitting ACL files, note that #378935 adds a new one
> > (25_exim4-config_check_mail).  I think some of the rules currently in
> > 30_exim4-config_check_rcpt could be moved into this one, with the added
> > advantage that they would be performed earlier, saving time and bandwidth.
> > 
> > Some of them could even be moved to acl_smtp_helo, like local or
> > remote IP-based blacklists.
> 
> Some broken, but widely used MTAs get quite psychotic when you reject
> at HELO or MAIL time. This is the reason why we usually reject at RCPT
> time. This is also consistent with upstream.

Ok.

> Actually, it might be appropriate to move the "helo given?" check to
> the RCPT ACL as well.

Do any of these "broken, but widely used MTAs" skip helo?  So far the only
messages I've seen that skip helo are sent by spamware.

-- 
Robert Millan

My spam trap is [EMAIL PROTECTED]  Note: this address is only intended for
spam harvesters.  Writing to it will get you added to my black list.





Bug#287581: splitting ACLs

2006-07-26 Thread Marc Haber
On Thu, Jul 20, 2006 at 08:48:53AM +0200, Robert Millan wrote:
> Btw, wrt splitting ACL files, note that #378935 adds a new one
> (25_exim4-config_check_mail).  I think some of the rules currently in
> 30_exim4-config_check_rcpt could be moved into this one, with the added
> advantage that they would be performed earlier, saving time and bandwidth.
> 
> Some of them could even be moved to acl_smtp_helo, like local or
> remote IP-based blacklists.

Some broken, but widely used MTAs get quite psychotic when you reject
at HELO or MAIL time. This is the reason why we usually reject at RCPT
time. This is also consistent with upstream.

Actually, it might be appropriate to move the "helo given?" check to
the RCPT ACL as well.

Greetings
Marc

-- 
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
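
The two placements of the "helo given?" check weighed in this thread, as an added Exim configuration sketch; it is not the patch from #378935 or the package's own files. The ACL labels acl_check_mail and acl_check_rcpt and the message text are assumptions, and variant B is a fragment that the existing RCPT rules must follow.

```conf
# Added illustration, not the Debian package's configuration.
# Main section: bind an ACL to each SMTP phase (labels are assumed names).
acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt

begin acl

# Variant A: reject at MAIL time (the 25_exim4-config_check_mail position).
# $sender_helo_name is empty when the client sent neither HELO nor EHLO.
# The rejection arrives early, before any recipient is processed.
acl_check_mail:
  deny
    message   = no HELO given before MAIL command
    condition = ${if def:sender_helo_name {no}{yes}}
  accept

# Variant B: the same test deferred to RCPT time (the
# 30_exim4-config_check_rcpt position). The client gets its 5xx in reply
# to RCPT TO, the phase where the thread says senders handle rejects
# most predictably. Use A or B, not both.
acl_check_rcpt:
  deny
    message   = no HELO given before MAIL command
    condition = ${if def:sender_helo_name {no}{yes}}
  # The existing RCPT rules (relay and recipient checks) continue here
  # unchanged. No "accept" is shown on purpose: an ACL that runs off its
  # end denies, so this fragment alone never opens a relay.
```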





Bug#378935: Bug#287581: splitting ACLs

2006-07-21 Thread Robert Millan
tags 378935 pending
thanks

On Fri, Jul 21, 2006 at 08:31:29PM +0200, Andreas Metzler wrote:
> > Ok.  This is #378935 (I sent a patch before).  May I check it in?
> 
> It is ok with me, and can easily be backed out again if Marc disagrees
> (and he has the final say on exim nowadays), so go ahead.

Ok, done.

-- 
Robert Millan

My spam trap is [EMAIL PROTECTED]  Note: this address is only intended for
spam harvesters.  Writing to it will get you added to my black list.





Bug#378935: Bug#287581: splitting ACLs

2006-07-21 Thread Andreas Metzler
On 2006-07-21 Robert Millan <[EMAIL PROTECTED]> wrote:
[check for HELO]
> Ok.  This is #378935 (I sent a patch before).  May I check it in?

It is ok with me, and can easily be backed out again if Marc disagrees
(and he has the final say on exim nowadays), so go ahead.
thanks, cu andreas
-- 
The 'Galactic Cleaning' policy undertaken by Emperor Zhark is a personal
vision of the emperor's, and its inclusion in this work does not constitute
tacit approval by the author or the publisher for any such projects,
howsoever undertaken. (c) Jasper Fforde





Bug#378935: Bug#287581: splitting ACLs

2006-07-21 Thread Robert Millan
On Fri, Jul 21, 2006 at 07:04:37PM +0200, Andreas Metzler wrote:
> On 2006-07-20 Robert Millan <[EMAIL PROTECTED]> wrote:
> > On Thu, Jul 20, 2006 at 07:58:32PM +0200, Andreas Metzler wrote:
> [reject after mail from: instead of rcpt to:]
> >> iirc (sorry no references) some MTAs will react strangely to rejects
> >> after MAIL FROM: (instead of RCPT), like marking the whole host as
> >> unavailable instead of just the sender. Which is the reason most
> >> checks are done after RCPT.
> 
> > Ah.. how odd :)
> 
> > Do you think it's still fine to check for HELO/EHLO in MAIL, though?
> [...]
> I think so.

Ok.  This is #378935 (I sent a patch before).  May I check it in?

-- 
Robert Millan

My spam trap is [EMAIL PROTECTED]  Note: this address is only intended for
spam harvesters.  Writing to it will get you added to my black list.





Bug#287581: splitting ACLs

2006-07-21 Thread Andreas Metzler
On 2006-07-20 Robert Millan <[EMAIL PROTECTED]> wrote:
> On Thu, Jul 20, 2006 at 07:58:32PM +0200, Andreas Metzler wrote:
[reject after mail from: instead of rcpt to:]
>> iirc (sorry no references) some MTAs will react strangely to rejects
>> after MAIL FROM: (instead of RCPT), like marking the whole host as
>> unavailable instead of just the sender. Which is the reason most
>> checks are done after RCPT.

> Ah.. how odd :)

> Do you think it's still fine to check for HELO/EHLO in MAIL, though?
[...]
I think so.
cu andreas
-- 
The 'Galactic Cleaning' policy undertaken by Emperor Zhark is a personal
vision of the emperor's, and its inclusion in this work does not constitute
tacit approval by the author or the publisher for any such projects,
howsoever undertaken. (c) Jasper Fforde





Bug#287581: splitting ACLs

2006-07-20 Thread Robert Millan
On Thu, Jul 20, 2006 at 07:58:32PM +0200, Andreas Metzler wrote:
> On 2006-07-20 Robert Millan <[EMAIL PROTECTED]> wrote:
> > Btw, wrt splitting ACL files, note that #378935 adds a new one
> > (25_exim4-config_check_mail).  I think some of the rules currently in
> > 30_exim4-config_check_rcpt could be moved into this one, with the added
> > advantage that they would be performed earlier, saving time and bandwidth.
> 
> > Some of them could even be moved to acl_smtp_helo, like local or
> > remote IP-based blacklists.
> 
> > I can send a patch for either of those, if you like.
> 
> Hello,
> iirc (sorry no references) some MTAs will react strangely to rejects
> after MAIL FROM: (instead of RCPT), like marking the whole host as
> unavailable instead of just the sender. Which is the reason most
> checks are done after RCPT.
> cu andreas

Ah.. how odd :)

Do you think it's still fine to check for HELO/EHLO in MAIL, though?  I recall
seeing this kind of check from years ago, in my early internet days.  I
wouldn't be surprised if most MTAs do it by default.

-- 
Robert Millan

My spam trap is [EMAIL PROTECTED]  Note: this address is only intended for
spam harvesters.  Writing to it will get you added to my black list.





Bug#287581: splitting ACLs

2006-07-20 Thread Andreas Metzler
On 2006-07-20 Robert Millan <[EMAIL PROTECTED]> wrote:
> Btw, wrt splitting ACL files, note that #378935 adds a new one
> (25_exim4-config_check_mail).  I think some of the rules currently in
> 30_exim4-config_check_rcpt could be moved into this one, with the added
> advantage that they would be performed earlier, saving time and bandwidth.

> Some of them could even be moved to acl_smtp_helo, like local or
> remote IP-based blacklists.

> I can send a patch for either of those, if you like.

Hello,
iirc (sorry no references) some MTAs will react strangely to rejects
after MAIL FROM: (instead of RCPT), like marking the whole host as
unavailable instead of just the sender. Which is the reason most
checks are done after RCPT.
cu andreas
-- 
The 'Galactic Cleaning' policy undertaken by Emperor Zhark is a personal
vision of the emperor's, and its inclusion in this work does not constitute
tacit approval by the author or the publisher for any such projects,
howsoever undertaken. (c) Jasper Fforde





Bug#287581: splitting ACLs

2006-07-20 Thread Robert Millan

Btw, wrt splitting ACL files, note that #378935 adds a new one
(25_exim4-config_check_mail).  I think some of the rules currently in
30_exim4-config_check_rcpt could be moved into this one, with the added
advantage that they would be performed earlier, saving time and bandwidth.

Some of them could even be moved to acl_smtp_helo, like local or remote IP-based
blacklists.

I can send a patch for either of those, if you like.

-- 
Robert Millan

My spam trap is [EMAIL PROTECTED]  Note: this address is only intended for
spam harvesters.  Writing to it will get you added to my black list.

