Bug#287581: splitting ACLs
On Wed, Jul 26, 2006 at 03:59:14PM +0200, Robert Millan wrote: > On Wed, Jul 26, 2006 at 03:56:20PM +0200, Marc Haber wrote: > > Actually, it might be appropriate to move the "helo given?" check to > > the RCPT ACL as well. > > Do any of these "broken, but widely used MTAs" skip helo? No, they don't. So they never see that particular error message. You have a point here. Greetings Marc -- - Marc Haber | "I don't trust Computers. They | Mailadresse im Header Mannheim, Germany | lose things."Winona Ryder | Fon: *49 621 72739834 Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#287581: splitting ACLs
On Wed, Jul 26, 2006 at 03:56:20PM +0200, Marc Haber wrote: > On Thu, Jul 20, 2006 at 08:48:53AM +0200, Robert Millan wrote: > > Btw, wrt splitting ACL files, note that #378935 adds a new one > > (25_exim4-config_check_mail). I think some of the rules currently in > > 30_exim4-config_check_rcpt could be moved into this one, with the added > > advantage that they would be performed earlier, saving time and bandwidth. > > > > Some of them could even be moved to acl_smtp_helo, like local or remote > > IP-based > > blacklists. > > Some broken, but widely used MTAs get quite psychotic when you reject > at HELO or MAIL time. This is the reason why we usually reject at RCPT > time. This is also consistent with upstream. Ok. > Actually, it might be appropriate to move the "helo given?" check to > the RCPT ACL as well. Do any of these "broken, but widely used MTAs" skip helo? So far the only messages I've seen that skip helo are sent by spamware. -- Robert Millan My spam trap is [EMAIL PROTECTED] Note: this address is only intended for spam harvesters. Writing to it will get you added to my black list. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#287581: splitting ACLs
On Thu, Jul 20, 2006 at 08:48:53AM +0200, Robert Millan wrote: > Btw, wrt splitting ACL files, note that #378935 adds a new one > (25_exim4-config_check_mail). I think some of the rules currently in > 30_exim4-config_check_rcpt could be moved into this one, with the added > advantage that they would be performed earlier, saving time and bandwidth. > > Some of them could even be moved to acl_smtp_helo, like local or remote > IP-based > blacklists. Some broken, but widely used MTAs get quite psychotic when you reject at HELO or MAIL time. This is the reason why we usually reject at RCPT time. This is also consistent with upstream. Actually, it might be appropriate to move the "helo given?" check to the RCPT ACL as well. Greetings Marc -- - Marc Haber | "I don't trust Computers. They | Mailadresse im Header Mannheim, Germany | lose things."Winona Ryder | Fon: *49 621 72739834 Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#378935: Bug#287581: splitting ACLs
tags 378935 pending thanks On Fri, Jul 21, 2006 at 08:31:29PM +0200, Andreas Metzler wrote: > > Ok. This is #378935 (I sent a patch before). May I check it in? > > It is ok with me, and can easily backed out again if Marc disagrees > (and he has the final say on exim nowadays), so go ahead. Ok, done. -- Robert Millan My spam trap is [EMAIL PROTECTED] Note: this address is only intended for spam harvesters. Writing to it will get you added to my black list. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#378935: Bug#287581: splitting ACLs
On 2006-07-21 Robert Millan <[EMAIL PROTECTED]> wrote: [check for HELO] > Ok. This is #378935 (I sent a patch before). May I check it in? It is ok with me, and can easily backed out again if Marc disagrees (and he has the final say on exim nowadays), so go ahead. thanks, cu andreas -- The 'Galactic Cleaning' policy undertaken by Emperor Zhark is a personal vision of the emperor's, and its inclusion in this work does not constitute tacit approval by the author or the publisher for any such projects, howsoever undertaken.(c) Jasper Ffforde -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#378935: Bug#287581: splitting ACLs
On Fri, Jul 21, 2006 at 07:04:37PM +0200, Andreas Metzler wrote: > On 2006-07-20 Robert Millan <[EMAIL PROTECTED]> wrote: > > On Thu, Jul 20, 2006 at 07:58:32PM +0200, Andreas Metzler wrote: > [reject after mail from: instead of rcpt to:] > >> iirc (sorry no referrences) some MTAs will react strangely to rejects > >> after MAIL FROM: (instead of RCPT), like marking the whole host as > >> unavailable instead of just the sender. Which is the reason most > >> checks are done after RCPT. > > > Ah.. how odd :) > > > Do you think it's still fine to check for HELO/EHLO in MAIL, though? > [...] > I think so. Ok. This is #378935 (I sent a patch before). May I check it in? -- Robert Millan My spam trap is [EMAIL PROTECTED] Note: this address is only intended for spam harvesters. Writing to it will get you added to my black list. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#287581: splitting ACLs
On 2006-07-20 Robert Millan <[EMAIL PROTECTED]> wrote: > On Thu, Jul 20, 2006 at 07:58:32PM +0200, Andreas Metzler wrote: [reject after mail from: instead of rcpt to:] >> iirc (sorry no referrences) some MTAs will react strangely to rejects >> after MAIL FROM: (instead of RCPT), like marking the whole host as >> unavailable instead of just the sender. Which is the reason most >> checks are done after RCPT. > Ah.. how odd :) > Do you think it's still fine to check for HELO/EHLO in MAIL, though? [...] I think so. cu andreas -- The 'Galactic Cleaning' policy undertaken by Emperor Zhark is a personal vision of the emperor's, and its inclusion in this work does not constitute tacit approval by the author or the publisher for any such projects, howsoever undertaken.(c) Jasper Ffforde -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#287581: splitting ACLs
On Thu, Jul 20, 2006 at 07:58:32PM +0200, Andreas Metzler wrote: > On 2006-07-20 Robert Millan <[EMAIL PROTECTED]> wrote: > > Btw, wrt splitting ACL files, note that #378935 adds a new one > > (25_exim4-config_check_mail). I think some of the rules currently in > > 30_exim4-config_check_rcpt could be moved into this one, with the added > > advantage that they would be performed earlier, saving time and bandwidth. > > > Some of them could even be moved to acl_smtp_helo, like local or > > remote IP-based blacklists. > > > I can send a patch for either of that, if you like. > > Hello, > iirc (sorry no referrences) some MTAs will react strangely to rejects > after MAIL FROM: (instead of RCPT), like marking the whole host as > unavailable instead of just the sender. Which is the reason most > checks are done after RCPT. > cu andreas Ah.. how odd :) Do you think it's still fine to check for HELO/EHLO in MAIL, though? I recall seeing this kind of check from years ago, in my early internet days. I wouldn't be surprised if most MTAs do it by default. -- Robert Millan My spam trap is [EMAIL PROTECTED] Note: this address is only intended for spam harvesters. Writing to it will get you added to my black list. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#287581: splitting ACLs
On 2006-07-20 Robert Millan <[EMAIL PROTECTED]> wrote: > Btw, wrt splitting ACL files, note that #378935 adds a new one > (25_exim4-config_check_mail). I think some of the rules currently in > 30_exim4-config_check_rcpt could be moved into this one, with the added > advantage that they would be performed earlier, saving time and bandwidth. > Some of them could even be moved to acl_smtp_helo, like local or > remote IP-based blacklists. > I can send a patch for either of that, if you like. Hello, iirc (sorry no referrences) some MTAs will react strangely to rejects after MAIL FROM: (instead of RCPT), like marking the whole host as unavailable instead of just the sender. Which is the reason most checks are done after RCPT. cu andreas -- The 'Galactic Cleaning' policy undertaken by Emperor Zhark is a personal vision of the emperor's, and its inclusion in this work does not constitute tacit approval by the author or the publisher for any such projects, howsoever undertaken.(c) Jasper Ffforde -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#287581: splitting ACLs
Btw, wrt splitting ACL files, note that #378935 adds a new one (25_exim4-config_check_mail). I think some of the rules currently in 30_exim4-config_check_rcpt could be moved into this one, with the added advantage that they would be performed earlier, saving time and bandwidth. Some of them could even be moved to acl_smtp_helo, like local or remote IP-based blacklists. I can send a patch for either of that, if you like. -- Robert Millan My spam trap is [EMAIL PROTECTED] Note: this address is only intended for spam harvesters. Writing to it will get you added to my black list. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
