X-Git-Url: https://git.distorted.org.uk/~mdw/exim-config/blobdiff_plain/c1709c7f1a3c8dbc55ea5e2501e4433b5fea05a6..fe8f2338460a4c038aec0b55a69b2421622159cc:/base.m4

diff --git a/base.m4 b/base.m4
index 9182a7c..e779a1a 100644
--- a/base.m4
+++ b/base.m4
@@ -98,8 +98,23 @@ SECTION(global, acl)m4_dnl
 acl_smtp_helo = helo
 SECTION(acl, misc)m4_dnl
 helo:
-	require	 message = The other one has bells on
-		 verify = helo
+	## Check that the caller's claimed identity is actually plausible.
+	## This seems like it's a fairly effective filter on spamminess, but
+	## it's too blunt a tool.  Rather than reject, add a warning header.
+	## Only we can't do this the easy way, so save it up for use in MAIL.
+	## Also, we're liable to get a subsequent HELO (e.g., after STARTTLS)
+	## and we should only care about the most recent one.
+	warn	 set acl_c_helo_warning = false
+		!condition = \
+			${if exists {CONF_sysconf_dir/helo.conf} \
+			     {${lookup {$sender_helo_name} \
+				       partial0-lsearch \
+				       {CONF_sysconf_dir/helo.conf} \
+				       {${if match_ip \
+					     {$sender_host_address} \
+					     {$value}}}}}}
+		!verify = helo
+		 set acl_c_helo_warning = true
 
 	accept
 
@@ -108,6 +123,15 @@ acl_smtp_mail = mail
 SECTION(acl, mail)m4_dnl
 mail:
 
+	## If we stashed a warning header about HELO from earlier, we should
+	## add it now.
+	warn	 condition = $acl_c_helo_warning
+		 add_header = :after_received:X-Distorted-Warning: \
+			BADHELO \
+			Client's HELO doesn't match its IP address.\n\t\
+			HELO name = $sender_helo_name, \
+			address = $sender_host_address
+
 	## Always allow the empty sender, so that we can receive bounces.
 	accept	 senders = :