From: Mark Wooding
Date: Mon, 3 Feb 2014 15:35:04 +0000 (+0000)
Subject: base.m4: More subtle handling of HELO greetings.
X-Git-Url: https://git.distorted.org.uk/~mdw/exim-config/commitdiff_plain/fe8f2338460a4c038aec0b55a69b2421622159cc
base.m4: More subtle handling of HELO greetings.
Rather than rejecting incorrect HELO greetings, we make two adjustments: * There's now an auxiliary list, `helo.conf', of manually provided exceptions, for well-known and basically honest hosts which are just misconfigured. * A failure to provide a correct HELO greeting now results in a BADHELO warning header rather than an immediate rejection. SpamAssassin has been configured to notice these headers and assign points for them, because they do seem to be a good indicator of spamminess.
---
diff --git a/base.m4 b/base.m4
index 9182a7c..e779a1a 100644
--- a/base.m4
+++ b/base.m4
@@ -98,8 +98,23 @@ SECTION(global, acl)m4_dnl
 acl_smtp_helo = helo
 SECTION(acl, misc)m4_dnl
 helo:
- require message = The other one has bells on
- verify = helo
+ ## Check that the caller's claimed identity is actually plausible.
+ ## This seems like it's a fairly effective filter on spamminess, but
+ ## it's too blunt a tool. Rather than reject, add a warning header.
+ ## Only we can't do this the easy way, so save it up for use in MAIL.
+ ## Also, we're liable to get a subsequent HELO (e.g., after STARTTLS)
+ ## and we should only care about the most recent one.
+ warn set acl_c_helo_warning = false
+ !condition = \
+ ${if exists {CONF_sysconf_dir/helo.conf} \
+ {${lookup {$sender_helo_name} \
+ partial0-lsearch \
+ {CONF_sysconf_dir/helo.conf} \
+ {${if match_ip \
+ {$sender_host_address} \
+ {$value}}}}}}
+ !verify = helo
+ set acl_c_helo_warning = true
 accept
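Review bot: Nothing in the new comment block above the `warn` says what `helo.conf` must contain, although the safety of the exemption depends entirely on it. The lookup key is the client-supplied `$sender_helo_name`, and with `partial0-lsearch` a wildcard key such as `*.example.org` can match it, so the only thing tying an entry to a real host is the `match_ip` test of `$sender_host_address` against `$value`. An entry whose address list is too broad exempts every client that claims that name. I would add a line such as `## helo.conf maps a HELO name (or partial key) to the IP list that host may use; keep each list as narrow as the host's real addresses.`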
@@ -108,6 +123,15 @@ acl_smtp_mail = mail
 SECTION(acl, mail)m4_dnl
 mail:
+ ## If we stashed a warning header about HELO from earlier, we should
+ ## add it now.
+ warn condition = $acl_c_helo_warning
+ add_header = :after_received:X-Distorted-Warning: \
+ BADHELO \
+ Client's HELO doesn't match its IP address.\n\t\
+ HELO name = $sender_helo_name, \
+ address = $sender_host_address
+ ## Always allow the empty sender, so that we can receive bounces.
 accept senders = :
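Review bot: The new `warn` in `mail:` fires only when `$acl_c_helo_warning` expands to a true value, and that variable is set solely by the `helo` ACL, so a client that sends MAIL without any HELO/EHLO leaves it unset and never gets the BADHELO header. Unless a greeting is required elsewhere in the file (not visible in this diff), the check fails open for exactly the clients that offered no identity at all. I would treat a missing greeting as bad too, e.g. `warn condition = ${if or {{bool{$acl_c_helo_warning}} {eq{$sender_helo_name}{}}}}`, or add a `deny` on an empty `$sender_helo_name` ahead of it. The `mail:` ACL continues past the end of this hunk, so later statements may already cover this.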