Bug#378935: accepts mail without HELO/EHLO
Robert Millan
rmh at aybabtu.com
Wed Jul 19 19:34:32 UTC 2006
Package: exim4-config
Version: 4.62-2
Severity: normal
Tags: patch
Exim currently accepts mail from clients that didn't issue HELO/EHLO in its
default configuration. Given that:
- Issuing HELO/EHLO is mandated by the RFCs.
- The only known clients that send mail in such a broken manner are spam bulk
mailers (TTBOMK).
- Skipping HELO might break custom checks that rely on HELO's argument, such as
SPF.
I think it's not a big loss if exim rejects these in the MAIL ACL :)
Patch attached.
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-1-amd64-k8
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Versions of packages exim4-config depends on:
ii adduser 3.87 Add and remove users and groups
ii debconf [debconf-2.0] 1.5.2 Debian configuration management sy
exim4-config recommends no packages.
-- debconf information excluded
-------------- next part --------------
diff -Nur exim4-4.62.old/debian/debconf/conf.d/acl/25_exim4-config_check_mail exim4-4.62/debian/debconf/conf.d/acl/25_exim4-config_check_mail
--- exim4-4.62.old/debian/debconf/conf.d/acl/25_exim4-config_check_mail 1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.62/debian/debconf/conf.d/acl/25_exim4-config_check_mail 2006-07-19 21:10:59.000000000 +0200
@@ -0,0 +1,14 @@
+
+### acl/25_exim4-config_check_mail
+#################################
+
+# This access control list is used for every MAIL command in an incoming
+# SMTP message. The tests are run in order until the address is either
+# accepted or denied.
+#
+acl_check_mail:
+ deny
+ message = 503 polite people say hello first
+ condition = ${if def:sender_helo_name {no}{yes}}
+
+ accept
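Review bot: The `deny` stanza in `acl_check_mail` carries no `hosts` or authentication exemption, so it rejects every SMTP client that skips HELO/EHLO, trusted local submitters included; either state that this is intended in the header comment or place an exemption for trusted hosts ahead of the `deny`. The header comment says the tests run "until the address is either accepted or denied", but the only test here is on the HELO name, not on an address, so the wording should describe what this ACL actually checks. The condition `${if def:sender_helo_name {no}{yes}}` would also read more directly as a negated test such as `!def:sender_helo_name`.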
diff -Nur exim4-4.62.old/debian/debconf/conf.d/main/02_exim4-config_options exim4-4.62/debian/debconf/conf.d/main/02_exim4-config_options
--- exim4-4.62.old/debian/debconf/conf.d/main/02_exim4-config_options 2006-07-14 21:19:12.000000000 +0200
+++ exim4-4.62/debian/debconf/conf.d/main/02_exim4-config_options 2006-07-19 21:10:59.000000000 +0200
@@ -4,6 +4,15 @@
# Defines the access control list that is run when an
+# SMTP MAIL command is received.
+#
+.ifndef MAIN_ACL_CHECK_MAIL
+MAIN_ACL_CHECK_MAIL = acl_check_mail
+.endif
+acl_smtp_mail = MAIN_ACL_CHECK_MAIL
+
+
+# Defines the access control list that is run when an
# SMTP RCPT command is received.
#
.ifndef MAIN_ACL_CHECK_RCPT
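Review bot: `acl_smtp_mail = MAIN_ACL_CHECK_MAIL` is set unconditionally, so the MAIL-time rejection becomes default behaviour on upgrade, yet the two-line comment above it does not say so or explain the override. Add a sentence noting that defining MAIN_ACL_CHECK_MAIL before this point substitutes a local ACL, so that an admin whose clients omit HELO knows where to change it. The two consecutive added blank lines before the RCPT comment could be reduced to one to match the spacing of the surrounding block.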