From 77467eeebddd6853c04f462be8117a24f3603c53 Mon Sep 17 00:00:00 2001
From: myvesta <38690722+myvesta@users.noreply.github.com>
Date: Wed, 12 Apr 2023 19:58:32 +0200
Subject: [PATCH] exim4 HELO authenticated patch
---
install/debian/10/exim/exim4.conf.template | 10 ++++++----
install/debian/11/exim/exim4.conf.template | 10 ++++++----
install/debian/11/exim/exim4.conf.template-RC | 10 ++++++----
install/debian/8/exim/exim4.conf.template | 10 ++++++----
install/debian/9/exim/exim4.conf.template | 10 ++++++----
.../tools/patches/exim_helo_authenticated.patch | 14 ++++++++++++++
6 files changed, 44 insertions(+), 20 deletions(-)
create mode 100644 src/deb/for-download/tools/patches/exim_helo_authenticated.patch
diff --git a/install/debian/10/exim/exim4.conf.template b/install/debian/10/exim/exim4.conf.template
index 70577b6e..0e5afaac 100644
--- a/install/debian/10/exim/exim4.conf.template
+++ b/install/debian/10/exim/exim4.conf.template
@@ -91,16 +91,18 @@ acl_check_mail: deny condition = ${if eq{$sender_helo_name}{}} message = HELO required before MAIL - drop message = Helo name contains a ip address (HELO was $sender_helo_name) and not is valid + drop !authenticated = * + message = Helo name contains a ip address (HELO was $sender_helo_name) and not is valid condition = ${if match{$sender_helo_name}{\N((\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3})|([0-9a-f]{8})|([0-9A-F]{8}))\N}{yes}{no}} - condition = ${if match{${lc:$sender_host_name}}{.telenor.rs}{false}{true}} condition = ${if match {${lookup dnsdb{>: defer_never,ptr=$sender_host_address}}\}{$sender_helo_name}{no}{yes}} delay = 45s - drop condition = ${if isip{$sender_helo_name}} + drop !authenticated = * + condition = ${if isip{$sender_helo_name}} message = Access denied - Invalid HELO name (See RFC2821 4.1.3) - drop condition = ${if eq{[$interface_address]}{$sender_helo_name}} + drop !authenticated = * + condition = ${if eq{[$interface_address]}{$sender_helo_name}} message = $interface_address is _my_ address accept diff --git a/install/debian/11/exim/exim4.conf.template b/install/debian/11/exim/exim4.conf.template index 4b3c0dd9..72e3f668 100644 --- a/install/debian/11/exim/exim4.conf.template +++ b/install/debian/11/exim/exim4.conf.template 
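Review bot: Nothing in the hunk records why authenticated sessions are exempted: with `!authenticated = *` as the first condition of all three `drop` statements, any session that has completed SMTP AUTH skips every HELO sanity check and the `delay = 45s` that goes with the first one. A comment above the first `drop` would make the intent auditable, for example `# Mail clients often send an IP literal or a private name in HELO; apply the HELO checks to unauthenticated peers only`. Since a session using stolen mailbox credentials is exempted in the same way, it is worth confirming that per-account sending limits are enforced in a part of the configuration not visible here. The same change and the same missing comment appear in the debian/11, debian/11 `-RC`, debian/8 and debian/9 hunks; `acl_check_mail` itself starts above this hunk and may continue below it.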
@@ -91,16 +91,18 @@ acl_check_mail: deny condition = ${if eq{$sender_helo_name}{}} message = HELO required before MAIL - drop message = Helo name contains a ip address (HELO was $sender_helo_name) and not is valid + drop !authenticated = * + message = Helo name contains a ip address (HELO was $sender_helo_name) and not is valid condition = ${if match{$sender_helo_name}{\N((\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3})|([0-9a-f]{8})|([0-9A-F]{8}))\N}{yes}{no}} - condition = ${if match{${lc:$sender_host_name}}{.telenor.rs}{false}{true}} condition = ${if match {${lookup dnsdb{>: defer_never,ptr=$sender_host_address}}\}{$sender_helo_name}{no}{yes}} delay = 45s - drop condition = ${if isip{$sender_helo_name}} + drop !authenticated = * + condition = ${if isip{$sender_helo_name}} message = Access denied - Invalid HELO name (See RFC2821 4.1.3) - drop condition = ${if eq{[$interface_address]}{$sender_helo_name}} + drop !authenticated = * + condition = ${if eq{[$interface_address]}{$sender_helo_name}} message = $interface_address is _my_ address accept diff --git a/install/debian/11/exim/exim4.conf.template-RC b/install/debian/11/exim/exim4.conf.template-RC index 36ba2a0d..e5ba36ab 100644 --- a/install/debian/11/exim/exim4.conf.template-RC +++ b/install/debian/11/exim/exim4.conf.template-RC 
@@ -108,16 +108,18 @@ acl_check_mail: deny condition = ${if eq{$sender_helo_name}{}} message = HELO required before MAIL - drop message = Helo name contains a ip address (HELO was $sender_helo_name) and not is valid + drop !authenticated = * + message = Helo name contains a ip address (HELO was $sender_helo_name) and not is valid condition = ${if match{$sender_helo_name}{\N((\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3})|([0-9a-f]{8})|([0-9A-F]{8}))\N}{yes}{no}} - condition = ${if match{${lc:$sender_host_name}}{.telenor.rs}{false}{true}} condition = ${if match {${lookup dnsdb{>: defer_never,ptr=$sender_host_address}}\}{$sender_helo_name}{no}{yes}} delay = 45s - drop condition = ${if isip{$sender_helo_name}} + drop !authenticated = * + condition = ${if isip{$sender_helo_name}} message = Access denied - Invalid HELO name (See RFC2821 4.1.3) - drop condition = ${if eq{[$interface_address]}{$sender_helo_name}} + drop !authenticated = * + condition = ${if eq{[$interface_address]}{$sender_helo_name}} message = $interface_address is _my_ address accept diff --git a/install/debian/8/exim/exim4.conf.template b/install/debian/8/exim/exim4.conf.template index e49bbf4e..261947d2 100644 --- a/install/debian/8/exim/exim4.conf.template +++ b/install/debian/8/exim/exim4.conf.template 
@@ -87,16 +87,18 @@ acl_check_mail: deny condition = ${if eq{$sender_helo_name}{}} message = HELO required before MAIL - drop message = Helo name contains a ip address (HELO was $sender_helo_name) and not is valid + drop !authenticated = * + message = Helo name contains a ip address (HELO was $sender_helo_name) and not is valid condition = ${if match{$sender_helo_name}{\N((\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3})|([0-9a-f]{8})|([0-9A-F]{8}))\N}{yes}{no}} - condition = ${if match{${lc:$sender_host_name}}{.telenor.rs}{false}{true}} condition = ${if match {${lookup dnsdb{>: defer_never,ptr=$sender_host_address}}\}{$sender_helo_name}{no}{yes}} delay = 45s - drop condition = ${if isip{$sender_helo_name}} + drop !authenticated = * + condition = ${if isip{$sender_helo_name}} message = Access denied - Invalid HELO name (See RFC2821 4.1.3) - drop condition = ${if eq{[$interface_address]}{$sender_helo_name}} + drop !authenticated = * + condition = ${if eq{[$interface_address]}{$sender_helo_name}} message = $interface_address is _my_ address accept diff --git a/install/debian/9/exim/exim4.conf.template b/install/debian/9/exim/exim4.conf.template index e49bbf4e..261947d2 100644 --- a/install/debian/9/exim/exim4.conf.template +++ b/install/debian/9/exim/exim4.conf.template 
@@ -87,16 +87,18 @@ acl_check_mail: deny condition = ${if eq{$sender_helo_name}{}} message = HELO required before MAIL - drop message = Helo name contains a ip address (HELO was $sender_helo_name) and not is valid + drop !authenticated = * + message = Helo name contains a ip address (HELO was $sender_helo_name) and not is valid condition = ${if match{$sender_helo_name}{\N((\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3})|([0-9a-f]{8})|([0-9A-F]{8}))\N}{yes}{no}} - condition = ${if match{${lc:$sender_host_name}}{.telenor.rs}{false}{true}} condition = ${if match {${lookup dnsdb{>: defer_never,ptr=$sender_host_address}}\}{$sender_helo_name}{no}{yes}} delay = 45s - drop condition = ${if isip{$sender_helo_name}} + drop !authenticated = * + condition = ${if isip{$sender_helo_name}} message = Access denied - Invalid HELO name (See RFC2821 4.1.3) - drop condition = ${if eq{[$interface_address]}{$sender_helo_name}} + drop !authenticated = * + condition = ${if eq{[$interface_address]}{$sender_helo_name}} message = $interface_address is _my_ address accept diff --git a/src/deb/for-download/tools/patches/exim_helo_authenticated.patch b/src/deb/for-download/tools/patches/exim_helo_authenticated.patch new file mode 100644 index 00000000..9dd8dbad --- /dev/null +++ b/src/deb/for-download/tools/patches/exim_helo_authenticated.patch 
@@ -0,0 +1,14 @@ +--- /etc/exim4/exim4.conf.template.orig 2023-04-12 19:05:20.745847763 +0200 ++++ /etc/exim4/exim4.conf.template 2023-04-12 19:34:29.000000000 +0200 +@@ -94 +94,2 @@ +- drop message = Helo name contains a ip address (HELO was $sender_helo_name) and not is valid ++ drop !authenticated = * ++ message = Helo name contains a ip address (HELO was $sender_helo_name) and not is valid +@@ -100 +101,2 @@ +- drop condition = ${if isip{$sender_helo_name}} ++ drop !authenticated = * ++ condition = ${if isip{$sender_helo_name}} +@@ -103 +105,2 @@ +- drop condition = ${if eq{[$interface_address]}{$sender_helo_name}} ++ drop !authenticated = * ++ condition = ${if eq{[$interface_address]}{$sender_helo_name}}
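Review bot: The shipped patch file does not make the same change as the templates: its three hunks only add `!authenticated = *`, and the `+101` and `+105` offsets show that the `.telenor.rs` host-name condition deleted by the template hunks is left in place. Servers updated with this patch would therefore keep an unanchored, reverse-DNS-based exemption from the first HELO check that fresh installs no longer have; consider adding a hunk that removes that line, or a comment stating that the difference is deliberate. The hunks also carry no context lines and target lines 94, 100 and 103, while the debian/8, debian/9 and 11 `-RC` templates have this block at other offsets. Whatever applies the patch should check the result first, for example with `patch --dry-run`, and keep the `.orig` copy until exim has been reloaded successfully.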