Posted by Steve on Wed 7 Jun 2006 at 16:21
One thing I have noticed on my mailserver in recent months is a large number of spam mails whose HELO greeting identifies the sending host as my own IP address. Since a genuine client never does that, rejecting such connections is a cheap check worth running before any more intensive filtering is done.
When a client delivers mail to your mailserver it first introduces itself with the SMTP HELO (or EHLO) command. The client is supposed to give its own hostname or IP address as the parameter, but increasingly this is being abused: spam clients identify themselves with the IP address of the mail server they are connecting to, or with localhost.
There are two simple ways to stop this: an automatic configuration, which compares the HELO name against the address Exim is listening on, and a manual configuration, which rejects any name found in a list you maintain. Both are described below.
Exim4 may be configured in two different ways on Debian systems, either using a single monolithic file or a "split configuration". Which layout is in use is set by dc_use_split_config in /etc/exim4/update-exim4.conf.conf; the Debian default is the monolithic layout.
I prefer the split configuration. If you use it, the file you need to modify is /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt.
If you have the monolithic configuration then you'll need to find the relevant section inside /etc/exim4/exim4.conf.template (or inside /etc/exim4/exim4.conf if you maintain a hand-written configuration that bypasses the Debian template).
After editing a Debian-generated configuration run update-exim4.conf and then restart Exim so the change takes effect; a hand-written /etc/exim4/exim4.conf only needs the restart.
Automatic Configuration
Because Exim knows which IP address it is listening on, it can be configured to drop messages whose HELO greeting uses that address, with no list to maintain.
This solves part of the problem, but it does not catch senders identifying themselves as localhost or localhost.localdomain; the manual configuration below handles those.
Open the configuration file and look for the section labelled acl_check_rcpt:. After that line, before the accept rules that follow it, add:

    # Forged hostname - HELOs as one of my own IPs
    deny message     = Forged IP detected in HELO: $sender_helo_name
         log_message = Forged IP detected in HELO: $sender_helo_name
         condition   = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}

This tests the name the sender gave in its HELO (sender_helo_name) against the IP address Exim is listening on (interface_address). If they match the recipient is rejected with a 550 reply and the log_message text is written to the reject log. Note that eq is an exact string comparison, so it does not match the bracketed address-literal form [80.68.80.176] that RFC 5321 prescribes for a bare IP address, and on a host with several addresses it only checks the one the client actually connected to.
Manual Configuration
The manual configuration lets you reject connections based on an arbitrary list of names the client might identify itself as, not just the address Exim is listening on.
The downside is that you will have to remember to update your list of rejected addresses/names if you change your server's IP address.
The configuration is very similar to the previous example; we just need to put the names to deny in a file, one per line.
I have /etc/exim4/reject/helo which contains:

    127.0.0.1
    localhost
    localhost.localdomain
    80.68.80.176

The configuration snippet looks like this:

    #
    # Do not accept messages from hosts using our IPs in HELO
    #
    deny message     = Forged IP in HELO.
         log_message = HELO is our IP
         condition   = ${lookup {$sender_helo_name} \
                          lsearch{/etc/exim4/reject/helo} \
                          {yes}{no}}

Here we look up the name the client greeted us with in /etc/exim4/reject/helo, and if it is found we reject the message. lsearch treats the first word of each line as the key and ignores blank lines and lines starting with #, so the file may carry comments. The file must be readable by the Debian-exim user. Because localhost is on the list, any client on the machine itself that greets with HELO localhost will be rejected too; if local software does that, add a hosts = ! 127.0.0.1 (or hosts = ! +relay_from_hosts) line to the rule so trusted hosts are exempt.
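As an added example (my own code, not part of the article or of Exim itself), here is a Python model of both ACL decisions so the logic can be exercised offline: it loads an lsearch-style reject file (a constructed copy of the one above), compares the HELO argument with the listening address, and returns the SMTP reply the RCPT TO command would receive. It goes slightly beyond the article's conditions by also stripping the [address-literal] brackets that RFC 5321 prescribes for a bare IP address, which the eq test as written would miss. The listening address 192.0.2.25, the function names and the simulated session are assumptions made for the demonstration.

```python
import ipaddress
import re

# Constructed sample reject list in the format of /etc/exim4/reject/helo
# from the article (one name or address per line, # comments allowed).
REJECT_HELO_FILE = """\
# names and addresses nobody legitimate should greet us with
127.0.0.1
localhost
localhost.localdomain
80.68.80.176
"""


def load_reject_list(text):
    """Parse an lsearch-style file: the key is the first field of each line,
    terminated by a colon or white space; blank and # lines are skipped."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key = re.split(r"[:\s]", line, maxsplit=1)[0]
        keys.add(key.lower())
    return keys


def normalise_helo(helo):
    """Strip the address-literal brackets RFC 5321 requires for a bare IP
    ("HELO [192.0.2.1]", "HELO [IPv6:2001:db8::1]") so a bracketed forgery
    of our own address is caught too.  The article's eq condition compares
    the raw string, so it would accept the bracketed form (assumption: Exim
    keeps the HELO argument verbatim in $sender_helo_name)."""
    helo = helo.strip()
    if helo.startswith("[") and helo.endswith("]"):
        helo = helo[1:-1]
    if helo.lower().startswith("ipv6:"):
        helo = helo[5:]
    return helo


def automatic_check(helo, interface_address):
    """Model of the first ACL: deny when HELO equals the address we listen on."""
    try:
        return (ipaddress.ip_address(normalise_helo(helo))
                == ipaddress.ip_address(interface_address))
    except ValueError:
        return False  # HELO was a hostname, not an address literal


def manual_check(helo, reject_keys):
    """Model of the second ACL: deny when HELO is a key in the lsearch file."""
    return normalise_helo(helo).lower() in reject_keys


def acl_check_rcpt(helo, interface_address, reject_keys):
    """Return the reply RCPT TO would get; Exim answers a deny with 550."""
    if automatic_check(helo, interface_address):
        return "550 Forged IP detected in HELO: %s" % helo
    if manual_check(helo, reject_keys):
        return "550 Forged IP in HELO."
    return "250 Accepted"


def simulate_session(helo, mail_from, rcpt_to, interface_address, reject_keys):
    """Walk the session up to RCPT TO and return (command, reply) pairs.
    Both rules live in acl_check_rcpt, so the forged HELO itself still gets
    a 250; the rejection only appears when the recipient is given."""
    return [
        ("HELO " + helo, "250 mail.example.org Hello " + helo),
        ("MAIL FROM:<%s>" % mail_from, "250 OK"),
        ("RCPT TO:<%s>" % rcpt_to,
         acl_check_rcpt(helo, interface_address, reject_keys)),
    ]


if __name__ == "__main__":
    keys = load_reject_list(REJECT_HELO_FILE)
    for cmd, reply in simulate_session("[192.0.2.25]", "spam@example.com",
                                       "steve@example.org", "192.0.2.25", keys):
        print("C: %s\nS: %s" % (cmd, reply))
```

Running the block prints the simulated exchange, showing that a client greeting with the server's own address in brackets is only turned away at RCPT TO.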
This is such a small change that it seems almost pointless to make, but it is surprisingly effective.
When Exim rejects a message it logs it in /var/log/exim4/rejectlog. Both log_message texts above contain the word HELO, so a grep for it counts the rejections made by these rules; looking in there I can see that almost 100 messages have been rejected:

    steve@skx2:~$ grep HELO /var/log/exim4/rejectlog | wc -l
    96
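To go beyond a bare count, here is an added Python example (my own, not from the article) that parses reject-log lines of the shape Exim writes for a RCPT rejection, "H=(helo) [client-ip] ... rejected RCPT <rcpt>: log_message", and reports which forged HELO names and which client addresses are most common. The log lines embedded below are constructed for the example using documentation addresses; check the regular expression against a real line from your own rejectlog before relying on it.

```python
import re
from collections import Counter

# Constructed sample of /var/log/exim4/rejectlog lines.  "H=(helo) [ip]"
# is the form used when the client has no reverse DNS; "H=name (helo) [ip]"
# when it does.  All names and addresses here are made up.
SAMPLE_REJECTLOG = """\
2006-06-07 10:02:11 H=(80.68.80.176) [203.0.113.5] F=<promo@example.com> rejected RCPT <steve@example.org>: Forged IP detected in HELO: 80.68.80.176
2006-06-07 10:15:40 H=(localhost) [198.51.100.17] F=<offer@example.net> rejected RCPT <steve@example.org>: HELO is our IP
2006-06-07 11:01:03 H=(80.68.80.176) [203.0.113.9] F=<deals@example.com> rejected RCPT <sales@example.org>: Forged IP detected in HELO: 80.68.80.176
2006-06-07 11:30:55 H=mx.example.co.uk (mx.example.co.uk) [192.0.2.44] F=<bob@example.co.uk> rejected RCPT <nobody@example.org>: Unrouteable address
2006-06-07 12:05:12 H=(localhost.localdomain) [198.51.100.17] F=<offer@example.net> rejected RCPT <steve@example.org>: HELO is our IP
"""

# timestamp, optional reverse-DNS name, HELO argument in parentheses,
# client address in brackets, then the recipient and the ACL log_message.
REJECT_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) H=(?:\S+ )?\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]"
    r".*? rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$"
)


def helo_rejections(log_text):
    """Return (helo, client_ip, reason) for every rejection whose log_message
    mentions HELO, i.e. the lines the article's grep would count."""
    hits = []
    for line in log_text.splitlines():
        m = REJECT_LINE.match(line)
        if m and "HELO" in m.group("reason"):
            hits.append((m.group("helo"), m.group("ip"), m.group("reason")))
    return hits


def count_helo_rejections(log_text):
    """Equivalent of: grep HELO rejectlog | wc -l"""
    return len(helo_rejections(log_text))


def top_forged_names(log_text, n=5):
    """Most frequently forged HELO names, for tuning the manual reject list."""
    return Counter(h for h, _, _ in helo_rejections(log_text)).most_common(n)


def top_client_ips(log_text, n=5):
    """Client addresses sending the most forged HELOs, candidates for a
    host-level block if they persist."""
    return Counter(ip for _, ip, _ in helo_rejections(log_text)).most_common(n)


if __name__ == "__main__":
    print("HELO rejections:", count_helo_rejections(SAMPLE_REJECTLOG))
    print("forged names:", top_forged_names(SAMPLE_REJECTLOG))
    print("client IPs:", top_client_ips(SAMPLE_REJECTLOG))
```

The "Unrouteable address" line is deliberately included to show that only rejections from the HELO rules are counted; replace SAMPLE_REJECTLOG with open("/var/log/exim4/rejectlog").read() to run it over the real file.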
This article can be found online at the Debian Administration website, along with associated comments.
This article is copyright 2006 Steve - please ask for permission to republish or translate.