From c88967df2d2907b5a3d1440678b8c4860d221442 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Thu, 13 Feb 2025 21:30:04 +0100
Subject: [PATCH] `filter.d/exim.conf` - introduces mode `more` (several rules moved from mode `normal` to `more`), because: - they have basically nothing with authentication; - they can cause false positives (e. g. someone sends several mails from google mailing server to wrong recipients and if they would cause "rejected RCPT - Unknown user", the google host gets banned; - to avoid occasional ban of legitimate servers one'd need create large white-list for `ignoreip` or construct complex `ignorecommands` to exclude all legitimate servers of big players (like google, microsoft, GMX, etc);
---
 config/filter.d/exim.conf | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/config/filter.d/exim.conf b/config/filter.d/exim.conf
index bc36ebf0..de7f6901 100644
--- a/config/filter.d/exim.conf
+++ b/config/filter.d/exim.conf
@@ -15,17 +15,19 @@ before = exim-common.conf prefregex = ^%(__prefix_line)s.+$ -failregex = ^%(host_info)s sender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$ - ^\s?\w+ authenticator failed for%(host_info)s: 535 Incorrect authentication data(?: \(set_id=.*\)|: \d+ Time\(s\))?\s*$ - ^%(host_info)s rejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$ +failregex = ^\s?\w+ authenticator failed for%(host_info)s: 535 Incorrect authentication data(?: \(set_id=.*\)|: \d+ Time\(s\))?\s*$ + > + +mdre-more = ^%(host_info)s sender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$ + ^%(host_info)s rejected RCPT (?:[^@]+@\S+:)? ^\s?SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+")%(host_info)s (?:next )?input=".*"\s*$ ^\s?SMTP call from%(host_info)s dropped: too many (?:(?:nonmail|unrecognized) commands|syntax or protocol errors) ^\s?SMTP protocol error in "[^"]+(?:"+[^"]*(?="))*?"%(host_info)s [A-Z]+ (?:command used when not advertised|authentication mechanism not supported)\s*$ ^\s?no MAIL in SMTP connection from%(host_info)s ^\s?(?:[\w\-]+ )?SMTP connection from%(host_info)s closed by DROP in ACL\s*$ - > -mdre-aggressive = ^\s?no host name found for IP address $ +mdre-aggressive = %(mdre-more)s + ^\s?no host name found for IP address $ ^\s?no IP address found for host \S+ \(during SMTP connection from%(host_info)s\)$ ^%(host_info)s dropped by '[^']+' ACL:
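Review bot: The new `mdre-more` block has no comment saying what it covers, and with it the default `normal` mode stops matching the relay, RCPT-verify and SMTP protocol-error lines that `failregex` used to carry, so an existing jail without an explicit mode silently loses those bans after an upgrade. I would add a comment above `mdre-more =`, for example `# mode "more": rejections unrelated to authentication (sender/RCPT verify, protocol errors, DROP in ACL); can ban legitimate relays, so opt in with filter = exim[mode=more]`. The diffstat shows only these regex lines changed, so if the file documents the `mode` parameter elsewhere, that text presumably still lists only normal and aggressive and needs the same update. The rest of the [Definition] section lies outside the hunk.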