I just looked at: https://github.com/Exim/exim/wiki/BlockCracking and was wondering if this could be added to the latest spamblocker exim.conf file and if so where to put it.
and:
and:
Code:
accept authenticated = *
set acl_m_user = $authenticated_id
condition = ${if exists{$spool_directory/blocked_authenticated_users}}
condition = ${lookup{$acl_m_user}lsearch\
{$spool_directory/blocked_authenticated_users}{1}{0}}
control = freeze/no_tell
control = submission/domain=
add_header = X-Authenticated-As: $acl_m_user
accept authenticated = *
!verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
ratelimit = LIM / PERIOD / per_rcpt / user-$acl_m_user
continue = ${run{SHELL -c "echo $acl_m_user \
>>$spool_directory/blocked_authenticated_users; \
\N{\N echo Subject: user $acl_m_user blocked; echo; echo because \
has sent mail to LIM invalid recipients during PERIOD.; \
\N}\N | $exim_path -f root WARNTO"}}
control = freeze/no_tell
control = submission/domain=
add_header = X-Authenticated-As: $acl_m_user
accept authenticated = *
control = submission/domain=
and:
Code:
accept hosts = !@[] : +relay_from_hosts
set acl_m_user = $sender_host_address
# or username from RADIUS
condition = ${if exists{$spool_directory/blocked_relay_users}}
condition = ${lookup{$acl_m_user}lsearch\
{$spool_directory/blocked_relay_users}{1}{0}}
control = freeze/no_tell
control = submission/domain=
add_header = X-Relayed-From: $acl_m_user
accept hosts = !@[] : +relay_from_hosts
!verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
ratelimit = LIM / PERIOD / per_rcpt / relayuser-$acl_m_user
continue = ${run{SHELL -c "echo $acl_m_user \
>>$spool_directory/blocked_relay_users; \
\N{\N echo Subject: relay user $acl_m_user blocked; echo; echo \
because has sent mail to LIM invalid recipients during PERIOD.; \
\N}\N | $exim_path -f root WARNTO"}}
control = freeze/no_tell
control = submission/domain=
add_header = X-Relayed-From: $acl_m_user
accept hosts = +relay_from_hosts
control = submission/domain=
and:
Code:
acl_smtp_connect = acl_check_connect
acl_smtp_auth = acl_check_auth
acl_smtp_mail = acl_check_mail
acl_smtp_quit = acl_check_quit
acl_smtp_notquit = acl_check_notquit
LIM = 100
PERIOD = 1h
WARNTO = [email protected]
SHELL = /bin/sh
Code:
acl_check_auth:
drop message = authentication is allowed only once per message in order \
to slow down bruteforce cracking
set acl_m_auth = ${eval10:0$acl_m_auth+1}
condition = ${if >{$acl_m_auth}{2}}
delay = 22s
drop message = blacklisted for bruteforce cracking attempt
set acl_c_authnomail = ${eval10:0$acl_c_authnomail+1}
condition = ${if >{$acl_c_authnomail}{4}}
continue = ${run{SHELL -c "echo $sender_host_address \
>>$spool_directory/blocked_IPs; \
\N{\N echo Subject: $sender_host_address blocked; echo; echo \
for bruteforce auth cracking attempt.; \
\N}\N | $exim_path -f root WARNTO"}}
accept set acl_c_authhash = ${if match{$smtp_command_argument}\
{\N(?i)^(?:plain|login) (.+)$\N}{${nhash_1000:$1}}}
acl_check_quit:
warn condition = $authentication_failed
condition = ${if def:acl_c_authhash}
ratelimit = 0 / 5m / strict / $sender_host_address-$acl_c_authhash
set acl_c_hashrate = ${sg{$sender_rate}{[.].*}{}}
warn condition = $authentication_failed
logwrite = :reject: quit after authentication failed: \
${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
ratelimit = 7 / 5m / strict / per_conn
condition = ${if or{\
{!def:acl_c_authhash}\
{<{$acl_c_hashrate}{2}}\
}}
continue = ${run{SHELL -c "echo $sender_host_address \
>>$spool_directory/blocked_IPs; \
\N{\N echo Subject: $sender_host_address blocked; echo; echo \
for bruteforce auth cracking attempt.; \
\N}\N | $exim_path -f root WARNTO"}}
acl_check_notquit:
warn condition = $authentication_failed
condition = ${if def:acl_c_authhash}
ratelimit = 0 / 5m / strict / $sender_host_address-$acl_c_authhash
set acl_c_hashrate = ${sg{$sender_rate}{[.].*}{}}
warn condition = $authentication_failed
logwrite = :reject: $smtp_notquit_reason after authentication failed: \
${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
condition = ${if eq{$smtp_notquit_reason}{connection-lost}}
ratelimit = 7 / 5m / strict / per_conn
condition = ${if or{\
{!def:acl_c_authhash}\
{<{$acl_c_hashrate}{2}}\
}}
continue = ${run{SHELL -c "echo $sender_host_address \
>>$spool_directory/blocked_IPs; \
\N{\N echo Subject: $sender_host_address blocked; echo; echo \
for bruteforce auth cracking attempt.; \
\N}\N | $exim_path -f root WARNTO"}}
acl_check_mail:
accept set acl_c_authnomail = 0
acl_check_connect:
drop message = $sender_host_address locally blacklisted for a bruteforce \
auth (username+password) cracking attempt
condition = ${if exists{$spool_directory/blocked_IPs}}
condition = ${lookup{$sender_host_address}lsearch\
{$spool_directory/blocked_IPs}{1}{0}}
accept
hash:
accept set acl_c_authhash = ${nhash_1000:$acl_arg1}