git://git.exim.org / exim.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 25cd313)
Default config: reject on too many bad RCPT
authorPhil Pennock <phil+git@pennock-tech.com>
Fri, 30 Oct 2020 02:14:45 +0000 (22:14 -0400)
committerHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Thu, 27 May 2021 19:30:20 +0000 (21:30 +0200)
An example exploit failed against my system, because I had this sanity guard in
place; it's not a real security fix since a careful attacker could find enough
valid recipients to hit that problem, but it highlights that this is a useful
enough pattern that we should encourage its wider use.

(cherry picked from commit 2a636a39fff29b7c3da1798767a510dfed982a62)
(cherry picked from commit 346f96bad326893f9c1fa772a5b8ac35b1f8f7bd)

doc/doc-txt/ChangeLog patch | blob | history
src/src/configure.default patch | blob | history

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index c219275fcdbfcb7f177067e5278fda3002eecd1f..d741e3532d9cee83d11dc86e8add4f4da6b72d69 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -256,6 +256,8 @@ HS/01 Enforce absolute PID file path name.
 
 HS/02 Handle SIGINT as we handle SIGTERM: terminate the Exim process.
 
+PP/01 Add a too-many-bad-recipients guard to the default config's RCPT ACL.
+
 
 Exim version 4.94
 -----------------
diff --git a/src/src/configure.default b/src/src/configure.default
index 6127a9bf081504f653ae56f461f81cdde78b27ab..87f255aa91fbdd7f6c8c383f633dc5eb04954c62 100644 (file)
--- a/src/src/configure.default
+++ b/src/src/configure.default
@@ -458,6 +458,20 @@ acl_check_rcpt:
 
   require verify        = sender
 
+  # Reject all RCPT commands after too many bad recipients
+  # This is partly a defense against spam abuse and partly attacker abuse.
+  # Real senders should manage, by the time they get to 10 RCPT directives,
+  # to have had at least half of them be real addresses.
+  #
+  # This is a lightweight check and can protect you against repeated
+  # invocations of more heavy-weight checks which would come after it.
+
+  deny    condition     = ${if and {\
+                        {>{$rcpt_count}{10}}\
+                        {<{$recipients_count}{${eval:$rcpt_count/2}}} }}
+          message       = Rejected for too many bad recipients
+          logwrite      = REJECT [$sender_host_address]: bad recipient count high [${eval:$rcpt_count-$recipients_count}]
+
   # Accept if the message comes from one of the hosts for which we are an
   # outgoing relay. It is assumed that such hosts are most likely to be MUAs,
   # so we set control=submission to make Exim treat the message as a
Master Exim source repository