The simplest way to add SMTP transaction delays is to append a delay control to the final accept statement in each of the ACLs we have declared, as follows:
accept delay = 20s |
In addition, you may want to add progressive delays in the deny statement pertaining to invalid recipients ("unknown user") within acl_rcpt_to. This is to slow down dictionary attacks. For instance:
deny message = unknown user !verify = recipient/callout=20s,defer_ok,use_sender delay = ${eval:$rcpt_fail_count*10 + 20}s |
It should be noted that there is no point in imposing a delay in acl_data, after the message data has been received. Ratware commonly disconnect at this point, before even receiving a response from your server. In any case, whether or not the client disconnects at this point has no bearing on whether Exim will proceed with the delivery of the message.
If you are like me, you want to be a little bit more selective about which hosts you subject to SMTP transaction delays. For instance, as described earlier in this document, you may decide that a match from a DNS blacklist or a non-verifiable EHLO/HELO greeting are not conditions that by themselves warrant a rejection - but they may well be sufficient triggers for transaction delays.
In order perform selective delays, we want move some of the checks that we previously did in acl_rcpt_to to earlier points in the SMTP transaction. This is so that we can start imposing the delays as soon as we see any sign of trouble, and thereby increase the chance of causing synchronization errors and other trouble for ratware.
Specifically, we want to:
Move the DNS checks to acl_connect.
Move the Hello checks to acl_helo. One exception: We cannot yet check for a missing Hello greeting at this point, because this ACL is processed in response to an EHLO or HELO command. We will do this check in the acl_mail_from ACL.
Move the Sender Address Checks checks to acl_mail_from.
However, for reasons described above, we do not want to actually reject the mail until after the RCPT TO: command. Instead, in the earlier ACLs, we will convert the various deny statements into warn statements, and use Exim's general purpose ACL variables to store any error messages or warnings until after the RCPT TO: command. We do that as follows:
If we decide to reject the delivery, we store an error message to be used in the forthcoming 550 response in $acl_c0 or $acl_m0:
If we identify the condition before a mail delivery has started (i.e. in acl_connect or acl_helo), we use the connection-persistent variable $acl_c0
Once a mail transaction has started (i.e. after the MAIL FROM: command), we copy any contents from $acl_c0 into the message-specific variable $acl_m0, and use the latter from this point forward. This way, any conditions identified in this particular message will not affect any subsequent messages received in the same connection.
Also, we store a corresponding log message in $acl_c1 or $acl_m1, in a similar manner.
If we come across a condition that does not warrant an outright rejection, we only store a warning message in $acl_c1 or $acl_m1. Once a mail transaction has started (i.e. in acl_mail_from), we add any content in this variable to the message header as well.
If we decide to accept a message without regard to the results of any subsequent checks (such as a SpamAssassin scan), we set a flag in $acl_c0 or $acl_m0, but $acl_c1 and $acl_m1 empty.
At the beginning of every ACL to and including acl_mail_from, we record the current timestamp in $acl_m2. At the end of the ACL, we use the presence of $acl_c1 or $acl_m1 to trigger a SMTP transaction delay until a total of 20 seconds has elapsed.
The following table summarizes our use of these variables:
Table A-1. Use of ACL connection/message variables
Variables: | $acl_[cm]0 unset | $acl_[cm]0 set |
---|---|---|
$acl_[cm]1 unset | (No decision yet) | Accept the mail |
$acl_[cm]1 set | Add warning in header | Reject the mail |
As an example of this approach, let us consider two checks that we do in response to the Hello greeting; one that will reject mails if the peer greets with an IP address, and one that will warn about an unverifiable name in the greeting. Previously, we did both of these checks in acl_rcpt_to - now we move them to the acl_helo ACL.
acl_helo: # Record the current timestamp, in order to calculate elapsed time # for subsequent delays warn set acl_m2 = $tod_epoch # Accept mail received over local SMTP (i.e. not over TCP/IP). # We do this by testing for an empty sending host field. # Also accept mails received from hosts for which we relay mail. # accept hosts = : +relay_from_hosts # If the remote host greets with an IP address, then prepare a reject # message in $acl_c0, and a log message in $acl_c1. We will later use # these in a "deny" statement. In the mean time, their presence indicate # that we should keep stalling the sender. # warn condition = ${if isip {$sender_helo_name}{true}{false}} set acl_c0 = Message was delivered by ratware set acl_c1 = remote host used IP address in HELO/EHLO greeting # If HELO verification fails, we prepare a warning message in acl_c1. # We will later add this message to the mail header. In the mean time, # its presence indicates that we should keep stalling the sender. # warn condition = ${if !def:acl_c1 {true}{false}} !verify = helo set acl_c1 = X-HELO-Warning: Remote host $sender_host_address \ ${if def:sender_host_name {($sender_host_name) }}\ incorrectly presented itself as $sender_helo_name log_message = remote host presented unverifiable HELO/EHLO greeting. # # ... additional checks omitted for this example ... # # Accept the connection, but if we previously generated a message in # $acl_c1, stall the sender until 20 seconds has elapsed. accept set acl_m2 = ${if def:acl_c1 {${eval:20 + $acl_m2 - $tod_epoch}}{0}} delay = ${if >{$acl_m2}{0}{$acl_m2}{0}}s |
Then, in acl_mail_from we transfer the messages from $acl_c{0,1} to $acl_m{0,1}. We also add the contents of $acl_c1 to the message header.
acl_mail_from: # Record the current timestamp, in order to calculate elapsed time # for subsequent delays warn set acl_m2 = $tod_epoch # Accept mail received over local SMTP (i.e. not over TCP/IP). # We do this by testing for an empty sending host field. # Also accept mails received from hosts for which we relay mail. # accept hosts = : +relay_from_hosts # If present, the ACL variables $acl_c0 and $acl_c1 contain rejection # and/or warning messages to be applied to every delivery attempt in # in this SMTP transaction. Assign these to the corresponding # $acl_m{0,1} message-specific variables, and add any warning message # from $acl_m1 to the message header. (In the case of a rejection, # $acl_m1 actually contains a log message instead, but this does not # matter, as we will discard the header along with the message). # warn set acl_m0 = $acl_c0 set acl_m1 = $acl_c1 message = $acl_c1 # # ... additional checks omitted for this example ... # # Accept the sender, but if we previously generated a message in # $acl_c1, stall the sender until 20 seconds has elapsed. accept set acl_m2 = ${if def:acl_c1 {${eval:20 + $acl_m2 - $tod_epoch}}{0}} delay = ${if >{$acl_m2}{0}{$acl_m2}{0}}s |
All the pertinent changes are incorporated in the Final ACLs, to follow.