Exim4 blacklists seemingly not working [Resolved]


#14

I find the exim docs tight and often intense. Still, it’s useful – if I’m found lying on the floor I only need to say “exim”.


#15

I’ve been rummaging around the forums looking for an answer to something related to the firewall blacklists, and that is IPv6 addresses.

I have made the assumption that I can just touch a file into /etc/symbiosis/firewall/blacklist.d/ using the IPv6 address as the filename, no different from IPv4 addresses.

The above is kind of unrelated to this thread, although below it isn’t.

One thing I have noticed from my tests is that a locally blacklisted sender is sent an email with a Subject of “Mail Delivery Failed”, so at least it isn’t bouncing with dirty, perverted subjects.

I have attempted my first regular expression based rule in by_sender. I think this should work; just awaiting another spam from them.

\N^.*@sut\d\.co\.uk$\N

Should catch sut1.co.uk, sut2.co.uk all the way up to sut9, unless I don’t need the \Ns


#16

It should work but it’s masked to /64 – I’m not sure of the syntax but I’d try something like:
2001:dead:beef::|64

That’s fully out of whack. The blacklist should be consulted during the initial negotiation and result in a protocol rejection before you’ve even seen the message. (The sending mailserver will then probably report the failed delivery to the sender).


#17

This is what the automatic system based on patterns does for files in the blacklist directory. It stores the top part of the IPv6, and replaces / by | because / is inconvenient in filenames. For exim - you need to single quote IPv6 addresses in files, because the : character is inconvenient for Exim - it’s a separator.


#18

Not entirely sure what you mean here, the Failed Message bounce is correct, no? I do know that any sender that is hitting my firewall blocks won’t get a reply, but it is somewhat strange that exim4 is rejecting receipt and sending it back. I would prefer it’s completely ignored, but that leads me down the roundcube filter path…

Edit: I’m wondering whether your “out of whack” statement is related to all my DKIM stuff? If so, then it’s unrelated as I haven’t setup all that on any vhost but my test vhost. If it isn’t, then I’m still baffled. :smiley:

IPv6 firewall rules updated, tyvm @hillside and @alphacabbage1


#19

Not if the message is being sent by you (exim).

I might be misreading but you seemed to be saying that a hit in /etc/exim4/blacklist/by_sender results in exim sending a Failed Delivery Notification – an email message – to the blocked sender.

Exim should say “go away” during the initial part of the smtp transaction (“550 Your email address or domain is locally blacklisted.”), log the incident and no more. The mailserver that’s been told to go away would usually issue a Failed Delivery Notification to its sender, quoting the 5xx error and part of the message it tried to send.

If Exim is sending a message as a result of the rejection then something is wrong.


#20

Ahhhh we are both confused, well, maybe I’m confused. But I get what you’re saying now, I just never understood how it arrived.

Basically, I saw the log message rejected receipt for each of the blocked senders, and thought to myself, “does this send a message back?”. So I added my gmail to the by_sender file, then sent an email to the server.

The server rejected the message in the way it rejected other messages, but then in gmail I saw the Mail Delivery Failed, so my immediate thought was, “Yes, it does send a reply.” without thinking any deeper on the matter, although I did look at the source and I thought it looked a bit odd, but paid no mind to it.

So you are correct, it doesn’t send replies to blacklisted senders, it’s just me playing too fast and loose.


#21

Correction on my previous posting… IPv6 addresses need to be wrapped in double quotes, and not single quotes as I said.


#22

I have now confirmed that dropping IPv6 addresses into /etc/symbiosis/firewall/blacklist.d as filenames works: the normal format of an IPv6 address, but with /64 on the end to signify a single IP.

The file needs to be created as previously noted by replacing the / (slash) with a | (pipe), however, it must be noted that you have to escape the pipe when creating the file.

Proof it works:

 Feb 12 10:26:18 account snoopy[26401]: [uid:0 sid:492 tty:(none) cwd:/ filename:/sbin/ip6tables]: /sbin/ip6tables -A blacklist --src 240a:618b:0:d1::/64 -j DROP

Oh hang on, unless that’s just me adding the rule… But no! It’s dated today and I added that rule yesterday… but scrolling up a bit revealed the truth. It’s iptables save and ip6tables save, was wondering why I had them all hitting at the same time. So, no in the end this is proof of nothing other than the rule successfully being added to ip6tables rules. Whether it actually works or not hasn’t actually been proven, but looking at the rule, it certainly looks fine to me.
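The naming rule described in #17 and #22 (top 64 bits kept, the /64 mask appended, and the “/” written as “|”), as an added example that is not Symbiosis code: a small POSIX sh helper that masks an IPv6 address to /64 and creates the blacklist.d file. The function names and the optional directory argument are mine.

```shell
#!/bin/sh
# Added example, not Symbiosis code: build the blacklist.d filename for an
# IPv6 address as the thread describes. Group values are kept as written (no
# zero padding), matching the "240a:618b:0:d1::/64" rule in the ip6tables log.

# Print the first four 16-bit groups of an IPv6 address, joined by ":".
# The "::" shorthand is expanded before the groups are counted.
ipv6_top64() {
    addr=$1
    case $addr in
        *::*) left=${addr%%::*}; right=${addr#*::} ;;
        *)    left=$addr;        right="" ;;
    esac
    oldifs=$IFS
    IFS=:
    set -- $left
    nleft=$#
    groups="$*"
    set -- $right
    nright=$#
    rgroups="$*"
    IFS=$oldifs
    # Re-insert the zero groups that "::" stands for.
    fill=$((8 - nleft - nright))
    while [ "$fill" -gt 0 ]; do
        groups="${groups:+$groups:}0"
        fill=$((fill - 1))
    done
    [ -n "$rgroups" ] && groups="${groups:+$groups:}$rgroups"
    # Keep only the first four groups: the /64 network part.
    IFS=:
    set -- $groups
    IFS=$oldifs
    printf '%s:%s:%s:%s' "$1" "$2" "$3" "$4"
}

# Filename used in /etc/symbiosis/firewall/blacklist.d: "<prefix>::|64".
blacklist_filename() {
    printf '%s::|64' "$(ipv6_top64 "$1")"
}

# Create the entry. Quoting the path is what "escaping the pipe" amounts to;
# the optional directory argument lets you try it against a scratch directory.
blacklist_ipv6() {
    dir=${2:-/etc/symbiosis/firewall/blacklist.d}
    name=$(blacklist_filename "$1")
    : > "$dir/$name"
    printf '%s\n' "$dir/$name"
}
```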


#23

At the time, I was unclear whether you were adding files to /etc/symbiosis/firewall/blacklist.d, or adding direct IP addresses into one of the Exim blacklist files. My comments refer to adding IPv6 addresses to the latter.


#24

Should work too, no problem having multiple options available, I haven’t even looked at the Exim blacklist files, but I’ll be sure to take a peek.


#25

Also if the file ends in .auto it’s likely to have been added by a patterns rule. If you place a file in the blacklist.d directory, iptables is updated pretty instantly I’ve found.

And it will rebuild its tables every 15 minutes, so the logs will show that happening.


#26

Oh it definitely shows it in the logs, over and over, every time I touch a file into there the firewall is pretty much immediately updated, which ofc makes it difficult to c&p IP addresses when it’s scrolling by so fast. :smiley:

Cracked it though, just banning SSH attackers at the moment. Eventually I’ll move onto fail2ban but for now, if I can just reduce the hits per day a little, then maybe I’ll have time to introduce further changes.


#27

Try
tail -f logfile | less

or better

tail -f logfile | grep --line-buffered SSH | less

where SSH is something on the line you are looking for.

If you have a restricted set of people using SSH, then you can get sshd to listen on some other random port and switch to using that for access. Once it’s working, you can then ban access to port 22. This goes some way to just keeping the script kiddies out. You can always get in using the console if this goes wrong and you find yourself locked out.


#28

I’m on managed, so I’ve been advised by support that it’s not a great idea to move the port. I did do some usual SSH hardening, but that just locked support out of the server.

I’m live tailing the files, but I’m also watching for other stuff, I often grep too, but I’ve never tried grepping a live tail… Thanks for the tips.


Talking of zgrepping and grepping, here’s a quick bit of bash for those hunting down blacklisteds:

zgrep 'blacklisted by zen' /var/log/exim4/mainlog* | grep '2019-02-15' | wc -l

Will get you a blacklisted count for each day, very useful to see if you get anywhere near the Spamhaus daily limit (I don’t, thankfully).
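Building on the zgrep above, an added example that is not the poster’s own command: a POSIX sh function that gives the count for every day in one pass over the live and rotated mainlogs, plus the busiest day for comparing against a daily limit. The function names are mine, and the sample log lines are constructed, not real traffic; the only assumption is that mainlog lines start with “YYYY-MM-DD HH:MM:SS”.

```shell
#!/bin/sh
# Added example, not from the thread: per-day counts of "blacklisted by zen"
# rejections across the current and rotated Exim mainlogs in one pass,
# instead of one zgrep per date.

# Usage: rbl_daily_counts PATTERN LOGFILE...  ->  "YYYY-MM-DD count" per day
rbl_daily_counts() {
    pattern=$1; shift
    for f in "$@"; do
        case $f in
            *.gz) gzip -dc "$f" ;;   # rotated logs are gzipped
            *)    cat "$f" ;;
        esac
    done | grep -- "$pattern" \
         | awk '{ n[$1]++ } END { for (d in n) print d, n[d] }' \
         | sort
}

# Busiest day, for comparing against a daily query limit.
rbl_busiest_day() {
    rbl_daily_counts "$@" | sort -k2,2nr | head -n 1
}

# Write constructed sample logs (not real traffic) into a scratch directory
# and print its path; the second "mainlog" line is a normal delivery.
rbl_sample_logs() {
    tmp=$(mktemp -d)
    cat > "$tmp/mainlog.1" <<'EOF'
2019-02-14 08:01:02 H=(mx.example.invalid) [192.0.2.10] F=<a@example.invalid> rejected RCPT <u@example.org>: blacklisted by zen.spamhaus.org
EOF
    cat > "$tmp/mainlog" <<'EOF'
2019-02-15 09:00:00 H=(mx.example.invalid) [192.0.2.11] F=<b@example.invalid> rejected RCPT <u@example.org>: blacklisted by zen.spamhaus.org
2019-02-15 09:10:00 1gukXd-0001xy-Ab <= c@example.invalid H=(mx2.example.invalid) [192.0.2.12] P=esmtp S=1234
2019-02-15 09:20:00 H=(mx.example.invalid) [192.0.2.13] F=<d@example.invalid> rejected RCPT <u@example.org>: blacklisted by zen.spamhaus.org
EOF
    printf '%s\n' "$tmp"
}

d=$(rbl_sample_logs)
rbl_daily_counts 'blacklisted by zen' "$d/mainlog" "$d/mainlog.1"   # 2019-02-14 1 / 2019-02-15 2
rm -rf "$d"
```

On a live server the call is the same with /var/log/exim4/mainlog* in place of the sample files.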


#29

Just for info., no daily counts but the rblinfo script born in Email defences; additional DNS RBL outputs this type of thing…

admin@vm1:/etc/exim4$ /srv/.all-sites/utils/rblinfo

   17 rbl services configured (non-spamhaus might 'tag')
   12 rbl services show log rejection messages

  service                         sites     rejections
--------------------------------------------------------
  zen.spamhaus.org                   31            693
  hostkarma.junkemailfilter.com      14             46
  all.s5h.net                        14             44
  b.barracudacentral.org             20             35
  all.spamrats.com                   13              8
  dbl.spamhaus.org                   20              6
  multi.uribl.com                    20              5
  truncate.gbudb.net                 20              5
  ubl.unsubscore.com                 16              5
  dnsbl.dronebl.org                  14              4
  all.bl.blocklist.de                16              1
  bl.spamcop.net                     16              1
  bl.mailspike.net                   18              0
  rhsbl.sorbs.net                    12              0
  dyna.spamrats.com                   5              0
  noptr.spamrats.com                  5              0
  dnsbl.sorbs.net                     1              0
  TOTAL                               -            853
--------------------------------------------------------
  spamassassin                       31             10
  clamav                             31             74
--------------------------------------------------------
  v20180729 : ~0.16s

It also counts ‘local’ rejections if /etc/exim/blacklist/by_sender exists.

At least one person managed to break it (blank output) but I never found out how.


#30

Definitely gonna have to play with that (Next week - before I break the server over the weekend again).

I looked in that thread a number of times and that script always added to my confusion, but now, you have eased that confusion.


#31

If you come back as @angrybanana I’ll delete it. :grinning:


#32

lol, easy now fella. :smiley:

Wouldn’t it be angrytomato or angryredpepper anyway?


#33

:slight_smile: Yes or some would say ‘angryblue’ but in my defence, I was being flippant.