Sub OnHELO(oClient) progress?


Sub OnHELO(oClient) progress?

Postby SorenR » 2016-08-10 18:11

Well... Not sure how this is progressing so...

Moved my personal changes forward from 5.4.2-B1964 to 5.6.5-B2367. Those of you with programming genes know how to work this file. Not a Git-Geek - did SVN back in the day, worked mostly on 'nix, thus the "diff" ;-)

Pitfalls (YES, there are...) If you assign ANY value to "Result.Value" in "Sub OnHELO(oClient)" the server WILL crash. Here, I've said it, be warned!


diff -bur Z:\hMailServer-5.6.5\B2367/ScriptServer.cpp Z:\hMailServer-5.6.5\B2367.1/ScriptServer.cpp
--- Z:\hMailServer-5.6.5\B2367/ScriptServer.cpp   2016-05-24 13:12:26.000000000 +0200
+++ Z:\hMailServer-5.6.5\B2367.1/ScriptServer.cpp   2016-08-10 13:38:00.999999900 +0200
@@ -29,7 +29,8 @@
       has_on_error_(false),
       has_on_delivery_failed_(false),
       has_on_external_account_download_(false),
-      has_on_smtpdata_(false)
+      has_on_smtpdata_(false),
+      has_on_helo_(false)
    {
       
    }
@@ -97,6 +98,7 @@
          has_on_delivery_failed_ = DoesFunctionExist_("OnDeliveryFailed");
          has_on_external_account_download_ = DoesFunctionExist_("OnExternalAccountDownload");
          has_on_smtpdata_ = DoesFunctionExist_("OnSMTPData");
+         has_on_helo_ = DoesFunctionExist_("OnHELO");
 
       }
       catch (...)
@@ -251,6 +253,12 @@
             return;
          break;
 
+      case EventOnHELO:
+            event_name_ = _T("OnHELO");
+            if (!has_on_helo_)
+            return;
+         break;
+
       case EventCustom:
          break;
       default:
diff -bur Z:\hMailServer-5.6.5\B2367/ScriptServer.h Z:\hMailServer-5.6.5\B2367.1/ScriptServer.h
--- Z:\hMailServer-5.6.5\B2367/ScriptServer.h   2016-05-24 13:12:26.000000000 +0200
+++ Z:\hMailServer-5.6.5\B2367.1/ScriptServer.h   2016-08-10 13:02:02.999999900 +0200
@@ -28,6 +28,7 @@
         
          EventOnExternalAccountDownload = 1011,
          EventOnSMTPData = 1012,
+         EventOnHELO = 1013,
       };
 
       ScriptServer(void);
@@ -64,6 +65,7 @@
       bool has_on_delivery_failed_;
       bool has_on_external_account_download_;
       bool has_on_smtpdata_;
+      bool has_on_helo_;
 
       String script_contents_;
       String script_extension_;
diff -bur Z:\hMailServer-5.6.5\B2367/SMTPConnection.cpp Z:\hMailServer-5.6.5\B2367.1/SMTPConnection.cpp
--- Z:\hMailServer-5.6.5\B2367/SMTPConnection.cpp   2016-05-24 13:12:26.000000000 +0200
+++ Z:\hMailServer-5.6.5\B2367.1/SMTPConnection.cpp   2016-08-10 13:30:54.999999900 +0200
@@ -1513,6 +1513,51 @@
          return;
       }
 
+      //
+      // Event OnHELO
+      //
+      if (Configuration::Instance()->GetUseScriptServer())
+      {
+         std::shared_ptr<ScriptObjectContainer> pContainer = std::shared_ptr<ScriptObjectContainer>(new ScriptObjectContainer);
+         std::shared_ptr<Result> pResult = std::shared_ptr<Result>(new Result);
+         std::shared_ptr<ClientInfo> pClientInfo = std::shared_ptr<ClientInfo>(new ClientInfo);
+
+         pClientInfo->SetIPAddress(GetIPAddressString());
+         pClientInfo->SetPort(GetLocalEndpointPort());
+         pClientInfo->SetHELO(helo_host_);
+
+         pContainer->AddObject("HMAILSERVER_CLIENT", pClientInfo, ScriptObject::OTClient);
+         pContainer->AddObject("Result", pResult, ScriptObject::OTResult);
+
+         String sEventCaller = "OnHELO(HMAILSERVER_CLIENT)";
+         ScriptServer::Instance()->FireEvent(ScriptServer::EventOnHELO, sEventCaller, pContainer);
+
+         switch (pResult->GetValue())
+         {
+            case 1:
+            {
+               String sErrorMessage = "554 Rejected";
+               EnqueueWrite_(sErrorMessage);
+               LogAwstatsMessageRejected_();
+               return;
+            }
+            case 2:
+            {
+               String sErrorMessage = "554 " + pResult->GetMessage();
+               EnqueueWrite_(sErrorMessage);
+               LogAwstatsMessageRejected_();
+               return;
+            }
+            case 3:
+            {
+               String sErrorMessage = "453 " + pResult->GetMessage();
+               EnqueueWrite_(sErrorMessage);
+               LogAwstatsMessageRejected_();
+               return;
+            }
+         }
+      }
+
       SendEHLOKeywords_();
 
       if (current_state_ == INITIAL)
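Review bot: The OnHELO block added here is repeated verbatim in the next hunk of this file (the HELO path at +1576), so any later fix to the reply codes or the result handling has to be made twice. Move it into one private helper, say `bool RunOnHELOEvent_()` that fires the event and returns false after enqueuing the rejection, and reduce both call sites to `if (!RunOnHELOEvent_()) return;` placed just before `SendEHLOKeywords_()` and `EnqueueWrite_("250 Hello.")`. Inside that helper, `pResult->GetMessage()` is appended to the reply unchanged, so if a script-supplied message ever carried a CR or LF it would go out as part of the reply line; stripping line breaks before `EnqueueWrite_` keeps the reply well-formed. Note also that after a 554 the code returns without closing the session or changing state, so the peer can simply issue another HELO/EHLO and re-run the script each time — if a permanent rejection is meant to end the session, that decision belongs in the helper too. The enclosing function starts and ends outside the hunk.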
@@ -1531,6 +1576,51 @@
          return;
       }
 
+      //
+      // Event OnHELO
+      //
+      if (Configuration::Instance()->GetUseScriptServer())
+      {
+         std::shared_ptr<ScriptObjectContainer> pContainer = std::shared_ptr<ScriptObjectContainer>(new ScriptObjectContainer);
+         std::shared_ptr<Result> pResult = std::shared_ptr<Result>(new Result);
+         std::shared_ptr<ClientInfo> pClientInfo = std::shared_ptr<ClientInfo>(new ClientInfo);
+
+         pClientInfo->SetIPAddress(GetIPAddressString());
+         pClientInfo->SetPort(GetLocalEndpointPort());
+         pClientInfo->SetHELO(helo_host_);
+
+         pContainer->AddObject("HMAILSERVER_CLIENT", pClientInfo, ScriptObject::OTClient);
+         pContainer->AddObject("Result", pResult, ScriptObject::OTResult);
+
+         String sEventCaller = "OnHELO(HMAILSERVER_CLIENT)";
+         ScriptServer::Instance()->FireEvent(ScriptServer::EventOnHELO, sEventCaller, pContainer);
+
+         switch (pResult->GetValue())
+         {
+            case 1:
+            {
+               String sErrorMessage = "554 Rejected";
+               EnqueueWrite_(sErrorMessage);
+               LogAwstatsMessageRejected_();
+               return;
+            }
+            case 2:
+            {
+               String sErrorMessage = "554 " + pResult->GetMessage();
+               EnqueueWrite_(sErrorMessage);
+               LogAwstatsMessageRejected_();
+               return;
+            }
+            case 3:
+            {
+               String sErrorMessage = "453 " + pResult->GetMessage();
+               EnqueueWrite_(sErrorMessage);
+               LogAwstatsMessageRejected_();
+               return;
+            }
+         }
+      }
+
       EnqueueWrite_("250 Hello.");
 
       if (current_state_ == INITIAL)
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.


Re: Sub OnHELO(oClient) progress?

Postby RvdH » 2016-08-10 19:29

Thanks, now I get it... the last changes should have been inside SMTPConnection.cpp and not in ScriptServer.cpp as documented here
DNSBL Lookup: d-fault.nl/DNSBLLookup
DNS Lookup: d-fault.nl/DNSTools
CIDR to RegEx: d-fault.nl/CIDRtoRegEx


Re: Sub OnHELO(oClient) progress?

Postby SorenR » 2016-08-10 19:54

RvdH wrote:Thanks, now i get it...last changes should have been inside SMTPConnection.cpp and not in ScriptServer.cpp as documented here

Oops... :oops: :mrgreen:
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.


Re: Sub OnHELO(oClient) progress?

Postby SorenR » 2016-08-11 17:47

Hmm... There has been a development... Something works when it really should not :mrgreen:

When I initially made this for my 5.4.2 I could not use "Result.Value" and "Result.Message" as the server would crash ... :roll:

When I ported my changes to a fresh 5.6.5-B2367 I assumed (I know... Assumption Is The Mother Of All Fuckups!) it would behave the same way but I left the code in there. Well, just played a bit with it - no errors!


"DEBUG"   868   "2016-08-11 17:30:02.649"   "Executing event OnHELO"
"DEBUG"   868   "2016-08-11 17:30:02.649"   "Event completed"
"SMTPD"   868   166   "2016-08-11 17:30:02.649"   "127.0.0.1"   "SENT: 554 Whooa... Whaz' up?"



   Sub OnHELO(oClient)
      Result.Message = "Whooa... Whaz' up?"
      Result.Value = 2
   End Sub


If someone wants to try it out I have a fresh compiled 5.6.5-B2367.1 "hMailServer.exe" on my webserver...
http://www.lolle.org/images/hmailserver/hmailserver.rar
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.


Re: Sub OnHELO(oClient) progress?

Postby jimimaseye » 2016-08-11 21:51

Thanks soren. I'm currently away on hols but when I get back to it I will be more than happy to test/use it. Will you keep the link available for some weeks?
Without work, with family, and grateful for any thought or consideration of help.
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, 5.7 B2411 on test
Clamwin as Clamd service + sane defs https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829


Re: Sub OnHELO(oClient) progress?

Postby SorenR » 2016-08-11 23:03

jimimaseye wrote:Thanks soren. I'm currently away on hols but when I get back to it I will be more than happy to test/use it. Will you keep the link available for some weeks?

If not, you have my email :wink:
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.


Re: Sub OnHELO(oClient) progress?

Postby jimimaseye » 2016-08-12 00:01

Out of interest is it an Install package or will it be a straight manual hmailserver.exe service program swapout (to replace the official one currently installed in the program directory)?
Without work, with family, and grateful for any thought or consideration of help.
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, 5.7 B2411 on test
Clamwin as Clamd service + sane defs https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829


Re: Sub OnHELO(oClient) progress?

Postby SorenR » 2016-08-12 10:30

Manual swap.
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.


Re: Sub OnHELO(oClient) progress?

Postby RvdH » 2016-08-13 15:00

Works like a charm!

"TCPIP" 7048 "2016-08-13 14:56:39.506" "TCP - 213.131.38.246 connected to *.*.*.*:25."
"SMTPD" 7048 55166 "2016-08-13 14:56:39.506" "213.131.38.246" "SENT: 220 mail.domain.com ESMTP"
"SMTPD" 7748 55166 "2016-08-13 14:56:39.584" "213.131.38.246" "RECEIVED: EHLO ylmf-pc"
"SMTPD" 7748 55166 "2016-08-13 14:56:39.599" "213.131.38.246" "SENT: 554 Back off!"
"TCPIP" 7048 "2016-08-13 14:56:48.803" "TCP - 213.131.38.246 connected to *.*.*.*:25."
"SMTPD" 7048 55167 "2016-08-13 14:56:48.803" "213.131.38.246" "SENT: 220 mail.domain.com ESMTP"
"SMTPD" 6420 55167 "2016-08-13 14:56:48.897" "213.131.38.246" "RECEIVED: EHLO ylmf-pc"
"SMTPD" 6420 55167 "2016-08-13 14:56:48.913" "213.131.38.246" "SENT: 554 Back off!"


DNSBL Lookup: d-fault.nl/DNSBLLookup
DNS Lookup: d-fault.nl/DNSTools
CIDR to RegEx: d-fault.nl/CIDRtoRegEx


Re: Sub OnHELO(oClient) progress?

Postby SorenR » 2016-08-13 17:54

He he ;—)
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.


Re: Sub OnHELO(oClient) progress?

Postby RvdH » 2016-08-13 18:06

I have been fiddling around with your AddGreyList Sub inside OnHELO(oClient) event in EventHandlers.vbs

With the changes below it verifies the IP against the domain's published SPF IP ranges and should stop faked HELO/EHLO names from being whitelisted


   Sub OnHELO(oClient)
      ' HELO/EHLO hook: skip the checks for two trusted address ranges, slow
      ' down port-25 sessions, then hand well-known provider host names to
      ' AddGreyList (defined in a later listing) for an IP-range check.
      ' Both prefixes are exactly 10 characters, so Left(..., 10) is an exact
      ' prefix match here; a prefix of another length needs its own count.
      If (Left(oClient.IPAddress, 10) = "192.168.0.") Then Exit Sub
      If (Left(oClient.IPAddress, 10) = "80.160.77.") Then Exit Sub
      ' Wait() is not a VBScript builtin - presumably a helper elsewhere in
      ' EventHandlers.vbs that delays the session; confirm what 20 means there.
      If (oClient.Port = 25) Then Wait(20)

      Dim oRegEx
      Set oRegEx = CreateObject("VBScript.RegExp")
      oRegEx.IgnoreCase = True
      oRegEx.Global = False

      ' Case-insensitive match of the HELO name against the outbound host-name
      ' shapes of a few large providers; only a match reaches AddGreyList,
      ' which then checks whether the connecting IP belongs to that provider.
      oRegEx.Pattern= "^([a-z]+[0-9]{2}\-[a-z]{2}[0-9]\-)(obe\.outbound\.protection\.outlook\.com)$|" &_
                  "^(mail\-[a-z]{2}[0-9]\-f[0-9]{1,3})(\.google\.com)$|" &_
                  "^(mail[a-z]\-[a-z]{2})(\.linkedin\.com)$|" &_
                  "^(mx\-out\.facebook\.com)$|" &_
                  "^(mail[a-z]{1}\-[a-z]{2})(\.linkedin\.com)$|" &_
                  "^(spruce\-goose\-[a-z]{2}|spring\-chicken\-[a-z]{2})(\.twitter\.com)$|" &_
                  "^([a-z]{3}[\d]{3}\-[a-z]{2,3}[\d]{1}[a-z]{1}[\d]{1,2})(\.hotmail\.com)$"
                  
      If oRegEx.Test(oClient.HELO) Then Call AddGreyList(oClient.IPAddress, oClient.HELO)

      ' (rest of the handler elided by the author)
      ...

      ' NOTE(review): the trailing "." after Nothing is a paste error; the
      ' statement ends at Nothing.
      Set oRegEx = Nothing.
   End Sub



Function getDomainName(byVal strHELO)
   ' Reduce a HELO host name to its last two labels, e.g.
   ' "mail-xx1-f23.google.com" -> "google.com"; returns "" when the name is
   ' empty or has fewer than two dot-separated labels. The labels are not
   ' validated (a trailing dot yields an empty top-level label).
   Dim aryLabels, intLast
   getDomainName = ""
   If Len(strHELO) = 0 Then Exit Function
   aryLabels = Split(strHELO, ".")
   intLast = UBound(aryLabels)
   If intLast < 1 Then Exit Function
   getDomainName = aryLabels(intLast - 1) & "." & aryLabels(intLast)
End Function



Sub AddGreyList(ByVal strIP, ByVal strHELO)
   ' Check the connecting IP (strIP) against the published outbound ranges of
   ' the provider named by the HELO host (strHELO); what happens on a match is
   ' in the part of the listing the author elided below ("....").
   ' The ranges are hand-expanded CIDR blocks written as regex alternations,
   ' so they go stale; the comments give the source page and, for outlook.com,
   ' the date they were copied.
 
   Dim oRegEx
   Set oRegEx = CreateObject("VBScript.RegExp")
   oRegEx.IgnoreCase = True
   oRegEx.Global = False
   
   ' Dispatch on the last two labels of the HELO name (getDomainName is in
   ' the listing above); anything else falls to Case Else.
   Select Case getDomainName(strHELO)
   
   case "hotmail.com"
      ' https://mail.live.com/mail/ipspace.aspx
      oRegEx.Pattern= "^65\.54\.190\.([0-9]|[1-5][0-9]|6[0-3])$|" &_
                  "^65\.54\.190\.(6[4-9]|[7-9][0-9]|1([0-1][0-9]|2[0-7]))$|" &_
                  "^65\.54\.190\.(1(2[8-9]|[3-8][0-9]|9[0-1]))$|" &_
                  "^65\.54\.190\.(1(9[2-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^65\.55\.116\.([0-9]|[1-5][0-9]|6[0-3])$|" &_
                  "^65\.55\.111\.(6[4-9]|[7-9][0-9]|1([0-1][0-9]|2[0-7]))$|" &_
                  "^65\.55\.116\.(6[4-9]|[7-9][0-9]|1([0-1][0-9]|2[0-7]))$|" &_
                  "^65\.55\.111\.(1(2[8-9]|[3-8][0-9]|9[0-1]))$|" &_
                  "^65\.55\.34\.([0-9]|[1-5][0-9]|6[0-3])$|" &_
                  "^65\.55\.34\.(6[4-9]|[7-9][0-9]|1([0-1][0-9]|2[0-7]))$|" &_
                  "^65\.55\.34\.(1(2[8-9]|[3-8][0-9]|9[0-1]))$|" &_
                  "^65\.55\.34\.(1(9[2-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^65\.55\.90\.([0-9]|[1-5][0-9]|6[0-3])$|" &_
                  "^65\.55\.90\.(6[4-9]|[7-9][0-9]|1([0-1][0-9]|2[0-7]))$|" &_
                  "^65\.55\.90\.(1(2[8-9]|[3-8][0-9]|9[0-1]))$|" &_
                  "^65\.55\.90\.(1(9[2-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^65\.54\.51\.(6[4-9]|[7-9][0-9]|1([0-1][0-9]|2[0-7]))$|" &_
                  "^65\.54\.61\.(6[4-9]|[7-9][0-9]|1([0-1][0-9]|2[0-7]))$|" &_
                  "^207\.46\.66\.([0-9]|1[0-5])$|" &_
                  "^157\.55\.0\.(1(9[2-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^157\.55\.1\.(1(2[8-9]|[3-8][0-9]|9[0-1]))$|" &_
                  "^157\.55\.2\.([0-9]|[1-5][0-9]|6[0-3])$|" &_
                  "^157\.55\.2\.(6[4-9]|[7-9][0-9]|1([0-1][0-9]|2[0-7]))$"
   case "outlook.com"   
      ' https://technet.microsoft.com/en-us/library/dn163583(v=exchg.150).aspx (2016-06-24)
      oRegEx.Pattern= "^23\.103\.(1(3[2-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^23\.103\.(1(3[6-9]|4[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^23\.103\.(1(4[4-9]|5[0-9]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^23\.103\.(1(9[8-9]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^23\.103\.(2(0[0-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^40\.(9[2-5])\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^40\.107\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^65\.55\.88\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^65\.55\.169\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^94\.245\.120\.(6[4-9]|[7-9][0-9]|1([0-1][0-9]|2[0-7]))$|" &_
                  "^104\.47\.([0-9]|[1-9][0-9]|1([0-1][0-9]|2[0-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^134\.170\.101\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^134\.170\.140\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^134\.170\.171\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^157\.55\.133\.([0-9]|[1-9][0-9]|1([0-1][0-9]|2[0-7]))$|" &_
                  "^157\.56\.87\.(1(9[2-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^157\.56\.(1(1[0-1]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^157\.56\.112\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^157\.56\.116\.([0-9]|[1-9][0-9]|1([0-1][0-9]|2[0-7]))$|" &_
                  "^157\.56\.120\.([0-9]|[1-9][0-9]|1([0-1][0-9]|2[0-7]))$|" &_
                  "^207\.46\.51\.(6[4-9]|[7-9][0-9]|1([0-1][0-9]|2[0-7]))$|" &_
                  "^207\.46\.100\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^207\.46\.108\.([0-9]|[1-9][0-9]|1([0-1][0-9]|2[0-7]))$|" &_
                  "^207\.46\.163\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^213\.199\.154\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^213\.199\.180\.(1(2[8-9]|[3-8][0-9]|9[0-1]))$|" &_
                  "^216\.32\.(1(8[0-1]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$"
   case "twitter.com"   
      oRegEx.Pattern= "^199\.16\.(1(5[6-9]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^199\.59\.(1(4[8-9]|5[0-1]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^8\.25\.(1(9[4-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^8\.25\.(1(9[6-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^204\.92\.114\.203$|^204\.92\.114\.(2(0[4-5]))$|^23\.21\.83\.90$"
   case "facebook.com"   
      oRegEx.Pattern= "^69\.63\.179\.25$|^66\.220\.159\.18$|" &_
                  "^69\.63\.178\.(1(2[8-9]|[3-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^69\.63\.184\.([0-9]|[1-9][0-9]|1([0-1][0-9]|2[0-7]))$|" &_
                  "^66\.220\.144\.(1(2[8-9]|[3-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^66\.220\.155\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^69\.171\.232\.([0-9]|[1-9][0-9]|1([0-1][0-9]|2[0-7]))$|" &_
                  "^69\.171\.232\.(1(2[8-9]|[3-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^66\.220\.157\.([0-9]|[1-9][0-9]|1([0-1][0-9]|2[0-7]))$|" &_
                  "^69\.171\.244\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$"         
   case "linkedin.com"   
      oRegEx.Pattern= "^199\.101\.162\.([0-9]|[1-9][0-9]|1([0-1][0-9]|2[0-7]))$|" &_
                  "^108\.174\.3\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^108\.174\.6\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^216\.136\.162\.65$|^199\.101\.161\.130$"
   case "google.com"   
      ' https://support.google.com/a/answer/60764?hl=en
      oRegEx.Pattern= "^64\.18\.([0-9]|1[0-5])\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^64\.233\.(1([6-8][0-9]|9[0-1]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^66\.102\.([0-9]|1[0-5])\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^66\.249\.(8[0-9]|9[0-5])\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^72\.14\.(1(9[2-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^74\.125\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^108\.177\.([8-9]|1[0-5])\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^173\.194\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^207\.126\.(1(4[4-9]|5[0-9]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^209\.85\.(1(2[8-9]|[3-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^216\.58\.(1(9[2-9])|2([0-1][0-9]|2[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^216\.239\.(3[2-9]|[4-5][0-9]|6[0-3])\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|" &_
                  "^172\.217\.([0-9]|[1-2][0-9]|3[0-1])\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$"
   Case Else
      ' No known provider: this pattern matches ANY dotted quad, so for an
      ' unlisted HELO domain every IPv4 strIP passes the test below - review
      ' whether that is the intended default.
      oRegEx.Pattern= "^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$"
   End select

   ' On a match the IP is in the provider's published range (or the domain
   ' was unlisted); the action taken is elided by the author.
   If oRegEx.Test(strIP) Then
   ....
DNSBL Lookup: d-fault.nl/DNSBLLookup
DNS Lookup: d-fault.nl/DNSTools
CIDR to RegEx: d-fault.nl/CIDRtoRegEx


Re: Sub OnHELO(oClient) progress?

Postby RvdH » 2016-09-13 15:59

Is it safe to block anything that comes from direct IP, eg: 'HELO 172.111.198.131' and/or 'HELO [172.111.198.131]'?

I have been running it for a while like below (and BAN them accordingly), and all the resulting IP-range ban entries are from questionable origins, e.g. India, Pakistan, Vietnam, China etc. etc.
I have had zero false entries so far



      ' Reject HELO names that are (a) the peer's own address, optionally in
      ' brackets, (b) a bare ".tld" or anything containing "..", or (c) any name
      ' containing the listed punctuation. Result.Value = 2 makes the server
      ' send "554 " + Result.Message (see the SMTPConnection.cpp hunk above).
      ' NOTE(review): oClient.IPAddress is spliced into the pattern unescaped,
      ' so its dots match any character - the test is slightly broader than
      ' the literal address, which can only widen the reject case.
      oRegEx.Pattern = "^(\[?" & oClient.IPAddress & "\]?)$|^(\.[a-z]+)$|^(.+\.\.[a-z]+)$|([\!\@\#\$\%\^\&\*\(\)\{\}])"
      If oRegEx.Test(oClient.HELO) Then
         ' AutoBan is a helper defined elsewhere in EventHandlers.vbs; the
         ' meaning of its last two arguments is not shown here.
         Call AutoBan(oClient.IPAddress, oClient.HELO, 1, "h")
         Result.Message = "Rejected - HELO message should contain FQDN"
         Result.Value = 2
         Exit Sub
      End If
      
      ' Any bare dotted-quad HELO (bracketed or not), even one that differs
      ' from the peer address, gets the same treatment. RFC 2821 allows an
      ' address literal here, so this is a deliberate stricter-than-RFC policy.
      oRegEx.Pattern = "^(\[?(?:[0-9]{1,3}\.){3}[0-9]{1,3}\]?)$"
      If oRegEx.Test(oClient.HELO) Then
         REM local LAN IP addresses - exemption for private / loopback
         REM literals kept here but disabled, so they are rejected as well.
         ' oRegEx.Pattern = "^(\[?1((0)|(92\.168)|(72\.((1[6-9])|(2[0-9])|(3[0-1])))|(27))\..*\]?)$"
         ' If oRegEx.Test(oClient.HELO) Then
            ' Result.Value = 0
            ' Exit Sub
         ' Else   
            Call AutoBan(oClient.IPAddress, oClient.HELO, 1, "h")
            Result.Message = "Rejected - HELO message should contain FQDN"
            Result.Value = 2
            Exit Sub
         ' End If
      End If
      


http://www.linuxmagic.com/best_practice ... omain.html
http://faculty.cs.niu.edu/~rickert/cf/bad-ehlo.html
https://github.com/Exim/exim/wiki/AclHeloTricks
DNSBL Lookup: d-fault.nl/DNSBLLookup
DNS Lookup: d-fault.nl/DNSTools
CIDR to RegEx: d-fault.nl/CIDRtoRegEx


Re: Sub OnHELO(oClient) progress?

Postby SorenR » 2016-09-13 16:19

RFC 2821 (SMTP) says:
"In situations in which the SMTP client system does not have a meaningful domain name (e.g., when its address is dynamically allocated and no reverse mapping record is available), the client SHOULD send an address literal"

So... It's up to you if you want to go "above and beyond" :mrgreen:

Spammers break RFC rules all the time and if they can, so can we ... 8)
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.


Re: Sub OnHELO(oClient) progress?

Postby RvdH » 2016-09-13 16:24

Yep i noticed that line as well :wink:
in my results they are likely all spammers, considering their questionable origin... guess I'll stick with it!

BTW, the above rules only filter HELO entries on port 25, our clients all use port 587 as SMTP port (example thunderbird uses: HELO [127.0.0.1])
DNSBL Lookup: d-fault.nl/DNSBLLookup
DNS Lookup: d-fault.nl/DNSTools
CIDR to RegEx: d-fault.nl/CIDRtoRegEx


Re: Sub OnHELO(oClient) progress?

Postby SorenR » 2016-09-13 16:44

RvdH wrote:Yep i noticed that line as well :wink:
in my results it are likely all spammers, considering their questionable origin...guess i'll stick with it!

BTW, the above rules only filter HELO entries on port 25, our clients all use port 587 as SMTP port (example thunderbird uses: HELO [127.0.0.1])

Thunderbird should resolve its own address with an rDNS lookup; if it fails to do so and there IS a FQDN for the client, it must be an old bug in Thunderbird from 2009 that has resurfaced...

https://bugzilla.mozilla.org/show_bug.cgi?id=279525
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.


Re: Sub OnHELO(oClient) progress?

Postby RvdH » 2016-09-14 15:03

This all got me thinking and makes me wonder if something like a OnAUTH(oClient) event handler could be useful for scripting, eg:

Return String Username
Return Boolean IsAuthenticated
DNSBL Lookup: d-fault.nl/DNSBLLookup
DNS Lookup: d-fault.nl/DNSTools
CIDR to RegEx: d-fault.nl/CIDRtoRegEx


Re: Sub OnHELO(oClient) progress?

Postby SorenR » 2016-09-14 17:34

RvdH wrote:This all got me thinking and makes me wonder if something like a OnAUTH(oClient) event handler could be useful for scripting, eg:

Return String Username
Return Boolean IsAuthenticated

Hmm... oClient only has 4 members: HELO, IPAddress, Port and Username...

Perhaps two events?

OnAUTH(oClient) and OnAUTHFailed(oClient, sReason)
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.


Re: Sub OnHELO(oClient) progress?

Postby RvdH » 2016-09-14 17:41

SorenR wrote:
RvdH wrote:This all got me thinking and makes me wonder if something like a OnAUTH(oClient) event handler could be useful for scripting, eg:

Return String Username
Return Boolean IsAuthenticated

Hmm... oClient only have 4 members; HELO, IPAddress, Port and Username...

Perhaps two events?

OnAUTH(oClient) and OnAUTHFailed(oClient, sReason)



Add a member to oClient? :)

Anyway, i'm trying to build something on my dev box...without much luck until now :)
DNSBL Lookup: d-fault.nl/DNSBLLookup
DNS Lookup: d-fault.nl/DNSTools
CIDR to RegEx: d-fault.nl/CIDRtoRegEx


Re: Sub OnHELO(oClient) progress?

Postby RvdH » 2016-09-16 16:01

Anyone can give me some pointers where to add oClient methods?
So far I have found these items in: InterfaceClient.h, InterfaceClient.cpp, ClientInfo.h, ClientInfo.cpp

Still trying to get something like oClient.Authenticated Boolean value and/or oClient.STARTTLS Boolean value as requested here
DNSBL Lookup: d-fault.nl/DNSBLLookup
DNS Lookup: d-fault.nl/DNSTools
CIDR to RegEx: d-fault.nl/CIDRtoRegEx


Re: Sub OnHELO(oClient) progress?

Postby RvdH » 2016-10-21 14:05

For the enthusiasts...

hMailServer 5.6.6-B2383.3

It contains these 3 fixes
  • Supports Sub OnHELO(oClient) event, issue #153
  • Fixed Incorrect DEBUG logging for event 'OnDeliverMessage', issue #181
  • Include HTMLBody into IMAP TEXT search, pull #193

5.6.6-B2383.3.7z
DNSBL Lookup: d-fault.nl/DNSBLLookup
DNS Lookup: d-fault.nl/DNSTools
CIDR to RegEx: d-fault.nl/CIDRtoRegEx


Re: Sub OnHELO(oClient) progress?

Postby RvdH » 2016-12-13 18:11

5.6.6-B2383.6

it contains the previous fixes from 5.6.6-B2383.3, plus:

  • Fixed implicit conversion: "int" to "unsigned char" pull #204
  • Faulty: SMTP 'Disconnect client after too many invalid commands' pull issue #160
  • SMTP server error "550 Unsupported ESMTP extension" on MAIL FROM:... AUTH=<> [with fix] issue #164

5.6.6-B2383.6.7z
DNSBL Lookup: d-fault.nl/DNSBLLookup
DNS Lookup: d-fault.nl/DNSTools
CIDR to RegEx: d-fault.nl/CIDRtoRegEx


Re: Sub OnHELO(oClient) progress?

Postby RvdH » 2017-01-18 16:49

5.6.6-B2383.7

it contains the previous fixes from 5.6.6-B2383.6, plus:

  • Removed warning if backup was more than 1,5GB and 15GB limit. There's no longer a recommended max-size - the time will vary with the installation size. issue #69

5.6.6-B2383.7.7z


Beta builds:

5.6.7-B2405.6

  • Supports Sub OnHELO(oClient) event, issue #153
  • Fixed Incorrect DEBUG logging for event 'OnDeliverMessage', issue #181
  • Include HTMLBody into IMAP TEXT search, pull #193
  • Fixed implicit conversion: "int" to "unsigned char" pull #204
  • Faulty: SMTP 'Disconnect client after too many invalid commands' pull issue #160
  • SMTP server error "550 Unsupported ESMTP extension" on MAIL FROM:... AUTH=<> [with fix] issue #164

5.6.7-B2405.6.7z

5.6.7-B2405.7

it contains the previous fixes from 5.6.7-B2405.6, plus:

  • Removed warning if backup was more than 1,5GB and 15GB limit. There's no longer a recommended max-size - the time will vary with the installation size. issue #69

5.6.7-B2405.7.7z
DNSBL Lookup: d-fault.nl/DNSBLLookup
DNS Lookup: d-fault.nl/DNSTools
CIDR to RegEx: d-fault.nl/CIDRtoRegEx


Re: Sub OnHELO(oClient) progress?

Postby jimimaseye » 2017-01-18 17:19

Can you clarify something: what is the difference between 5.6.6-b2383.7 and beta (5.6.7-b2405.7) ? Because the changelog mods being shown against both seem to be the same (from 5.6.6-B2383.3). What makes them different/what am I not seeing?
Without work, with family, and grateful for any thought or consideration of help.
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, 5.7 B2411 on test
Clamwin as Clamd service + sane defs https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829


Re: Sub OnHELO(oClient) progress?

Postby RvdH » 2017-01-18 17:30

Read the beta changelog?

https://www.hmailserver.com/changelog/?version=5.6.7

But in short...

5.6.6-b2383.7 = OpenSSL 1.0.1u
5.6.7-b2405.7 = OpenSSL upgraded from 1.0.1u to 1.0.2j, Upgraded BOOST from 1.56.0 to 1.63.0, https://github.com/hmailserver/hmailserver/issues/208
DNSBL Lookup: d-fault.nl/DNSBLLookup
DNS Lookup: d-fault.nl/DNSTools
CIDR to RegEx: d-fault.nl/CIDRtoRegEx


Re: Sub OnHELO(oClient) progress?

Postby jimimaseye » 2017-01-18 17:53

Gotcha. Now I understand.

So the BETA versions are Martins genuine betas with your additions (OnHELO etc).


Re: Sub OnHELO(oClient) progress?

Postby RvdH » 2017-01-18 17:59

Exactly


Re: Sub OnHELO(oClient) progress?

Postby jimimaseye » 2017-01-18 18:11

Effectively you have brought forward many of the 5.7 fixes (closed 'issues') into the existing 5.6.6 (plus your OnHELO addition) for people to use, so they do not have to wait for Martin to release 5.7 to get them. (Just as well, as he seems to be off the boil regarding moving this project forward — it doesn't seem to be progressing at any speed; too busy with work etc., I presume.)


Re: Sub OnHELO(oClient) progress?

Postby jimimaseye » 2017-02-02 20:42

RvdH wrote:5.6.6-B2383.7

it contains the previous fixes from 5.6.6-B2383.6, plus:
.
.
.

So, Ruud, with your new found Hmailserver coding skills, whats the chances of you making this mod: https://github.com/hmailserver/hmailserver/issues/178 ?

Adding an Autoban is already in the source somewhere, DisableAUTHList is already in the source somewhere, maybe you can work out how to add the autobanning to the DisableAUTHList function?


Re: Sub OnHELO(oClient) progress?

Postby RvdH » 2017-02-08 22:25

jimimaseye wrote:
RvdH wrote:5.6.6-B2383.7

it contains the previous fixes from 5.6.6-B2383.6, plus:
.
.
.

So, Ruud, with your new found Hmailserver coding skills, whats the chances of you making this mod: https://github.com/hmailserver/hmailserver/issues/178 ?

Adding an Autoban is already in the source somewhere, DisableAUTHList is already in the source somewhere, maybe you can work out how to add the autobanning to the DisableAUTHList function?


I doubt with my "skills" this can be accomplished :wink:

At the time you posted that topic I agreed this could be useful, but now, a few months later, I have to say it seems unnecessary (at least for me): I hardly see login attempts on port 25 anymore, so it seems the abusers/attackers do learn after a while and simply give up trying. (That is an observation from one server, though — a quiet log on one host is not proof that the attempts have stopped elsewhere, and an autoban would still be cheap insurance where they continue.)


Re: Sub OnHELO(oClient) progress?

Postby RvdH » 2017-02-08 22:58

By the way, with the fixes for issue #160 the 'Authentication not enabled' error (a 504 reply) now counts toward the 'Disconnect client after too many invalid commands' counter, because SendErrorResponse_ increments that counter for every 5xx reply it sends:



      if (!GetAuthIsEnabled_())
      {
         SendErrorResponse_(504, "Authentication not enabled.");
         return;
      }



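   /// Queues a negative SMTP reply of the form "<code> <text>" for the client.
   ///
   /// Every permanent-failure reply (5xx) is additionally counted against the
   /// per-connection invalid-command budget. When "disconnect invalid clients"
   /// is enabled and the configured maximum has been exceeded, the requested
   /// reply is NOT sent; instead a 421 closing reply is queued and the
   /// connection is torn down. Any caller that hits that path therefore must
   /// not rely on its own reply text having reached the client.
   ///
   /// @param iErrorCode  three-digit SMTP reply code; only 500..599 is counted
   ///                    as an invalid command
   /// @param sResponse   human-readable reply text, without the code prefix
   void
   SMTPConnection::SendErrorResponse_(int iErrorCode, const String &sResponse)
   {
      const bool isPermanentFailure = (iErrorCode >= 500 && iErrorCode <= 599);

      if (isPermanentFailure)
      {
         cur_no_of_invalid_commands_++;

         auto config = Configuration::Instance();
         if (config->GetDisconnectInvalidClients() &&
             cur_no_of_invalid_commands_ > config->GetMaximumIncorrectCommands())
         {
            // RFC 5321 section 4.2 requires every reply line to start with a
            // three-digit code; 421 is the code for "service not available,
            // closing transmission channel". The previous bare text had no
            // code, which a strict client could fail to parse.
            EnqueueWrite_("421 Too many invalid commands. Bye!");
            pending_disconnect_ = true;
            EnqueueDisconnect();
            return;
         }
      }

      String sData;
      sData.Format(_T("%d %s"), iErrorCode, sResponse.c_str());
      EnqueueWrite_(sData);
   }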



Maybe it would be worth issuing an immediate disconnect after the 'Authentication not enabled' error, e.g. as below. Two caveats: once the invalid-command limit has already been exceeded, SendErrorResponse_ has itself queued a disconnect, so the extra EnqueueDisconnect() call here must be safe to repeat; and a legitimate client that attempts AUTH on a port where it is not offered will also be dropped after one command, which is a deliberate trade-off rather than a bug.


      if (!GetAuthIsEnabled_())
      {
         SendErrorResponse_(504, "Authentication not enabled.");
         pending_disconnect_ = true;
         EnqueueDisconnect();
         return;
      }

