does anyone know much about setting up exim monitoring in mrtg?
right now I'd settle for being pointed at a reasonable guide...
Hi. I see this in my log every 10 seconds: "no host name found for IP address"
no other errors appear in the mainlog or rejectlog
so I guess this is either a misconfigured mail server or a spam/brute force bot
or even worse: a misconfigured brute force bot
it will do a "EHLO ylmf-pc", followed by an "AUTH LOGIN". Exim answers with "503 AUTH command used when not advertised" and then "421 squeeze.netwerk lost input connection"
I'd like to block this IP address but I can't figure out how...
marsje: it's always the same ip address? you could use iptables or create an ACL statement "deny"-ing this host at whatever step you want to (connection, AUTH, MAIL FROM, RCPT TO, ...) in the smtp dialog. Look through the docs, there should be an ACL condition like "hosts" or so ... I'd use that to read a file with IPs, i.e. a local sender host address blacklist.
henk: yes, always the same address
henk: I want to block it before AUTH because I'm afraid it is brute forcing passwords
henk: I tried your idea, but didn't get it to work... I'm not sure where to put it in my debian exim config
marsje: check /usr/share/doc/exim4-base/README.Debian.gz which explains how the config layout for exim works in debian
oh, it seems like the IP address has just stopped bothering me
maybe the abuse complaint helped?
henk: there are some hooks to block addresses at RCPT, but not at connect
anyway, maybe I better dive into fail2ban, as this will help block all kinds of annoying folks in different services
marsje: you could add an ACL for AUTH like this: acl_smtp_auth = acl_auth_blacklist and do stuff there ... or on connect ...
I tried something like that with acl_smtp_connect = something, but then it complained about cannot find something
need more detailed info to be able to help and I gotta go, bbl

I need to go too
thanks anyway!
