Re: [EXIM] rejections via mx

Top Page
This message is part of the following thread:
M\the complete thread tree sorted by date
MMKevin P. Fleming at <-
 
Delete this message
Reply to this message
Author: Philip Hazel
Date:  
To: Rob Lingelbach
CC: exim-users
Subject: Re: [EXIM] rejections via mx
On Fri, 20 Mar 1998, Rob Lingelbach wrote:

> I have the usual antispam measures on exim-1.82. I control one of my
> MX's but one I don't, and the one I don't has been trying to deliver
> the same message for two days now, with hundreds of the following
> filling up the exim_mainlog:
>
> 1998-03-20 15:58:05 0yGBfh-0003yh-00 rejected from mail.crl.com
> [165.113.1.22]: can't currently verify any sender in message headers
> (please try again later): return path is <85047904@???>
>
> I suppose to stop the log entry I can turn off
> headers_sender_verify_errmsg, but the retries are certainly wasting
> resources.. is there a better way to handle this?

CyberPublications.Com is one of the apparently increasing number of
domains which give SERVFAIL when you attempt to look up an MX record for
them: 

; <<>> DiG 2.1 <<>> CyberPublications.Com. mx 
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6
;; flags: qr rd ra; Ques: 1, Ans: 0, Auth: 0, Addit: 0
;; QUESTIONS:
;;      CyberPublications.Com, type = MX, class = IN


;; Total query time: 375 msec
;; FROM: taurus.cus.cam.ac.uk to SERVER: default -- 131.111.4.6
;; WHEN: Mon Mar 23 09:38:54 1998
;; MSG SIZE sent: 39 rcvd: 39

The normal resolver routines pass back a temporary error code on getting
SERVFAIL. I recently looked at this, and found that you cannot
distinguish between SERVFAIL and timeout at the level Exim is coded - in
both cases the return code is DNS_AGAIN. So Exim has to behave as it
does.

However, in the next release there is a new option called
dns_again_means_nonexist which can be set to a list of domains. If any
of them is looked up and gets DNS_AGAIN, Exim behaves as if it did not
exist. Of course this is highly dangerous - DNS timeouts are something
that do happen, but for some domains (especially those with names that
suggest they could be sources of UCE) it might be helpful. 

-- 
Philip Hazel                   University Computing Service,
ph10@???             New Museums Site, Cambridge CB2 3QG,
P.Hazel@???          England.  Phone: +44 1223 334714



--
*** Exim information can be found at http://www.exim.org/ ***


This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [EXIM] Spool directory on NFS ?Re: [EXIM] exim receives mail but fails to route to proper local mailbox->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)