Re: [Exim] Question about rbl and host_accept_relay handling

Top Page
Delete this message
Reply to this message
Author: ml
Date:  
To: exim-users
CC: Bjoern Metzdorf
Subject: Re: [Exim] Question about rbl and host_accept_relay handling
At 23:52 27/09/01 +0200, you wrote:
>Hi there,
>
>today we got hit by a spam attack, which to my surprise was successfull.
>
>Our config looked like this:
>

...
.
>1. I'm getting lots of "refused relay (host) to <my.address> (failed to find
>host name from IP address)", although my.address is a valid local address.
>This is due to removal of +warn_unknown, ok. But if I enable +warn_unknown,
>then everybody without reverse dns is able to use us as an open relay,
>because then they are valid for host_accept_relay, is this right? How can I
>configure Exim to accept mail to local domains even from unresolvable hosts?
>How can I see if a host was rejected because of no reverse lookup or not
>listed in host_accept_relay (error message seems to be the same)?
>


o. As far as I know, 
        local mail distribution doesn't need relaying !


        So you can continue to happily receive local mail even if 
                no host is allowed to relay.


Don't confuse INPUT and FORWARD (simi with network vocabulary).


For relaying (or FORWARDING), rules are :

        apply reject (not only warn) for any source host that is
                in relays list (RBL) and warn for DUL.
                RBL lists are not always correctly filled but 
                this is a "enforced" rule.


        use host_accept_relay ONLY with source IP you trust.
                avoid to list any domain or host name
                you don't personaly manage as a master nameserver.


        if your mail server is a relay for your customers or partners 


                you can use sender_host_relay but that's a good way
                to be spammed.


                it's far better using authenticated mail.



Everything else is forbidden to relay.



In conclusion, something like this :
        host_accept_relay = /etc/exim/access
        host_auth_accept_relay = *


        #One or the other
        relay_match_host_or_sender = true
        sender_address_relay = /etc/exim/sender_address_relay


These directives manage FORWARDING.

File access lists all IP addresses (or domains resolved to IP maps)
allowed to relay.
File sender_address_relay lists all mail domain or individual mail addresses
allowed to relay.

In any case, RBL always apply first except if you have /skiprelay argument.







o. It's also possible to forbid local mail if PTR doesn't exist for source IP.
That would be a good thing but there are so many IP addresses that lack PTR
record that, in this case, a lot of mails will be refused.
Not convenient for your customers.
That is the goal of host_reject or, better, host_reject_recipients.

These directives manage INPUT.

If you want to allow INPUT of mail which source IP is without PTR record you
can chose

        host_reject_recipients = +allow_unknown





o. Finally, don't allow 127.0.0.1 to relay.
As far as I know, there is no need of that to output a mail.



My 2ct.


db



>2. As many of german dialup IPs are listed in orbs, I cannot use rbl reject.
>Does Exim allow those hosts to use us as a relay if
> a) they are listed in rbl and i use rbl reject
>and
> b) they are listed in host_accept_relay


Don't use orbs anymore, but rss and osirusoft.com.

db