Re: [Exim] Per-user dnslist exceptions

Author: Marc MERLIN
Date:  
To: Jason L Tibbitts III
CC: exim-users
Subject: Re: [Exim] Per-user dnslist exceptions
On Mon, May 06, 2002 at 03:08:55PM -0500, Jason L Tibbitts III wrote:
> I'm getting used to Exim 4.04 and am using the following bits in
> acl_check_rcpt to use DNS-based blocking lists:
>
>   deny    message       = rejected because $sender_host_address is in a block list at $dnslist_domain\n$dnslist_text
>           dnslists      = relays.osirusoft.com : bl.spamcop.net


If I may, you should not do this.
I can show you enough false positives on relays.osirusoft.com, and even more
on bl.spamcop.net (for which you're told not to use it as a DNS reject BL).
I think the only solution is to use these blacklists in conjunction with
spamassassin, where you need several factors all at the same time for the
mail to be blocked.

In the case of bl.spamcop.net:
1) I can get you listed there in no time, I can fake spams and report them
to spamcop
2) I've had innocent machines blacklisted at spamcop.net because of stupid
users who can't understand headers and why it's ok for a mailing list to
be in the received headers.

>           !hosts        = net-lsearch;/etc/exim/whitelist_ips
>           !hosts        = lsearch;/etc/exim/whitelist_hosts
>           !local_parts  = lsearch;/etc/exim/no_blocklist_users

>
>   warn    message       = X-Warning: $sender_host_address is in a block list at $dnslist_domain
>           log_message   = found in $dnslist_domain
>           dnslists      = relays.osirusoft.com

>
>   warn    message       = X-Warning: $sender_host_address is in a block list at $dnslist_domain
>           log_message   = found in $dnslist_domain
>           dnslists      = bl.spamcop.net

>
>
> First off, are the '!' marks in the first stanza in the right place?


Yep, it looks good, that's what I do too.

> Is there any way to avoid having to do the two !hosts lookups, one
> net-lsearch for IP addresses and one lsearch for the domain name?


I don't think it's a problem, you're looking for different things in
different files. If one matches, exim stops right there.

> Is it necessary to use multiple warn stanzas to get a separate
> X-Warning: header for each blocklist? It appears that the hosts in


I think so yes.

> dnslists are checked in order and the test short-circuits. Is there
> any downside to doing it this way (other than a few additional lookups
> that would have otherwise short-circuited)?


Again, running spamassassin instead would solve this problem.

> Any idea how I would go about having per-user lists of whitelisted
> hosts? I played with various ways to get $local_part into the
> filename of an lsearch but I just didn't make any progress. Or is it



Doesn't
  !hosts        = lsearch;/home/${local_part}/whitelist_hosts
work?


If not, you should be able to use "condition" to do what you want.

> better to do this in the user's filter? (I want to be able to bounce
> the message instead of dropping it on the floor, and I don't yet know
> enough about filters to know if I can do that or not.)


Once you hit system_filter, it's too late, you've accepted the mail, so you
then have to trust the return address if you want to bounce the mail.

You can do this in local_scan. I think you can trivially modify my
SpamAssassin in local_scan code to run SpamAssassin with a user preference
file for each RCPT TO, however if you have multiple recipients, then things
get sticky because you'd have to refuse the mail for some, and accept it for
others, and you have to decide whether you're returning 2xx or 5xx
http://marc.merlins.org/linux/exim/sa.html

Marc
--
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking


Home page: http://marc.merlins.org/ | Finger marc_f@??? for PGP key
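
A model of the deny stanza's decision with the per-user whitelist file added, as an example added here (not code from this thread or from Exim). It assumes IPv4 senders, lsearch-style key files, a set of names standing in for DNS answers, and a hypothetical rule that only plain account names may select a per-user file, since the local part arrives in the sender's RCPT command.

```python
import ipaddress
import re
import tempfile
from pathlib import Path

ZONES = ["relays.osirusoft.com", "bl.spamcop.net"]         # zones from the ACL above
SAFE_LOCAL_PART = re.compile(r"[a-z0-9][a-z0-9_-]{0,31}")  # assumption: plain account names

def dnsbl_query_name(ip, zone):
    """IPv4 DNSBL convention: reversed octets prepended to the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def keys(path):
    """Keys of an lsearch-style file: first token of each non-comment line."""
    if not path.is_file():
        return set()
    rows = (l.split() for l in path.read_text().splitlines() if not l.startswith("#"))
    return {r[0].rstrip(":").lower() for r in rows if r}

def per_user_file(root, local_part):
    """Per-user whitelist path, or None when the local part is not a plain name."""
    lp = local_part.lower()
    return root / "home" / lp / "whitelist_hosts" if SAFE_LOCAL_PART.fullmatch(lp) else None

def should_deny(root, ip, host, local_part, listed):
    """Deny only if the host is listed and no exception applies, in ACL order."""
    if not any(dnsbl_query_name(ip, z) in listed for z in ZONES):
        return False
    etc = root / "etc" / "exim"
    if any(ipaddress.ip_address(ip) in ipaddress.ip_network(k) for k in keys(etc / "whitelist_ips")):
        return False                       # net-lsearch: sender IP inside a listed network
    if host.lower() in keys(etc / "whitelist_hosts"):
        return False                       # lsearch on the sender host name
    if local_part.lower() in keys(etc / "no_blocklist_users"):
        return False                       # recipient opted out of blocking
    user_file = per_user_file(root, local_part)
    return not (user_file and host.lower() in keys(user_file))

def sample_tree():
    """Constructed files and listings; all addresses are documentation ranges."""
    root = Path(tempfile.mkdtemp())
    files = {"etc/exim/whitelist_ips": "198.51.100.0/24\n",
             "etc/exim/no_blocklist_users": "postmaster\n",
             "home/alice/whitelist_hosts": "# alice's exceptions\nlist.example.org\n",
             "whitelist_hosts": "list.example.org\n"}   # outside home/, must never be read
    for rel, text in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    return root, {dnsbl_query_name(ip, "bl.spamcop.net") for ip in ("192.0.2.7", "198.51.100.9")}
```

Calling `should_deny(root, "192.0.2.7", "list.example.org", "alice", listed)` with the values from `sample_tree()` returns `False`, while the same sender addressed to `bob` is denied.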