Eric Renfro wrote:
> --
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hey, I'm wondering how I could get Exim4 to, by default, not allow
> non-reversable DNS entries, and also no MX entries in DNS, for all
> SMTP<->SMTP traffic, except authenticated users.
>
> After weeks of looking at why spam is marked as spam, I've pretty much figured
> that pretty much all that spam comes from non-reversable IP addresses.
>
> I'm pretty much using the default exim 4.0x ACL ruleset, but I'd rather have a
> good understanding of how to implement this additional rule, before testing
> it out live with possible failures.
1.) Very simple approach, just add
host_reject_connection = +include_unknown
to your exim configuration, but be careful, the documantation says:
<quote>
If this option is set, incoming SMTP calls from the hosts listed are
rejected as soon as the connection is made. This option is provided for
use in unusual cases. Many host will just try again. Normally, it is
better to use an ACL to reject incoming messages at a later stage, such
as after RCPT commands. See chapter 37.
</quote>
2.) the ACL way, exim provides us with
<quote>
$host_lookup_failed: This variable contains ``1'' if the message came
from a remote host and there was an attempt to look up the host's name
from its IP address, but the attempt failed. Otherwise the value of the
variable is ``0''.
</quote>
you could use this variable in an ACL (rcpt_acl) like this
deny message = Sorry, your IP could not be looked up
condition = $host_lookup_failed
The problem with this one is that it will permanent reject when you have
DNS-Problems.
3.) A verify only router would be better, as it just rejects temporary
verify_ip_lookup:
driver = redirect
condition = $host_lookup_failed
allow_defer
data = :defer: Sorry, your IP could not be looked up
verify_only
You need to enable sender or receiver verification to make this work.
But i don't know if this is a good idea at all, there are many broken
mailers out in the internet.
ciao