Re: [Exim] exim + smtp reverse dns

Top Page
Delete this message
Reply to this message
Author: Nico Erfurth
Date:  
To: Eric Renfro
CC: exim-users
Subject: Re: [Exim] exim + smtp reverse dns
Eric Renfro wrote:
> --
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hey, I'm wondering how I could get Exim4 to, by default, not allow
> non-reversable DNS entries, and also no MX entries in DNS, for all
> SMTP<->SMTP traffic, except authenticated users.
>
> After weeks of looking at why spam is marked as spam, I've pretty much figured
> that pretty much all that spam comes from non-reversable IP addresses.
>
> I'm pretty much using the default exim 4.0x ACL ruleset, but I'd rather have a
> good understanding of how to implement this additional rule, before testing
> it out live with possible failures.


1.) Very simple approach, just add
host_reject_connection = +include_unknown
to your exim configuration, but be careful, the documantation says:
<quote>
If this option is set, incoming SMTP calls from the hosts listed are
rejected as soon as the connection is made. This option is provided for
use in unusual cases. Many host will just try again. Normally, it is
better to use an ACL to reject incoming messages at a later stage, such
as after RCPT commands. See chapter 37.
</quote>

2.) the ACL way, exim provides us with
<quote>
$host_lookup_failed: This variable contains ``1'' if the message came
from a remote host and there was an attempt to look up the host's name
from its IP address, but the attempt failed. Otherwise the value of the
variable is ``0''.
</quote>
you could use this variable in an ACL (rcpt_acl) like this

deny message = Sorry, your IP could not be looked up
      condition = $host_lookup_failed


The problem with this one is that it will permanent reject when you have
DNS-Problems.


3.) A verify only router would be better, as it just rejects temporary

verify_ip_lookup:
driver = redirect
condition = $host_lookup_failed
allow_defer
data = :defer: Sorry, your IP could not be looked up
verify_only

You need to enable sender or receiver verification to make this work.


But i don't know if this is a good idea at all, there are many broken
mailers out in the internet.


ciao