Re: [Exim] Backup MX ACL

Author: Dave C.
Date:  
To: Vincent Sweeney
CC: exim-users
Subject: Re: [Exim] Backup MX ACL
On Fri, 27 Sep 2002, Vincent Sweeney wrote:

>
> James P. Roberts wrote:
> >
> > Right. Anyone could try making me their MX, but it won't work unless I host their domain. That is, if they aren't specifically
> > listed in an appropriate ACL, Exim rejects any such mail, so it does them no good. In fact, it would be less effective as a DoS
> > attack than sending mail directly to my real address(es), because it would be bounced at SMTP time, instead of cluttering up my
> > inbox(es).
> >
> > I think, so long as you write the ACL much like the local_domains-related ACL, (i.e. reject mail to any domain you are not accepting
> > responsibility for as a secondary), you should not have a problem.
> >
> > Jim Roberts
> > Punster Productions, Inc.
>
> Well actually it *would* be in an ACL since the mail will be currently
> accepted by the rule that says "accept any mail I'm primary or backup
> for" i.e. @mx_all. I was looking to have more control by having separate
> ACLs for @mx_primary and @mx_secondary but since it does not look like
> I can lock down the destination host to an ip range I will have to
> continue accepting mail for any domain that puts my server(s) in their
> MX records.
>
> Yes this may not be a serious abuse, DoS or whatever you want to call it
> but it's definitely a "feature" I'd like to disable!


You can use dnslookups in the ACLs, and say:

"accept if I'm the MX, and the NS record is (one of your own DNS
servers)".

This way only domains *you* are the DNS for are accepted. You can of
course also list other trusted nameservers as well if you want.

>
> Vince.
>
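The check suggested in the reply above (relay as backup MX only when the domain's NS records point at nameservers you trust), sketched in Python as an added example; it is not code from the thread and not Exim configuration. The host names, the `TRUSTED_NS` set, the `accept_as_backup_mx` function and the DNS records are all constructed for illustration, and the sketch makes one policy choice of its own: every NS record must be in the trusted set, and a domain with no NS answer is refused.

```python
# Hypothetical names for this sketch: our MX host and the nameservers we trust.
LOCAL_MX_NAMES = {"mail.example.net"}
TRUSTED_NS = {"ns1.example.net", "ns2.example.net"}

# Constructed DNS data standing in for live lookups, so the sketch runs offline.
SAMPLE_DNS = {
    ("hosted.example", "MX"): ["mail.hosted.example.", "MAIL.example.net."],
    ("hosted.example", "NS"): ["ns1.example.net.", "NS2.example.net."],
    ("stranger.example", "MX"): ["mail.example.net."],
    ("stranger.example", "NS"): ["ns.stranger.example."],
    ("mixed.example", "MX"): ["mail.example.net."],
    ("mixed.example", "NS"): ["ns1.example.net.", "ns.elsewhere.example."],
    ("nons.example", "MX"): ["mail.example.net."],
}


def _norm(name):
    """DNS names compare case-insensitively and may carry a trailing dot."""
    return name.rstrip(".").lower()


def sample_resolver(name, rrtype):
    """Return the constructed records for (name, rrtype), or an empty list."""
    return SAMPLE_DNS.get((_norm(name), rrtype), [])


def accept_as_backup_mx(domain, resolve=sample_resolver,
                        local_mx=LOCAL_MX_NAMES, trusted_ns=TRUSTED_NS):
    """Return (accept, reason) for relaying mail addressed to `domain`."""
    # Step 1: the domain must actually list us as one of its MX hosts.
    mx = {_norm(h) for h in resolve(domain, "MX")}
    if not mx & {_norm(h) for h in local_mx}:
        return False, "we are not listed as an MX"
    # Step 2: the domain's nameservers must all be ones we run or trust.
    ns = {_norm(h) for h in resolve(domain, "NS")}
    if not ns:
        return False, "no NS records found"
    untrusted = ns - {_norm(h) for h in trusted_ns}
    if untrusted:
        return False, "NS outside trusted set: " + ", ".join(sorted(untrusted))
    return True, "MX is ours and all NS are trusted"


if __name__ == "__main__":
    for d in ("hosted.example", "stranger.example", "mixed.example", "nons.example"):
        print(d, accept_as_backup_mx(d))
```

To use it against live DNS, pass a `resolve` callable that returns the host names from real MX and NS queries.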