Re: [Exim] Exim 3.36 and RBL

Author: Tabor J. Wells
Date:  
To: Exim List Account
CC: exim-users
Subject: Re: [Exim] Exim 3.36 and RBL
On Mon, Dec 09, 2002 at 07:33:47PM -0500,
Exim List Account <exim@???> is thought to have said:

> "`/accept' allows RBL-type lookups to be used for `white lists' as well as
> black lists. The message is accepted from a host that matches an `/accept'
> item, and no further RBL domains are considered. Earlier `/warn' entries may
> have already added warning headers."
> (http://www.exim.org/exim-html-3.30/doc/html/spec.html from section 46.1)
>
> The way we interpret that, it passes the mail through to the user even if
> the host is listed in one of the other lists. This may be an error in
> interpretation on our part, but it seems reasonable to believe that there is
> an inherent whitelisting function available, even for the negation generally
> used in rbl_hosts.
>
> Unfortunately, since the action appears to be inconsistent under v3.x, and
> since the handful of whitelistings we were doing were for SPEWS-listed
> sites, we've had to dump SPEWS from the filtering for the time being until
> we can move all the boxes to v4 and use the better controls that seem to be
> available (from what I've read thus far, there's more granularity under v4
> than for v3, and we can return to using SPEWS at that time). Such is life.


You've misinterpreted the purpose of /accept. That is, if you had a dnsbl
that contained only addresses which you wished to explicitly accept mail
from, you would use whitelist.example.com/accept in your rbl_domains.
So if a lookup for the IP 1.2.3.4 matched 4.3.2.1.whitelist.example.com
then no further rbl_domains would be considered even if it matched in spews,
etc.

The option you want is rbl_hosts. In particular, if you want to exclude
hosts from dnsbl lookups, then you'd do something like:

rbl_hosts = "! 1.2.3.4/32 : ! 5.6.7.0/24 : \
             ! net32-dbm;/etc/exim/db/whitelist.db : 0.0.0.0/0"


Or, if you wanted to actually set up your own whitelist dnsbl zone, you could
use /accept.

--
--------------------------------------------------------------------
Tabor J. Wells                                     twells@???
Fsck It!                 Just another victim of the ambient morality
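
Added example, not part of the original message and not Exim's own code: a simplified Python model of the ordering described above, in which rbl_hosts decides whether a host is looked up at all and the rbl_domains entries are then tried in order until an /accept or /reject item matches. The zone contents, the blacklist.example.net zone and the function names are constructed for illustration; the dbm lookup item is left out and every domain is assumed to carry an explicit suffix.

```python
import ipaddress

# Constructed stand-ins for DNS zones: each set holds the names that "resolve".
# blacklist.example.net is a hypothetical zone, not a real list.
ZONES = {
    "whitelist.example.com": {"4.3.2.1.whitelist.example.com"},
    "blacklist.example.net": {"4.3.2.1.blacklist.example.net",
                              "9.7.6.5.blacklist.example.net"},
}
RBL_HOSTS = ["! 1.2.3.4/32", "! 5.6.7.0/24", "0.0.0.0/0"]  # from the message
RBL_DOMAINS = ["whitelist.example.com/accept", "blacklist.example.net/reject"]

def dnsbl_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def rbl_applies(ip, rbl_hosts):
    """First matching item wins; a leading '!' exempts the host from lookups."""
    addr = ipaddress.ip_address(ip)
    for item in rbl_hosts:
        net = ipaddress.ip_network(item.lstrip("! "))
        if addr in net:
            return not item.startswith("!")
    return False

def check(ip, rbl_hosts, rbl_domains):
    """Return (verdict, warn_zones) for a connecting host (simplified model)."""
    if not rbl_applies(ip, rbl_hosts):
        return "accept (not checked)", []
    warnings = []
    for entry in rbl_domains:
        zone, _, action = entry.partition("/")
        if dnsbl_name(ip, zone) not in ZONES.get(zone, set()):
            continue
        if action == "accept":      # whitelist hit: later domains are skipped
            return "accept (whitelisted)", warnings
        if action == "reject":
            return "reject", warnings
        warnings.append(zone)       # /warn: record it and keep going
    return "accept", warnings
```

Swapping the order of the two rbl_domains entries changes the verdict for a host present in both zones, which is why a whitelist zone has to come before the blocking lists it is meant to override.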