Re: [Exim] RBL Configuration w/ Base Exim Config

Author: Richard Welty
Date:  
To: exim-users
Subject: Re: [Exim] RBL Configuration w/ Base Exim Config
On Fri, 07 Feb 2003 18:33:27 -0500 Mail List <maillist@???> wrote:
> Yeah, I want to start by using relays.ordb.org -and in the coming weeks
> possibly subscribe to spam cop


be aware that bl.spamcop.org is _extremely_ aggressive and has a significant
false positive rate. this doesn't bother some people, but it's why i don't
use it and why i recommend against using it to the clients of my consulting
business.

> or some of the others that you mentioned
> after I do a little more research. I like the idea of using spamhaus.org
> from what I've read about their service (so far)


Steve Linford runs a very tight ship at spamhaus. i can't recall any
erroneous listings, although i suppose they do happen from time to time.

> I was unfamiliar with opm.blitzed.org -thanks for the
> info..!


John Payne does a good job with this one, and the false positive rate is
essentially nonexistent, as open proxies are almost never boxes you could
receive legitimate email from.

> So does the location of the "deny dnslists = relays.ordb.org" directive
> matter in the ACL part of the config? I'm guessing it should be towards
> the
> top..<?>


well, they're evaluated in order from the top down. i generally try and set
them up so that whitelists go right at the top, then other tests according
to various criteria. you're trading off lookup time here.

also, run a caching DNS server on the mail server or nearby, so that all
dns lookups (whether for outbound mail targets or for DNSBLs) get cached.
by nearby, i mean in terms of net topology -- on the same LAN segment, for
example.

> Does this look correct?
>
> Thanks again for your help and suggestions, I appreciate your time and
> assistance.
>
> ######################################################################
> #                       ACL CONFIGURATION                            #
> #         Specifies access control lists for incoming SMTP mail      #
> ######################################################################

>
> begin acl
>
> check_recipient:
>    accept  hosts = :


i think you want
     accept hosts = localhost:localhost.localdomain
or
     accept hosts = 127.0.0.1


here. i also recommend putting this

     accept  local_parts = postmaster
            domains = +local_domains


at the start. unfortunately, it means postmaster may (probably will) get
spam, but it's important to keep postmaster open for communications
purposes. treat it as the inevitable cost of running a mail server
responsibly.

>    deny    local_parts    = ^.*[@%!/|]

>
>    deny    message = host is listed in $dnslist_domain
>            dnslists = relays.ordb.org

>
>    deny    senders        = *@partial-dbm;/etc/exim/access.db : \
>                            dbm;/etc/exim/access.db



>    require verify         = sender


this works fairly well:

     require verify         = sender/callout


although you will want to monitor your rejectlogs as there will be some
needed whitelisting. in particular, there are some morons who refuse to
accept all error messages in the name of spam prevention, and
sender/callout simulates an error return to see if the MAIL FROM: is valid.

richard
--
Richard Welty                                         rwelty@???
Averill Park Networking                                         518-573-7592
              Unix, Linux, IP Network Engineering, Security
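
The ordering discussed in this thread, put together as one RCPT ACL. This is an added example, not part of the original message and not Exim's shipped configuration. The list names dnsbl_whitelist and callout_exempt and the addresses and domain in them are assumptions constructed for illustration; the final three statements follow the usual pattern for accepting local recipients and permitted relays.

```exim
# --- main configuration section ---
acl_smtp_rcpt = check_recipient

domainlist local_domains    = @
hostlist   relay_from_hosts = 127.0.0.1
# Hypothetical lists (constructed values, documentation address ranges)
hostlist   dnsbl_whitelist  = 192.0.2.10 : 198.51.100.0/28
domainlist callout_exempt   = example.org

# --- ACL section ---
begin acl

check_recipient:
  # Local submission: the empty item matches non-TCP/IP (stdin) SMTP
  accept  hosts       = :
  accept  hosts       = 127.0.0.1

  # postmaster stays reachable ahead of every blocking test
  accept  local_parts = postmaster
          domains     = +local_domains

  deny    local_parts = ^.*[@%!/|]

  # Conditions run in order, so the local whitelist test comes first
  # and a whitelisted host never triggers the DNSBL lookup
  deny    message     = host is listed in $dnslist_domain
          !hosts      = +dnsbl_whitelist
          dnslists    = relays.ordb.org

  # Callout verification, skipped for sender domains known to refuse
  # the null-sender probe (found by watching the rejectlog)
  deny    message     = sender callout verification failed
          !sender_domains = +callout_exempt
          !verify     = sender/callout

  # Plain sender verification still applies to exempted domains
  require verify      = sender

  accept  domains     = +local_domains
          endpass
          message     = unknown user
          verify      = recipient

  accept  hosts       = +relay_from_hosts

  deny    message     = relay not permitted
```

The whitelist is written as a negated condition inside each deny rather than as an early accept, so a whitelisted host skips only that one test and is still subject to the relay checks at the bottom.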