Re: [Exim] RBL Configuration w/ Base Exim Config

Góra strony
Delete this message
Reply to this message
Autor: Richard Welty
Data:  
Dla: exim-users
Temat: Re: [Exim] RBL Configuration w/ Base Exim Config
On Fri, 07 Feb 2003 18:33:27 -0500 Mail List <maillist@???> wrote:
> Yeah, I want to start by using relays.ordb.org -and in the coming weeks
> possibly subscribe to spam cop


be aware that bl.spamcop.org is _extremely_ agressive and has a significant
false positive rate. this doesn't bother some people, but it's why i don't
use it and why i recommend against using it to the clients of my consulting
business.

> or some of the others that you mentioned
> after I do a little more research. I like the idea of using spamhaus.org
> from what I've read about their service (so far)


Steve Linford runs a very tight ship at spamhaus. i can't recall any
erroneous listings, although i suppose they do happen from time to time.

> I was unfamiliar with opm.blitzed.org -thanks for the
> info..!


John Payne does a good job with this one, and the false positive rate is
essentially nonexistant, as open proxies are almost never boxes you could
receive legitimate email from.

> So does the location of the "deny dnslists = relays.ordb.org" directive
> matter in the ACL part of the config? I'm guessing it should be towards
> the
> top..<?>


well, they're evaluated in order from the top down. i generally try and set
them up so that whitelists go right at the top, then other tests according
to various criteria. you're trading off lookup time here.

also, run a caching DNS server on the mail server or near by, so that all
dns lookups (whether for outbound mail targets or for DNSBLs) get cached.
by near by, i mean in terms of net topology -- on the same LAN segment, for
example.

> Does this look correct?
>
> Thanks again for your help and suggestions, I appreciate your time and
> assistance.
>
> ######################################################################
> #                       ACL CONFIGURATION                            #
> #         Specifies access control lists for incoming SMTP mail      #
> ######################################################################

>
> begin acl
>
> check_recipient:
>    accept  hosts = :


i think you want
     accept hosts = localhost:localhost.localdomain
or
     accept hosts = 127.0.0.1


here. i also recommend putting this

     accept  local_parts = postmaster
            domains = +local_domains


at the start. unfortunately, it means postmaster may (probably will) get
spam, but it's important to keep postmaster open for communications
purposes. treat it as the inevitable cost of running a mail server
responsibly.

>    deny    local_parts    = ^.*[@%!/|]

>
>    deny    message = host is listed in $dnslist_domain
>            dnslists = relays.ordb.org

>
>    deny    senders        = *@partial-dbm;/etc/exim/access.db : \
>                            dbm;/etc/exim/access.db



>    require verify         = sender


this works fairly well:

     require verify         = sender/callout


although you will want to monitor your rejectlogs as there will be some
needed whitelisting. in particular, there are some morons who refuse to
accept all error messages in the name of spam prevention, and
sender/callout simulates an error return to see if the MAIL FROM: is valid.

richard
--
Richard Welty                                         rwelty@???
Averill Park Networking                                         518-573-7592
              Unix, Linux, IP Network Engineering, Security