Hello Exim likes,
There is one thing that has bothered me for long, whose solution I would
greatly appreciate.
I relay for several IP blocks on our network, so I have
hostlist relay_hosts = 127.0.0.1 : a.b.c.d/19 : e.f.g.h/25
I do not want, under any circumstances, to do recipient (not sender) address
verification when these hosts are submitting mail. I want my server to accept
the mail and then attempt to send it anyway and only generate an error on failure.
This way, they can submit mail even when dns resolution is temporarily unavailable
(our uplinks go off here quite often).
The section of the configure file that I believe deals with this is the ACL for
check_recipient, yes? Mine is a bit messy, to say the least. I would appreciate
if someone can bang my head with the clue stick as to what needs to be tuned
here:
# ACL that is used after the RCPT command
check_recipient:

  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.
  accept  hosts = :

  # Accept mail to postmaster in any local domain, regardless of the source,
  # and without verifying the sender.
  accept  domains = +local_domains
          local_parts = postmaster

  # This is to accept anything from localhost, and especially mailman which
  # chokes badly if you refuse its mail
  accept  hosts = 127.0.0.1/8

  # Do callout
  deny    message = Unroutable sender address
          log_message = Unroutable sender address while callout verify
          condition = ${lookup {$sender_address_domain} lsearch {/usr/local/etc/exim/calloutdomains}{yes}}
          !verify = sender/callout=defer_ok,random,10s

  # Deny unless the sender address can be verified.
  #!!!require verify = sender

  ############################################################################
  # DNS LISTS
  #############################################################################
  # DNS Black lists
  deny    message = host rejected because $sender_host_address is listed in $dnslist_domain
          dnslists = spamhaus.relays.osirusoft.com : spamsites.relays.osirusoft.com : \
                     dialups.relays.osirusoft.com : spews.relays.osirusoft.com : \
                     socks.relays.osirusoft.com : opm.blitzed.org : sbl.spamhaus.org : hil.habeas.com
          condition = ${lookup{$local_part}lsearch{/usr/local/etc/exim/spamcheck_users}{yes}{no}}

  warn    message = X-Warning: $sender_host_address is listed at $dnslist_domain
          log_message = found in $dnslist_domain
          dnslists = blacklist.spambag.org : orbs.dorkslayers.com : relays.visi.com

  #######################################################################
  # Ok, now that we have all the overrides, we can start the deny rules #
  #######################################################################
  deny    !hosts = !62.8.64.4 : !212.49.74.4 : !127.0.0.1/32
          message = "HELO/EHLO required by SMTP RFC"
          condition = ${if eq{$sender_helo_name}{}{yes}{no}}

  deny    message = Only one receipient accepted for NULL sender
          senders = :
          condition = ${if >{$rcpt_count}{1} {1}}

  # characters not used by any local_parts here. To lock out local parts containing
  # ! and starting with dot
  deny    local_parts = ^.*[@%!/|] : ^\\.
          message = The "local part" portion of the recipient address \
                    contains invalid characters.

  # If the envelope sender has an 8-bit character in it, reject
  # all recipients -- only spammers do this, and it violates
  # RFC 2821 to boot. (This doesn't block a lot of spam, but
  # it doesn't seem to hurt.)
  deny    senders = \N[\x80-\xFF]\N
          message = Illegal data.\n\
                    8-bit characters are not allowed in the envelope sender\n\
                    (see RFC 2821, section 4.1.2)

  deny    hosts = !62.8.64.4 : !212.49.74.4 : !127.0.0.1/32 : *
          senders = postmaster@???: Mailer-Daemon@??? : \
                    admin@??? : sysadmin@??? : cs@??? : \
                    sales@??? : info@???
          message = forged sender address. Invalid use of sender <$sender_address>

  # We can also deny blocks with CIDR notation, and give them a message. This is better than the
  # one above.
  deny    message = ${lookup {${mask:$sender_host_address/32}} lsearch {/usr/local/etc/exim/blocked.ip}}
          hosts = net32-lsearch;/usr/local/etc/exim/blocked.ip

  deny    message = ${lookup {${mask:$sender_host_address/24}} lsearch {/usr/local/etc/exim/blocked.ip}}
          hosts = net24-lsearch;/usr/local/etc/exim/blocked.ip

  deny    message = ${lookup {${mask:$sender_host_address/16}} lsearch {/usr/local/etc/exim/blocked.ip}}
          hosts = net16-lsearch;/usr/local/etc/exim/blocked.ip

  deny    message = ${lookup {$sender_host_address} lsearch {/usr/local/etc/exim/blocked.ip}}
          hosts = net-lsearch;/usr/local/etc/exim/blocked.ip

  # Those senders that we'd rather live without - these two rules are global
  # For subdomains, like *.freelotto.com
  deny    senders = *@partial-lsearch;/usr/local/etc/exim/badsenders : lsearch;/usr/local/etc/exim/badsenders

  require verify = sender

  deny    senders = *@partial-lsearch;/usr/local/etc/exim/bouncelist

  require verify = sender

  # For domains, e.g freelotto.com
  deny    message = We think you are a spammer; if this is wrong, and you feel aggrieved, please do contact abuse@???
          senders = ${if exists{/usr/local/etc/exim/bouncelist} {lsearch*@;/usr/local/etc/exim/bouncelist}}

  # For user@domain
  deny    message = We think you are a spammer; if this is wrong, please do contact abuse@???
          senders = ${if exists{/usr/local/etc/exim/bouncelist} {lsearch;/usr/local/etc/exim/bouncelist}}

  deny    senders = @@partial-lsearch;/usr/local/etc/exim/blocked.senders
          message = Administrative Prohibition - No Spam Allowed.

  #
  # Below are user-defined personal blacklists
  # Those domains who our clients don't like i.e. *.some.domain
  deny    message = user $local_part doesn't like you; just go away or if aggrieved, contact postmaster@???
          senders = ${if exists{/home/$local_part/.bouncelist} {*@partial-lsearch;/home/$local_part/.bouncelist}}

  # Those individual addresses our clients don't like i.e user@domain
  deny    message = user $local_part doesn't like you; just go away or if aggrieved, contact postmaster@???
          senders = ${if exists{/home/$local_part/.bouncelist} {lsearch;/home/$local_part/.bouncelist}}

  # sent to domains that we are or relay for
  accept  domains = +local_domains : +relay_domains
  # skip if the above fails, reject if the below fails
  # endpass
  # verify = recipient
  # message = NO_SUCH_USER
  #message = The user "$local_part" doesn't exist on this system.\n\
  # Verify that you have correctly specified the address.\n\
  # Contact the postmaster if you feel this in error.

  # sent by a host we relay for
  accept  hosts = +relay_hosts
  # verify = recipient
  # message = NO_SUCH_USER

  # check authentication for hosts
  accept  hosts = +auth_relay_hosts
          # this means skip the test if the above fails, and reject if the
          # below fails
          endpass
          authenticated = *
          message = Authentication is required to send mail from \
                    your computer at this time.\n\
                    Contact the postmaster if you require \
                    assistance with this.

  # verify that mail addressed to the sender address can be routed
  #require verify = sender
  # message = The address you are sending from can't have mail delivered to it.

  deny    message = This site does not permit unauthorized relaying of email.

# -- end acl_check_recipient
-Wash
--
Odhiambo Washington <wash@???>
Wananchi Online Ltd. www.wananchi.com
Tel: +254 2 313985-9 +254 2 313922
GSM: +254 72 743223 +254 733 744121

"The box said 'Requires Windows 95, NT, or better,' so I installed FreeBSD."
This sig is McQ! :-)

"I'm fed up to the ears with old men dreaming up wars for young men to
die in."
-- George McGovern