[Exim] Address (recipient) verification

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Odhiambo G. Washington
Date:  
À: exim-users
Sujet: [Exim] Address (recipient) verification
Hello Exim likes,


There is one thing that has bothered me for long, whose solution I would
greatly appreciate.

I relay for several IP blocks on our network, so I have

hostlist relay_hosts = 127.0.0.1 : a.b.c.d/19 : e.f.g.h/25

I do not want, under any circumstances, to do recipient (not sender) address
verification when these hosts are submitting mail. I want my server to accept
the mail and then attempt to send it anyway and only generate error on failure.
This way, they can submit mail even when dns resolution is temporarily unavailable
(our uplinks go off here quite often).

The section of the configure file that I believe deals with this the ACL for
check_recipient, yes? Mine is a bit messy, to say the least. I would appreciate
if someone can bang my head with the clue stick as to what needs to be tuned
here:



# ACL that is used after the RCPT command

check_recipient:
# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.

accept hosts = :

# Accept mail to postmaster in any local domain, regardless of the source,
# and without verifying the sender.

  accept  domains     = +local_domains
          local_parts = postmaster


# This is to accept anything from localhost, and especially mailman which
# chokes badly if you refuse its mail

accept hosts = 127.0.0.1/8

# Do callout

  deny    message     = Unroutable sender address
          log_message = Unroutable sender address while callout verify
          condition   = ${lookup {$sender_address_domain} lsearch {/usr/local/etc/exim/calloutdomains}{yes}}
          !verify     = sender/callout=defer_ok,random,10s



# Deny unless the sender address can be verified.

#!!!require verify = sender

  ############################################################################
  #         DNS LISTS
  #############################################################################



# DNS Black lists

 deny    message      = host rejected because $sender_host_address is listed in $dnslist_domain
         dnslists     = spamhaus.relays.osirusoft.com : spamsites.relays.osirusoft.com : \
                        dialups.relays.osirusoft.com : spews.relays.osirusoft.com : \
                        socks.relays.osirusoft.com : opm.blitzed.org : sbl.spamhaus.org : hil.habeas.com
          condition   = ${lookup{$local_part}lsearch{/usr/local/etc/exim/spamcheck_users}{yes}{no}}


  warn  message       = X-Warning: $sender_host_address is listed at $dnslist_domain
        log_message   = found in $dnslist_domain
        dnslists      = blacklist.spambag.org : orbs.dorkslayers.com : relays.visi.com



#######################################################################
# Ok, now that we have all the overrides, we can start the deny rules #
#######################################################################


  deny !hosts        = !62.8.64.4 : !212.49.74.4 : !127.0.0.1/32
       message       = "HELO/EHLO required by SMTP RFC"
       condition     = ${if eq{$sender_helo_name}{}{yes}{no}}



  deny  message      = Only one receipient accepted for NULL sender
    senders      = :
    condition    = ${if >{$rcpt_count}{1} {1}}



# characters not used by any local_parts here. To lock out local parts containig
# ! and starting with dot

  deny  local_parts  = ^.*[@%!/|] : ^\\.
        message      = The "local part" portion of the recipient address \
                         contains invalid characters.


# If the envelope sender has an 8-bit character in it, reject
# all recipients -- only spammers do this, and it violates
# RFC 2821 to boot. (This doesn't block a lot of spam, but
# it doesn't seem to hurt.)

  deny  senders      = \N[\x80-\xFF]\N
        message      = Illegal data.\n\
                       8-bit characters are not allowed in the envelope sender\n\
                       (see RFC 2821, section 4.1.2)




    deny    hosts   = !62.8.64.4 : !212.49.74.4 : !127.0.0.1/32 : *
            senders = postmaster@???: Mailer-Daemon@??? : \
                      admin@??? : sysadmin@??? : cs@??? : \
                      sales@??? : info@???
            message = forged sender address. Invalid use of sender <$sender_address>




# We can also deny blocks with CIDR notation, and give them a message. This is better than the
# one above.

  deny  message         = ${lookup {${mask:$sender_host_address/32}} lsearch {/usr/local/etc/exim/blocked.ip}}
        hosts           = net32-lsearch;/usr/local/etc/exim/blocked.ip


  deny  message         = ${lookup {${mask:$sender_host_address/24}} lsearch {/usr/local/etc/exim/blocked.ip}}
        hosts           = net24-lsearch;/usr/local/etc/exim/blocked.ip


  deny  message         = ${lookup {${mask:$sender_host_address/16}} lsearch {/usr/local/etc/exim/blocked.ip}}
        hosts           = net16-lsearch;/usr/local/etc/exim/blocked.ip


  deny message        = ${lookup {$sender_host_address} lsearch {/usr/local/etc/exim/blocked.ip}}
       hosts        = net-lsearch;/usr/local/etc/exim/blocked.ip




# Those senders that we'd rather live without - these two rules are global

# For subdomains, like *.freelotto.com

   deny    senders = *@partial-lsearch;/usr/local/etc/exim/badsenders : lsearch;/usr/local/etc/exim/badsenders
   require verify  = sender


   deny    senders = *@partial-lsearch;/usr/local/etc/exim/bouncelist
   require  verify = sender



  # For domains, e.g freelotto.com
   deny    message =  We think you are a spammer; if this is wrong, and you feel aggrieved, please do contact abuse@???
           senders = ${if exists{/usr/local/etc/exim/bouncelist} {lsearch*@;/usr/local/etc/exim/bouncelist}}


# For user@domain

   deny    message =  We think you are a spammer; if this is wrong, please do contact abuse@???
           senders = ${if exists{/usr/local/etc/exim/bouncelist} {lsearch;/usr/local/etc/exim/bouncelist}}


   deny    senders = @@partial-lsearch;/usr/local/etc/exim/blocked.senders
           message = Administrative Prohibition - No Spam Allowed.


#

# Below are user-defined personal blaclkists

  # Those domains who our clients don't like i.e. *.some.domain
  deny    message = user $local_part doesn't like you; just go away or if aggrieved, contact postmaster@???
          senders = ${if exists{/home/$local_part/.bouncelist} {*@partial-lsearch;/home/$local_part/.bouncelist}}


  # Those individual addresses our clients don't like i.e user@domain
  deny    message = user $local_part doesn't like you; just go away or if aggrieved, contact postmaster@???
          senders = ${if exists{/home/$local_part/.bouncelist} {lsearch;/home/$local_part/.bouncelist}}



  # sent to domains that we are or relay for
  accept  domains = +local_domains : +relay_domains
          # skip if the above fails, reject if the below fails
#          endpass
#          verify  = recipient
#          message = NO_SUCH_USER
          #message = The user "$local_part" doesn't exist on this system.\n\
          #          Verify that you have correctly specified the address.\n\
          #          Contact the postmaster if you feel this in error.


  # sent by a host we relay for
  accept  hosts = +relay_hosts
#         verify  = recipient
#         message = NO_SUCH_USER


  # check authentication for hosts
  accept  hosts = +auth_relay_hosts
          # this means skip the test if the above fails, and reject if the
          # below fails
          endpass
          authenticated = *
          message       = Authentication is required to send mail from \
                          your computer at this time.\n\
                          Contact the postmaster if you require \
                          assistance with this.


  # verify that mail addressed to the sender address can be routed
  #require verify  = sender
  #        message = The address you are sending from can't have mail delivered to it.



   deny    message = This site does not permit unauthorized relaying of email.


# -- end acl_check_recipient





-Wash

--
Odhiambo Washington   <wash@???>  "The box said 'Requires
Wananchi Online Ltd.  www.wananchi.com      Windows 95, NT, or better,'
Tel: +254 2 313985-9  +254 2 313922         so I installed FreeBSD."
GSM: +254 72 743223   +254 733 744121       This sig is McQ!  :-)



"I'm fed up to the ears with old men dreaming up wars for young men to
die in."
        -- George McGovern