Re: [Exim] Dealiang with broken MTAs

Pàgina inicial
Delete this message
Reply to this message
Autor: Andreas J Mueller
Data:  
A: Fernando Sanchez
CC: exim-users
Assumptes nous: Re: [Exim] Dealing with broken MTAs
Assumpte: Re: [Exim] Dealiang with broken MTAs
Hi Fernando!

> Going to the point of my post, have anyone who have used sender
> callout had this kind of problems?


Yes, in almost all of these cases it has been Ipswitch IMail that
gives a "501 bogus mail from" reply to empty senders. But it seems
to be configurable, at least *some* of the affected domains have
managed to make their mailhosts more compliant.

> How can you deal with them?


Tell them to fix their configuration. A good reason to do this is the
fact that otherwise they will be unable to find out whether their
emails are actually reaching the intended recipients. No error
messages, no clue. ;-)

If that doesn't help, disable callouts for their domains. Yes, it
makes you more vulnerable, but unless some spammer actually *uses*
these domain names in forged addresses, you'll be ok. Below is a
sample router you can use to disable callouts to certain domains (I
use it in my smart routes, because it is pointless to do callouts
against smart hosts, unless they are actually using callforwards for
recipient verification):

smart_verify:
driver = accept
domains = partial-lsearch*;/etc/exim/smart_routes
verify_only

> are there any other options I can use to filter invalid mails?


You could keep a list of bad patterns that some spamware uses to forge
addresses, and reject or defer mail based on that, e.g.,
"^offer..@aol.com$". *If* you have time to maintain this list. Or use
graylisting against a few domains that do not work well with callouts
(yahoo.*, aol.com, lycos.*, tripod.*, ...).

Andy