Re: [Exim] Whitelisting RBL positives

Author: Kevin Smith
Date:  
To: exim-users
Subject: Re: [Exim] Whitelisting RBL positives
** Warning ** New poster alert :)

Richard Welty <rwelty@???> wrote:
> On Sat, 19 Jul 2003 21:43:40 -0500 Jerry Jorgenson <jerry@???> wrote:
>
> > Folks,
> >
> > I have some incoming domains that I need to let through even though they
> > are in RBL lists. While I can allow them in by:
> >
> >   accept  hosts         = /etc/mail/allow_access_list
> >   deny    dnslists      = relays.ordb.org : sbl.spamhaus.org
> >
> > This lets them through, but has the unfortunate effect of making an open
> > relay for every host listed in /etc/mail/allow_access_list,
>
> accept hosts = /etc/mail/allow_access_list
>        domains = +local_domains


Hmmm... I like this one (over excluding from the RBL) since I also
have a blacklist. On seeing this thread, I realized I was doing the
same thing (allowing relaying from whitelisted hosts). I've modified
my config along the above lines.

Processing goes...

Accept verified names from whitelisted hosts to local domains
Deny mail from blacklisted hosts
Deny mail from RBL's hosts
... then default stuff, accept to local, accept relay, deny all else

Rules look like...

  #
  # Accept mail from whitelisted hosts to known users in the local domains
  #
  accept hosts =        /usr/local/exim/whitelist : \
                        /usr/local/exim/whitelist.listmgr
         domains =      +local_domains
         endpass
         message       = unknown user
         verify        = recipient


  #
  # Reject any mail from blacklisted hosts
  #
  deny   hosts =        /usr/local/exim/blacklist
         message =      Rejected
         log_message =  Rejected [BLACKLIST] $sender_host_name $sender_host_address


  #
  # Check source domain against various RBLs
  #
  deny  message         = rejected by $dnslist_domain
        log_message     = Rejected [$dnslist_domain] $sender_host_address\n$dnslist_text
        dnslists        = +exclude_unknown : \
                          relays.ordb.org : \
                          relays.osirusoft.com


This maintains my logical hierarchy where whitelist trumps blacklist
and RBL without having to exclude whitelist hosts from both the blacklist
check and the RBL check.

--
Do two rights make | Kevin Smith, ShadeTree Software, Philadelphia, PA, USA
a libertarian      | 001-215-487-3811  shady,com,kevin
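
Added example, not part of the original message and not Exim's own code: a small Python model of first-match ACL evaluation that compares the two-line ACL from the quoted question with the ordering in the reply, showing which (host, recipient) pairs each one accepts. All addresses, domains and list contents are constructed, and the trailing default statements ("accept to local, accept relay") are assumed from the processing order listed in the reply.

```python
# Simplified model of first-match ACL evaluation for one RCPT command.
# Every address, domain and list entry here is constructed sample data.
LOCAL_DOMAINS = {"example.org"}
LOCAL_USERS = {"alice@example.org"}
WHITELIST = {"192.0.2.10"}                  # whitelist file contents
BLACKLIST = {"198.51.100.7"}                # blacklist file contents
RBL_LISTED = {"192.0.2.10", "203.0.113.5"}  # hosts a DNS list would flag
RELAY_HOSTS = {"10.0.0.5"}                  # assumed "accept relay" default

CONDITIONS = {
    "whitelist": lambda host, rcpt: host in WHITELIST,
    "blacklist": lambda host, rcpt: host in BLACKLIST,
    "rbl": lambda host, rcpt: host in RBL_LISTED,
    "relay_host": lambda host, rcpt: host in RELAY_HOSTS,
    "local_domain": lambda host, rcpt: rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS,
    "verify_rcpt": lambda host, rcpt: rcpt.lower() in LOCAL_USERS,
}

# Statement: (verb, conditions before endpass, conditions after endpass)
DEFAULTS = [
    ("accept", ["local_domain"], ["verify_rcpt"]),
    ("accept", ["relay_host"], []),
]
# The two-line ACL from the quoted question: whitelist accept has no domain test.
WEAK_ACL = [("accept", ["whitelist"], []), ("deny", ["rbl"], [])] + DEFAULTS
# The ordering from the reply: whitelist accept limited to local domains.
FIXED_ACL = [
    ("accept", ["whitelist", "local_domain"], ["verify_rcpt"]),
    ("deny", ["blacklist"], []),
    ("deny", ["rbl"], []),
] + DEFAULTS

def check_rcpt(acl, host, rcpt):
    """Return 'accept' or 'deny' for host sending to rcpt under acl."""
    def holds(names):
        return all(CONDITIONS[n](host, rcpt) for n in names)
    for verb, before, after in acl:
        if not holds(before):
            continue              # statement does not apply; try the next
        if verb == "deny":
            return "deny"
        # accept: a failed condition after endpass turns it into a deny
        return "accept" if holds(after) else "deny"
    return "deny"                 # running off the end of the ACL denies
```

Running `check_rcpt` over a table of test hosts and recipients after each ACL change gives a quick regression check that a whitelist entry has not become a relay permission.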