> For some time, I've been mechanically doing all of my ACL stuff in the
> recipients check, based on conventional wisdom that 5xx gets listened to
> best after RCPT TO:
I've heard this as well. If there is a host that bangs on my server, I drop
their IP into my firewall.
> I've reconsidered that, based on recent/current events. I've now got the
> following attached to the HELO ACL; I strongly recommend it:
>
> check_helo:
>   drop message   = HELO/EHLO must contain a Fully Qualified Domain Name
>        hosts     = !+relay_hosts
>        condition = ${if match {$sender_helo_name}{\N^[^.].*\.[^.]+$\N}{no}{yes}}
Good.
>   drop condition = ${if eq{$sender_ident}{squid}{yes}{no}}
>        message   = we do not accept mail from squid proxies
>   drop condition = ${if eq{$sender_ident}{CacheFlow Server}{yes}{no}}
>        message   = we do not accept mail from CacheFlow Servers
I'd prefer to put ones like this into the connect ACL.
You can merge them by:
  condition = ${if match{$sender_ident}{squid|CacheFlow Server}{yes}{no}}
  message   = we do not accept mail from open proxies
>   drop message  = host is listed in $dnslist_domain
>        dnslists = cbl.abuseat.org : \
>                   opm.blitzed.org
I'd prefer this in the connect ACL also.
>   accept
>
> The logic being that these callers are by and large things that aren't
> going to take 5xx for an answer, so why wait? In particular, right this
> instant we're all being pounded by Sobig, and this should clear out those
> connections quicker.
Might not be a bad idea to temporarily firewall out anyone who HELOs with a
name that doesn't have a dot (only due to Sobig). I've seen tons of
connections from the same host sending Sobig.
> I'm sure many are doing this already, but I suspect others might appreciate
> the tip.
I may post my ACLs somewhere. At work, my entire ACL config (one ruleset
may actually take a page because of my formatting) is 900-1000 lines
(including comments) and relies heavily on SQL.
--
Lab tests show that use of micro$oft causes cancer in lab animals
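Added example, not part of this thread and not Exim code: a small Python model of the quoted check_helo ACL that lets you test the HELO regex, the ident tests and the DNSBL lookup name offline before putting them in front of real traffic. It goes a little beyond the thread by probing edge cases of the regex (address literals and doubled dots pass it; leading or trailing dots fail) and by showing that the merged `squid|CacheFlow Server` condition, applied the unanchored way Exim's `${if match}` applies a regex, is wider than the two exact `eq` tests it replaces. The relay-host list and the set of "listed" DNSBL answers are constructed stand-ins, since nothing here talks to the network.

```python
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed stand-in for Exim's +relay_hosts host list.
RELAY_HOSTS = {"192.0.2.10"}

# The HELO regex from the quoted ACL. Exim's ${if match{s}{re}} is an
# unanchored PCRE search, but this particular regex carries its own ^ and $.
HELO_FQDN_RE = re.compile(r"^[^.].*\.[^.]+$")

# The merged ident test from the reply, applied as Exim applies it:
# unanchored, so it fires on any ident that merely contains either word.
PROXY_IDENT_MERGED_RE = re.compile(r"squid|CacheFlow Server")
# Anchored variant that reproduces the two exact 'eq' tests it replaced.
PROXY_IDENT_EXACT_RE = re.compile(r"^(squid|CacheFlow Server)$")

# The two zones from the quoted dnslists line.
DNSBL_ZONES = ["cbl.abuseat.org", "opm.blitzed.org"]


@dataclass
class Session:
    host: str          # connecting IPv4 address
    helo: str          # $sender_helo_name
    ident: str = ""    # $sender_ident (empty when the client gave no ident)


def helo_is_fqdn(helo: str) -> bool:
    """True when the HELO name passes the quoted regex (no drop)."""
    return HELO_FQDN_RE.search(helo) is not None


def ident_is_proxy(ident: str, anchored: bool = False) -> bool:
    """Proxy-ident test; anchored=False mirrors the merged regex as Exim
    would evaluate it, anchored=True mirrors the original two 'eq' tests."""
    rx = PROXY_IDENT_EXACT_RE if anchored else PROXY_IDENT_MERGED_RE
    return rx.search(ident) is not None


def dnsbl_query_name(ip: str, zone: str) -> str:
    """The name Exim's dnslists condition looks up for an IPv4 client:
    the octets reversed, under the list zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        raise ValueError("IPv4 dotted quad expected")
    return ".".join(reversed(octets)) + "." + zone


def check_helo(s: Session, listed: Optional[Set[str]] = None,
               anchored_ident: bool = False) -> Tuple[str, str]:
    """Walk the quoted check_helo ACL top to bottom.  `listed` is a
    constructed stand-in for DNSBL answers: the set of query names that
    would resolve (i.e. hosts the list considers bad)."""
    listed = listed or set()
    # drop ... hosts = !+relay_hosts : applies only to non-relay hosts
    if s.host not in RELAY_HOSTS and not helo_is_fqdn(s.helo):
        return ("drop", "HELO/EHLO must contain a Fully Qualified Domain Name")
    if ident_is_proxy(s.ident, anchored_ident):
        return ("drop", "we do not accept mail from open proxies")
    for zone in DNSBL_ZONES:
        if dnsbl_query_name(s.host, zone) in listed:
            return ("drop", "host is listed in " + zone)
    return ("accept", "")


if __name__ == "__main__":
    # Constructed sessions; the 203.0.113.0/24 and 192.0.2.0/24 ranges are
    # documentation addresses, not real hosts.
    for sess in (Session("203.0.113.7", "localhost"),
                 Session("192.0.2.10", "localhost"),
                 Session("203.0.113.7", "[203.0.113.7]"),
                 Session("203.0.113.7", "mail.example.com", "mysquid")):
        print(sess, "->", check_helo(sess))
```

Two things this turns up that are worth knowing before copying the ACL: an address-literal HELO such as `[203.0.113.7]` contains a dot and is not stopped by the FQDN regex, so anything that should be rejected for using a bare address needs a separate condition; and the merged `match` condition should be anchored (`\N^(squid|CacheFlow Server)$\N`) if the intent is to keep the exact-match behaviour of the two `eq` lines it replaces.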