Re: [Exim] Re: How to bypass last Received: server to apply …

Author: Matthew Byng-Maddick
Date:  
To: exim-users
Subject: Re: [Exim] Re: How to bypass last Received: server to apply block lists to previous server
I know Patrick won't see this, but since he seems to fail to understand
what I'm getting at, and calls me arrogant, clue-resistant seems the only
appropriate description.

On Sun, Sep 21, 2003 at 10:54:10AM +0000, Patrick Starrenburg wrote:
> When the mail comes to me it is going to come from this "trusted" (! well
> I sure don't trust it) corporate server (inside our global corporate WAN
> with reserved address range address 10.xx.xx.xx). I can't apply DNSBLs in
> Exim ACLs to it directly obviously. So I want to 'strip off' the last
> "Received:" server in the message and then apply the DNSBL lookup to the
> server immediately *before* the "trusted" gateway server. If the Internet
> server is on a black list (Proxy, Dynablock, SBL-Spamhaus, Relay) then at
> SMTP dialog with the *gateway* server I reject the message and the
> gateway server has to deal with the message (like it should have done in
> the first place).
Right, this is your problem, and this is why I was calling you
clue-resistant. If you reject to the gateway server, it will have no option
but to bounce it, making you one of those annoying corporates who send out
non-delivery/virus "reports" to innocent third-parties. Once you have a
server in your organisation which has accepted the message, you have little
option but to accept it and blackhole it in the situation you're talking
about.

My feeling on this is that you shouldn't achieve this goal using exim, but
rather run it through spamassassin/mailscanner, or any one of these, whose
rules can be tweaked to be sensible, and look for precisely the thing you
are talking about. At the very worst, it's a relatively simple bit of perl
to take the Received: header you believe, extract the sending IP address
from it, and use Net::DNS or similar to apply the checks yourselves. Knowing
that you have a corporate gateway and are not your own MX and rejecting at
SMTP time is just a plainly stupid idea, because you *WILL* affect the
innocent third parties that Alan was talking about.

Since you obviously just reacted badly to what I said, and didn't realise
that I had, just possibly, actually thought about what I was saying and
why, and that actually, in this case (though perhaps not in others), I
was actually correct in what I was saying, then perhaps you can start being
a bit more reasonable. The point is if *YOUR SERVER* behind the gateway
rejects at SMTP time, then you are *KNOWINGLY* forcing the gateway to send
bounces to recipients whose addresses may have been forged. The outward
behaviour is exactly what Alan, myself and others have been complaining
about, and what you do internally is of little interest, except in the
context of this list.

> Key question now is how to have DNSBL functionality when I am not having
> direct SMTP dialog with sending server. I was thinking we would need to
> have something done in local scan section to get to previous server but
> wondering if anyone had done something like this already.
Just think for a second about why this is a very stupid idea, perhaps
reread what I wrote above.

I think you've just reinforced my judgement of clue-resistant, well
done.

MBM

--
Matthew Byng-Maddick         <mbm@???>           http://colondot.net/
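The post above suggests a small script that takes the Received: header you believe, extracts the sending IP from it, and does the DNSBL lookup yourself, and stresses that a host behind a corporate gateway can only deliver or blackhole, never reject. The following is an added example of that approach, not code from the thread or from Exim; it is written in Python rather than the Perl/Net::DNS the post mentions, so `socket.gethostbyname` stands in for the DNS query. The sample message, the 10/8 trusted range, the placeholder list zone `dnsbl.example` and the offline `fake_resolve` stand-in are all constructed for the example. It walks Received: headers newest-first, skips hops recorded from trusted internal addresses, stops at the first external hop (the one the gateway itself wrote, which is the last address that can be trusted), builds the reversed-label DNSBL query name for IPv4 or IPv6, and returns either "deliver" or "discard".

```python
import ipaddress
import re
import socket
from email import message_from_string
from email.policy import default

# Address literal inside a Received: header, e.g. "[192.0.2.45]" or "[IPv6:2001:db8::1]".
_ADDR_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

# Constructed sample: Internet MX -> corporate gateway (10/8) -> departmental host.
# Each hop prepends its own Received: header, so the newest one is on top.
SAMPLE_MESSAGE = (
    "Received: from gateway.corp.example (gateway.corp.example [10.1.2.3])\n"
    "\tby mail.dept.example with ESMTP id 1A2B3C; Sun, 21 Sep 2003 10:55:01 +0000\n"
    "Received: from mx.sender.example (mx.sender.example [192.0.2.45])\n"
    "\tby gateway.corp.example with ESMTP id 4D5E6F; Sun, 21 Sep 2003 10:54:10 +0000\n"
    "Received: from forged.example ([203.0.113.9])\n"  # written by the sender's side; untrustworthy
    "\tby mx.sender.example; Sun, 21 Sep 2003 10:54:00 +0000\n"
    "From: someone@sender.example\n"
    "To: me@dept.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Assumed internal ranges: the corporate WAN (10/8 in the thread) plus loopback.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]


def received_ip(header_value):
    """Return the sending address recorded in one Received: header, or None."""
    m = _ADDR_LITERAL.search(str(header_value))
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


def first_external_hop(received_values, trusted=TRUSTED_NETWORKS):
    """Walk Received: headers newest-first and return the first hop from outside
    the trusted networks. That hop was recorded by our own gateway, so its address
    is reliable; every header below it came from the sender's side and may be forged,
    which is why the walk stops there instead of going further down."""
    for value in received_values:
        ip = received_ip(value)
        if ip is None or any(ip in net for net in trusted):
            continue
        return ip
    return None


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: reversed address labels followed by the list zone."""
    # reverse_pointer is "45.2.0.192.in-addr.arpa" for IPv4 (nibble form for IPv6);
    # drop the two trailing arpa labels and append the list zone instead.
    reversed_labels = ip.reverse_pointer.rsplit(".", 2)[0]
    return f"{reversed_labels}.{zone}"


def resolve_a(name):
    """Live lookup: a DNSBL answers listed addresses with an A record, NXDOMAIN otherwise."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbl(ip, zones, resolve=resolve_a):
    """Return the zones that list ip."""
    return [zone for zone in zones if resolve(dnsbl_query_name(ip, zone)) is not None]


def decide(message_text, zones, resolve=resolve_a, trusted=TRUSTED_NETWORKS):
    """Classify a message the gateway has already handed to us. As the post argues,
    once an internal server has accepted it the only sane choices are deliver or
    quietly discard; rejecting at SMTP time here would force the gateway to bounce
    to a possibly forged sender."""
    msg = message_from_string(message_text, policy=default)
    ip = first_external_hop(msg.get_all("Received", []), trusted)
    if ip is None:
        return {"ip": None, "listed_in": [], "action": "deliver"}
    listed = check_dnsbl(ip, zones, resolve)
    return {"ip": str(ip), "listed_in": listed, "action": "discard" if listed else "deliver"}


# Constructed offline stand-in for DNS: the placeholder zone lists 192.0.2.45 only.
FAKE_LISTINGS = {"45.2.0.192.dnsbl.example": "127.0.0.2"}


def fake_resolve(name):
    return FAKE_LISTINGS.get(name)


if __name__ == "__main__":
    print(decide(SAMPLE_MESSAGE, ["dnsbl.example"], resolve=fake_resolve))
```

Running it against the constructed message picks 192.0.2.45 (not the forged 203.0.113.9 hop below it, and not the 10.1.2.3 gateway), finds it in the placeholder zone, and returns "discard". Swap `fake_resolve` for the default `resolve_a` and real zone names to query live lists; the "reject" outcome the thread warns against is deliberately absent.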