On Saturday 27 December 2003 05:40 pm, Tabor J. Wells wrote:
> You should probably put your DNSBL lookups in the ACL that runs at
> RCPT TO time. The sample config that ships with exim has the lookups
> there. This also allows you to exempt certain addresses like your
> postmaster address so that sites in those DNSBLs can contact you.
Now that I've just spent some time studying the ACL that runs at RCPT
time, I'm beginning to understand, but I have some questions...
Here's my ACL that runs at RCPT time:
<snip>
check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.
  accept  hosts = :
  accept  domains = +local_domains
  accept  domains = +relay_domains
  accept  hosts = +relay_hosts
  accept  hosts = +auth_relay_hosts
          endpass
          message = authentication required
          authenticated = *
  deny    message = relay not permitted
</snip>
I realize that there are sometimes multiple answers to questions, and
that there's no replacement for experience, but I don't have experience
(yet), so I'm looking for ideas and perhaps "best practices".
Here are my questions...
(1) local_domains is defined as "lsearch;/etc/virtual/domains".
/etc/virtual/domains is a list of domain names hosted on the server.
Where does exim get the domain name it compares with the contents of
/etc/virtual/domains? Hopefully this isn't from something as spoofable
as the ehlo line.
(2) relay_domains is defined as "lsearch;/etc/virtual/domains : \
localhost". My concern is that in ACLs, whenever relay_domains is used
it's used on a separate line after local_domains (see example ACL
above), so I'd think it should be its own file for maximum
flexibility. I'm also not sure that localhost should follow a colon.
Shouldn't it perhaps be in the file?
(3) relay_hosts is defined as /etc/virtual/pophosts; that's fine (not a
question <smile>).
(4) auth_relay_hosts is defined as "*". What does it mean?
And now the final question...
(5) How do I just put the entire thing together with this RBL ACL stuff
(I don't want to make any mistakes as this is a working server):
<snip>
deny message = $sender_host_address is listed at $dnslist_domain - see
http:/
     dnslists = relays.ordb.org : \
                sbl.spamhaus.org : \
                bl.spamcop.net : \
                dnsbl.njabl.org : \
                cbl.abuseat.org : \
                http.dnsbl.sorbs.net : \
                socks.dnsbl.sorbs.net : \
                misc.dnsbl.sorbs.net : \
                smtp.dnsbl.sorbs.net : \
                web.dnsbl.sorbs.net : \
                spam.dnsbl.sorbs.net : \
                block.dnsbl.sorbs.net : \
                zombie.dnsbl.sorbs.net : \
                dul.dnsbl.sorbs.net : \
                rhsbl.sorbs.net
accept
</snip>
Thanks.
Jeff
--
Jeff Lasman, nobaloney.net, P. O. Box 52672, Riverside, CA 92517 US
Professional Internet Services & Support / Consulting / Colocation
Our blists address used on lists is for list email only
Phone +1 909 324-9706, or see: "http://www.nobaloney.net/contactus.html"
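
One way the RCPT ACL and the DNSBL statement from the message above could be combined, following the quoted advice about RCPT-time lookups and a postmaster exemption. This is an added example, not part of the original thread or of the Exim sample configuration; the exemptions for relay hosts and authenticated clients and the shortened list of DNSBLs are assumptions about the desired policy.

```exim
check_recipient:
  # Local (non-TCP/IP) submissions, as in the ACL from the message.
  accept  hosts         = :

  # Assumed policy: postmaster at a local domain stays reachable even
  # for hosts that are listed in a DNSBL.
  accept  local_parts   = postmaster
          domains       = +local_domains

  # DNSBL check, placed before the statement that accepts local domains
  # so that it is actually reached. Conditions are tested in order, so
  # the cheap ones come first; relay hosts and authenticated clients are
  # skipped (assumption) so listed dial-up ranges can still submit mail.
  # Subset of the lists from the message, shortened for the example.
  deny    message       = $sender_host_address is listed at $dnslist_domain
         !hosts         = +relay_hosts
         !authenticated = *
          dnslists      = sbl.spamhaus.org : \
                          bl.spamcop.net : \
                          cbl.abuseat.org

  # Remainder unchanged from the ACL in the message.
  accept  domains       = +local_domains
  accept  domains       = +relay_domains
  accept  hosts         = +relay_hosts
  accept  hosts         = +auth_relay_hosts
          endpass
          message       = authentication required
          authenticated = *
  deny    message       = relay not permitted
```

The bare `accept` that ends the DNSBL snippet is left out here: placed ahead of the relay checks, an unconditional `accept` would accept every recipient from every unlisted host.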