Re: [Exim] temporarily rejected RCPT

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Alan J. Flavell
Date:  
À: Exim users list
Nouveaux-sujets: [Exim] TNEF problems
Sujet: Re: [Exim] temporarily rejected RCPT
On Wed, 18 Feb 2004, Tim Jackson wrote:

> Hi Alexander, on Wed, 18 Feb 2004 15:54:00 +0200 you wrote:
>
> > 2004-02-17 18:33:56 H=(mywankers.com) [66.9.135.151]
> > F=<aburrell_ji@???> temporarily rejected RCPT <dm
> > ac@???>: Could not complete sender verify
> > I'm regulary getting the SPAM of this kind.
> > How can Exim be configured to generate 550 (permanent) instead of 451
> > (temporarily)?
>
> You really don't want to do that (and I'm not sure it's even possible).
> Exim will already permanently reject it if there is a permanent DNS error.


However, what is technically "temporary" could persist for months or
years.

> The situation above means there is a temporary DNS error. If you started
> permanently rejecting on the basis of temporary DNS errors, then there was
> a temporary DNS problem on your own system, or that of someone sending
> legitimate mail, you would end up permanently rejecting good mail.


Fair comment. What I've done is when I see such a long series of
temporary rejections, I apply certain plausibility checks, and decide
whether to declare the domain to be unreachable. I'll come back to
that in a moment.

By the way, this pattern of faked localpart, plausible.name_xy , has
persisted for a considerable time - that pattern is evidently churned
out by some kind of spamware, although I still don't know what it is.
On actual mails, that pattern of sender local part could well be
spam-ratable, if you're doing spam rating, although at our mailer,
such mails almost always get rejected at an earlier stage (blacklisted
IP, blacklisted HELO, etc.) or rejected on spam-rating without any
extra help.

On bounces, of course, the fake address is being presented by an
innocent (albeit misguided ;-) party, and there isn't a lot you can do
about it other than report it as invalid.

Anyhow, coming back to this "unreachable domains" idea. As I say, if
a long series of retries is noticed, with the responsible MTA failing
to respond for a prolonged period with what is technically a temporary
error, then we might put the offending domain into our "unreachable
domains" list, and the configuration uses that at two points: to check
the envelope-sender, and to check the "From:" header.

In the RCPT ACL:

          deny    sender_domains = partial-dbm;CONFIG_DIR/unreach_domains.db
             message = We are currently unable to accept mail from \
                  $sender_address_domain\n\
             because that mail domain is persistently unreachable or not\n\
             responding properly, for reasons that are outside our control.\n\
             [...etc...]


and in the DATA ACL:

  deny hosts = ! +relay_hosts
       message = We are currently unable to accept mail from \
             $h_from: \n\
             because that mail domain is persistently unreachable or not\n\
             responding properly, for reasons that are outside our control.\n\
             [...etc...]
       condition =  ${lookup {${domain:$h_from:}} \
         partial-dbm{CONFIG_DIR/unreach_domains.db}{1}{0}}



(Yeah, I don't quite know why I'm so inconsistent about which order
the clauses appear.)

hope this helps