Re: [Exim] envelope-sender blacklisting - thoughts?

Author: Edgar Lovecraft
Date:
To: Exim users list
Subject: Re: [Exim] envelope-sender blacklisting - thoughts?
Andrew - Supernews wrote:
>

..[snip]...
>
> Edgar> Just a note here, I found that ensuring there is a . <dot> at
> Edgar> the end of the string to be looked up gets rid of most
> Edgar> 'errors' that cause defer's, at least on RedHat 8 systems. I
> Edgar> cannot say that it is a fix-all for everything with dnsdb
> Edgar> lookups but it helps tremendously, you may give it a try.
>
> None of the deferral errors I've seen were in any way related to that.
> Reading the source, dnsdb lookups should be done with both RES_DEFNAMES
> and RES_DNSRCH turned off, so adding a final . should only make a
> difference if the resolver is broken.
>


Well, what kind of deferral errors are you getting? I just checked the
last 6 days' worth of log files and can find no errors from any dnsdb
lookup.

As to a broken resolver, I know of no problems with the bind version in
RH 8, not saying there is not a problem, just I do not know of any.

As to RES_xxx
RES_DEFNAMES = If set, res_search() will append the default domain name to
single component names, i.e. those that do not contain a dot.
RES_DNSRCH = If set, res_search() will search for host names in the current
domain and in parent domains. This option is used by gethostbyname(3).

Neither of the above have anything to do with appending a trailing . <dot>
i.e. host.example.com. rather than host.example.com

Here is an example of a lookup of a helo string using dnsdb trying to find
an A record, this gave an error before I appended a . <dot> to the end of
the string.

"BIG NOTE: this is just an example to show the DEFER error, not an example
    of any kind of useful acl statement!"


Add the examples to a test configuration and run exim -bh <ip> and give
this as the helo string "pop.superserver88.com", just put the examples at
the top of the helo_acl

EXAMPLE_1 <DEFER error>*:
drop condition = \
${if eq{${lookup dnsdb{a=$sender_helo_name}{$value}{}}}{yes}{1}{0}}

EXAMPLE_2 <NO DEFER error>:
drop condition = \
${if eq{${lookup dnsdb{a=$sender_helo_name\.}{$value}{}}}{yes}{1}{0}}

Please test this out and see what you get. I have not looked to debug
exactly why this makes a big difference, but it does, so I will not
speculate on the why, I found this to work and I was happy :)

*temporarily rejected EHLO or HELO pop.superserver88.com: failed to expand
ACL string "${if eq{${lookup dnsdb{a=$sender_helo_name}{$value}{}}}{yes}{1}
{0}}": lookup of "a=pop.superserver88.com" gave DEFER:

--

--EAL--
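
Added example, not part of the original message and not Exim or libresolv code: a simplified model of the order in which a BIND-style res_search() would try names when every query fails, so the effect of RES_DEFNAMES, RES_DNSRCH and a trailing dot can be compared side by side. The function name, the search list and the ndots value are assumptions made for illustration; HOSTALIASES and RES_NOTLDQUERY are not modelled.

```python
# Simplified model of BIND-style res_search() name expansion.
# Assumptions (constructed for illustration): search list, ndots=1,
# and that every query fails, so all candidates are listed in order.

def candidate_queries(name, search=("example.net", "net"), ndots=1,
                      defnames=True, dnsrch=True):
    """Return the absolute names that would be queried, in order."""
    trailing_dot = name.endswith(".")
    dots = name.count(".")
    bare = name.rstrip(".")
    tried = []
    tried_as_is = False

    # Enough dots, or an explicit trailing dot: try the name as given first.
    if dots >= ndots or trailing_dot:
        tried.append(bare + ".")
        if trailing_dot:
            return tried          # absolute name: search list never consulted
        tried_as_is = True

    # Search-list expansion: single-label names need RES_DEFNAMES,
    # dotted names without a trailing dot need RES_DNSRCH.
    if (dots == 0 and defnames) or (dots > 0 and dnsrch):
        for domain in search:
            tried.append(f"{bare}.{domain}.")
            if not dnsrch:
                break             # RES_DEFNAMES alone: default domain only

    # Fall back to the name as given if it has not been tried yet.
    if not tried_as_is:
        tried.append(bare + ".")
    return tried


if __name__ == "__main__":
    helo = "pop.superserver88.com"   # HELO string from the message above
    for flags in ({"defnames": True, "dnsrch": True},
                  {"defnames": False, "dnsrch": False}):
        for n in (helo, helo + "."):
            print(flags, repr(n), "->", candidate_queries(n, **flags))
```

To see what a particular Exim build actually sends, compare the model's output with the lookup lines in the debug output of exim -d -bh <ip>.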