On Thu, 2004-04-29 at 17:12 +0100, Andy Saunders wrote:
> On Thu, 29 Apr 2004 at 12:14 +0100, Alan J. Flavell wrote:
> > It sort-of gives the site an opportunity to fix the problem, doesn't
> > it?
>
> That was the reasoning behind choosing 'defer'. Malware will probably
> not retry, and legitimate senders have a chance to fix their server in
> order to get their mail through.
>
> The acl has been live for around 8 weeks and rejects over one million
> recipients per week. During this time, only two senders (that I know
> of) have had trouble, and in both cases the sender has fixed his/her
> server. Two trouble tickets against 8 million worms/spams seems a fair
> trade to me.
the question is which is more useful for the user: an immediate error
message, or a message some hours later about the e-mail being delayed
for some obscure reason? I actually tend to think the former.
your one million number is probably slightly inflated since it counts
every attempt at delivery. we do outright rejection, and reject half a
million per week due to either missing or syntactically incorrect
HELO/EHLO (roughly 10% of our volume).
we've had quite a few cases of Exchange admins having to fix their
server's hostname, probably a couple every week. I think everyone who's
been in touch with us have chosen to comply with standards so that they
can communicate with us and others.
we tried to reject e-mail where $sender_helo_name didn't resolve (unless
given as a bracketed IP address). this was a disaster, and we reverted
the change after an hour or two. lots and lots of servers are using
internal names which are invalid on the Internet at large. I recommend
you don't repeat our mistake -- it is, of course, not allowed to do such
rejection according to the RFC.
this is what our ACL looks like (in rcpt, after postmaster is accepted):
deny hosts = ! +relay_from_hosts : *
message = \
Improper HELO/EHLO: "$sender_helo_name"\n\
The HELO/EHLO argument must either be the fully qualified\n\
name of the sending host, or its IP address (in square brackets).\n\
See http://www.usit.uio.no/it/epost/system/ for more information.
condition = ${if or {\
# Sending host claims to be this host's name.
{eq {$sender_helo_name}{smtp.uio.no}}\
# Sending host claims to have this host's IP address.
{eq {$sender_helo_name}{129.240.10.9}}\
{eq {$sender_helo_name}{[129.240.10.9]}}\
# Helo argument isn't fully qualified.
{!match {$sender_helo_name}{\\.}}\
}{yes}{no}}
I intend to change the hardcoded check for smtp.uio.no and IP into a
check for all our host names, domain names and IP addresses. note that
we accept IP addresses without brackets, I should change that, too.
another misfeature of this ACL is that the same error text is given when
no HELO/EHLO was presented ($sender_helo_name == ""), which can be quite
confusing for the remote postmaster, or even first level support here.
--
Kjetil T. (one of the postmasters at University of Oslo, Norway)
