Re: AW: [exim] support for domainkeys

Página Inicial
Delete this message
Reply to this message
Autor: Tony Finch
Data:  
Para: Steffen Heil
CC: exim-users
Assunto: Re: AW: [exim] support for domainkeys
On Fri, 24 Sep 2004, Steffen Heil wrote:
>
> First, could you post those parts of your configuration file?


See below.

> Exspecially, I am interested in:
> - What is RBL+ ?


The first anti-spam DNS blacklist, started in 1996.

> - How secure is callback verification ?


Pretty good. We have to maintain a whitelist of legitimate but
misconfigured senders who would fail the callout test. We use the
dsn.rfc-ignorant.org blacklist as a whitelist to do most of the work for
us. Our local whitelist currently has fewer than 20 entries; it was over
30 before we started using rfc-ignorant.

> - What is pump-and-dump protection ?


By default Exim checks that sending sites are obeying the SMTP PIPELINING
specification, which protects against crappy spamware and open proxies
which just spew a load of SMTP at the server without waiting for the
responses to the commands.

> Second, what is BATV? Can you post some URL?


BATV is a scheme for identifying legitimate bounces so that back-scatter
from forged spam can be rejected.

http://www.ietf.org/internet-drafts/draft-levine-mass-batv-00.txt

Tony.
--
f.a.n.finch <dot@???> http://dotat.at/
RATTRAY HEAD TO BERWICK ON TWEED: NORTHWEST 4 OR 5, OCCASIONALLY 6 TO GALE 8
AROUND RATTRAY HEAD, DECREASING MAINLY 4 DURING DAY, THEN BACKING SOUTHWEST IN
EVENING. SHOWERS, OCCASIONAL RAIN LATER. GOOD, OCCASIONALLY MODERATE LATER.
MODERATE OR ROUGH, LOCALLY VERY ROUGH IN NORTHEAST DECREASING MODERATE OR
ROUGH.



# We accept email only for domains that we know about.

  require  message       = Relaying is not permitted
           domains       = +our_domains


# Check the HELO domain. We don't use the full strictness of verify=helo;
# if it fails we only check for a few choice stupidities.

  deny     message       = Please use your name when saying HELO (not $sender_helo_name)
          !verify        = helo
           condition     = ${if or{ \
                         { eq{$acl_c1}{bad} } \
                         { isip{$sender_helo_name} } \
                         { eq{$sender_helo_name}{$local_part} } \
                         { match_domain{$sender_helo_name}{+our_domains} } \
                                  } {yes} {no} }
           set acl_c1    = bad


# Do some anti-spam checking.

  deny     message       = ${sender_address_domain} is listed at ${dnslist_domain}; \
                           ${dnslist_text}
           dnslists      = nomail.rhsbl.sorbs.net/$sender_address_domain


  deny     message       = ${sender_host_address} is listed at ${dnslist_domain} ($dnslist_value); \
                           See ${dnslist_text}
           dnslists      = sbl-xbl.spamhaus.org


  deny     message       = ${sender_host_address} is listed at ${dnslist_domain} ($dnslist_value); \
                           See http://mail-abuse.com/cgi-bin/lookup?${sender_host_address}
           dnslists      = rbl-plus.mail-abuse.ja.net


# All addresses must be valid, more or less.

  require  verify        = sender


  require  message       = ${acl_verify_message}\n\
                           See http://www.cam.ac.uk/cs/email/bounce.html
           verify        = recipient/callout=defer_ok,use_sender


# Only do sender callouts if the recipient is valid and if the sender
# is not known to be incompetent according to any of the preliminary
# ACL conditions.

  deny    !senders       = cdb*@;DB/nocallout.cdb
          !dnslists      = dsn.rfc-ignorant.org/$sender_address_domain
          !verify        = sender/callout=3m