On Wed, 15 Dec 2004, Mark Hynes wrote:
>
> It's very useful, but not always cheap and can be open to obvious
> misinterpretation - it's cheap until someone attempts a dictionary attack
> or similar against you from, say, aol.com addresses, you hit AOL with an
> equivalent attack of callouts which looks like the same sort of wrong-doing
> and your calling-out address (or more) gets blocked.
You can avoid this by ordering your ACL sensibly. Sender callback
verification is almost the last thing in our RCPT ACL.
acl_rcpt_mx:

  # This service is only available on port 25.
  require
    message   = No SMTP service for unauthorized users
    condition = PORT25

  # Make it easy to get help
  accept
    domains     = +our_domains
    local_parts = +postmasterish

  # We accept email only for domains that we know about.
  # This check is cheap so we do it early to save time.
  require
    message = Relaying is not permitted
    domains = +our_domains

  # Do some anti-spam checking for non-friendly machines.
  deny
    ! hosts = +relay_hosts
    ! acl   = aux_check_spam

  # For friendly machines, just check the sender domain.
  deny
    hosts    = +relay_hosts
    ! verify = sender

  # All recipient addresses must be valid, more or less.
  require
    message = ${acl_verify_message}\n\
              See http://www.cam.ac.uk/cs/email/bounce.html
    verify  = recipient/callout=use_sender,defer_ok

  # Do more thorough sender address checks. We do this after verifying the
  # recipient address to reduce the number of sender callouts.
  require
    acl = aux_verify_sender

  # Don't accept email if we are too busy. We keep this check at the end
  # of the ACLs and ensure we do it only once because it can be expensive.
  defer
    message   = Sorry, too busy. Try again later.
    condition = ${if or{{ eq{$acl_c2}{busy} } \
                        { <{300}{${run {/opt/exim/sbin/exim_incount} }} }} }
    set acl_c2 = busy

  # Every check has been passed.
  accept
Tony.
--
<fanf@???> <dot@???>
http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
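The ordering argument in the post above (cheap relay and recipient checks first, sender callouts only for mail that has survived them) can be seen quantitatively with a small model. The following Python is an added illustration, not Exim code and not part of the thread: it replays a constructed set of RCPT attempts through two ACL orderings and counts how many outbound sender callouts each ordering would generate. The domain, recipient list and attack traffic are all made up for the example.

```python
"""Model of RCPT-ACL ordering and sender-callout amplification.

Constructed example, not Exim code. Each RcptAttempt stands for one
RCPT TO during an inbound SMTP session; the two orderings below differ
only in whether the sender callout happens before or after the local
recipient check.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class RcptAttempt:
    sender: str      # envelope sender claimed by the remote host
    recipient: str   # RCPT TO address being attempted


# Constructed site data (hypothetical domain and user list).
OUR_DOMAINS = {"example.org"}
KNOWN_RECIPIENTS = {"postmaster@example.org", "alice@example.org"}

# Constructed traffic: a dictionary attack guessing 50 local parts at our
# domain with forged senders at a large provider, one relay attempt for a
# foreign domain, and one message for a real user.
ATTACK = (
    [RcptAttempt(f"user{i}@aol.example", f"guess{i}@example.org") for i in range(50)]
    + [RcptAttempt("user99@aol.example", "victim@elsewhere.example")]
    + [RcptAttempt("bob@aol.example", "alice@example.org")]
)


def run_acl(attempts, callout_before_rcpt_check):
    """Return (sender_callouts, accepted) for the given ordering.

    The relay check is always first because it is cheap and needs no
    network traffic. With callout_before_rcpt_check=False the recipient
    must already be valid before we spend a callout on its sender, which
    is the ordering the post recommends.
    """
    callouts = 0
    accepted = 0
    for a in attempts:
        domain = a.recipient.rsplit("@", 1)[1]
        if domain not in OUR_DOMAINS:
            continue                      # "Relaying is not permitted"
        if callout_before_rcpt_check:
            callouts += 1                 # callout to the claimed sender's MX
            if a.recipient not in KNOWN_RECIPIENTS:
                continue                  # rejected, but the callout was already sent
        else:
            if a.recipient not in KNOWN_RECIPIENTS:
                continue                  # cheap local lookup, no callout
            callouts += 1                 # only surviving recipients cost a callout
        accepted += 1
    return callouts, accepted


if __name__ == "__main__":
    print("callout first :", run_acl(ATTACK, callout_before_rcpt_check=True))
    print("recipient first:", run_acl(ATTACK, callout_before_rcpt_check=False))
```

With the callout placed before recipient verification, every guessed local part at our domain costs a connection to the forged sender's provider, which is exactly the pattern that gets the calling-out host blocked; with the recipient check first, only the one deliverable message triggers a callout. Real Exim also caches callout results per sender, which this model ignores.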