Hi folks,
I think I need some help with my ACLs. The system is Exim 4.42 running on
Linux FC1. Recently I upgraded the ACLs to be stronger, and I have encountered
some badly behaved hosts (I think) which I have to work around for the moment.
The reject logs include:
2005-01-18 22:51:21 H=(gatekeeper36.totaljobsmail.co.uk) [193.128.115.36]
F=<cwjobs@???> rejected RCPT <ruth@???>: host lookup
failed (193.128.115.36 does not match any IP address for gatekeeper36.totaljobsmail.co.uk)
My RCPT ACL includes a possibility for noverify hosts - i.e. those hosts I
want but which would otherwise fail - by text lookup in a file noverify-hosts, and I
thought this would do it.
The rcpt ACL looks like this: [ If in passing folks have comments on the ACL
in general I am happy to listen :-) ]
---------------------------------------------------------
acl_check_rcpt:

  # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
  # testing for an empty sending host field.
  accept  hosts = : +relay_from_hosts

  # Deny if the sender is <> and there are more than 1 recipients
  deny    senders   = :
          message   = Invalid use of null sender
          condition = ${if > {$rcpt_count} {1} {1} }

  # Deny if the local part contains @ or % or / or | or !. These are rarely
  # found in genuine local parts, but are often tried by people looking to
  # circumvent relaying restrictions.
  deny    message     = Invalid local part in address
          local_parts = ^.*[@%!/|]
          delay       = 30s

  # Accept mail to postmaster in any local domain, regardless of the source,
  # and without verifying the sender.
  accept  local_parts = postmaster
          domains     = +local_domains

  # Accept if the message arrived over an authenticated connection, from
  # any host. Again, these messages are usually from MUAs, so recipient
  # verification is omitted.
  accept  authenticated = *

  # Accept, without further verification, from hosts listed in the noverify file.
  accept  hosts = /etc/exim/noverify_hosts

  # If reverse DNS lookup of the sender's host fails (i.e. there is
  # no rDNS entry, or a forward lookup of the resulting name does not
  # match the original IP address), then reject the message.
  #
  #deny   message = reverse DNS lookup failed for host $sender_host_address.
  #       !verify = reverse_host_lookup

  # Deny unless the sender address can be verified.
  deny    message = <$sender_address> does not appear to be a valid sender.
          !verify = sender/callout=20s,defer_ok

  # Accept if the address is in a local domain, but only if the recipient can
  # be verified. Otherwise deny. The "endpass" line is the border between
  # passing on to the next ACL statement (if tests above it fail) or denying
  # access (if tests below it fail).
  accept  domains = +local_domains
          endpass
          message = unknown user
          verify  = recipient/callout=20s,defer_ok

  # Accept if the address is in a domain for which we are relaying, but again,
  # only if the recipient can be verified.
  accept  domains = +relay_to_domains
          endpass
          message = unable to route address
          verify  = recipient/callout=20s,defer_ok

  # If control reaches this point, the domain is neither in +local_domains
  # nor in +relay_to_domains.
  deny    message = mail not permitted
          hosts   = /etc/exim/exim-spam-hosts
          delay   = 20s

  # Reaching the end of the ACL causes a "deny", but we might as well give
  # an explicit message.
  deny    message = Relay not permitted
          delay   = 20s
-----------------------------------------------------------------
and the file noverify-hosts includes the lines:
#Totaljobs
*.totaljobs.co.uk
*.totaljobsmail.co.uk
-----------------------------------------------------------------
Hoping you can help...
Thanks
--
Ruth Ivimey-Cook
Software engineer and technical writer.
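The rejection in the log above is a forward-confirmed reverse DNS failure: the PTR name for the IP exists, but the forward (A) lookup of that name does not yield the connecting IP, so the name cannot be trusted. The following is an added illustration of that check and of why a host list made of name patterns (like the `*.totaljobsmail.co.uk` entries) depends on it; it is example code written for this thread, not code from the original post or from Exim. It uses constructed in-memory PTR and A tables (not real DNS data) so it runs offline, and its rule that a name pattern can only match a verified name is the example's own simplified model of hostname-based host lists.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check and a minimal host-list
matcher, using constructed lookup tables instead of live DNS (added example)."""

import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed PTR and A records (hypothetical hosts, not real DNS data).
PTR_RECORDS: Dict[str, List[str]] = {
    "192.0.2.10": ["mx1.example.net"],       # forward lookup confirms this name
    "192.0.2.20": ["gateway.example.org"],   # forward lookup points elsewhere
    "192.0.2.30": [],                        # no reverse DNS at all
}
A_RECORDS: Dict[str, List[str]] = {
    "mx1.example.net": ["192.0.2.10"],
    "gateway.example.org": ["198.51.100.5"],
}


@dataclass
class HostLookup:
    ip: str
    verified_name: Optional[str]   # set only when PTR and A records agree
    reason: str


def lookup_host(ip: str, ptr=PTR_RECORDS, a=A_RECORDS) -> HostLookup:
    """Resolve ip -> names via PTR, then confirm each name resolves back to ip."""
    names = ptr.get(ip, [])
    if not names:
        return HostLookup(ip, None, f"no reverse DNS entry for {ip}")
    for name in names:
        if ip in a.get(name, []):
            return HostLookup(ip, name, "verified")
    # Same situation as the log line in the post: a name exists but does
    # not forward-resolve to the connecting address.
    return HostLookup(ip, None, f"{ip} does not match any IP address for {names[0]}")


def host_matches(ip: str, patterns: List[str]) -> bool:
    """Match a connecting IP against a host list in the style of the noverify file.

    Address or CIDR entries match on the IP alone.  Name patterns are only
    compared against a *verified* name: if FCrDNS fails, no name pattern can
    match, which is the example's simplified model of name-based host lists.
    """
    result = lookup_host(ip)
    addr = ipaddress.ip_address(ip)
    for raw in patterns:
        pat = raw.strip()
        if not pat or pat.startswith("#"):      # blank lines and comments
            continue
        try:
            if addr in ipaddress.ip_network(pat, strict=False):
                return True
            continue
        except ValueError:
            pass                                 # not an address/CIDR: treat as name
        if result.verified_name is not None and fnmatch.fnmatchcase(
            result.verified_name.lower(), pat.lower()
        ):
            return True
    return False


if __name__ == "__main__":
    noverify = ["#Constructed list", "*.example.net", "*.example.org", "192.0.2.0/28"]
    for ip in PTR_RECORDS:
        r = lookup_host(ip)
        print(f"{ip:12} name={r.verified_name!s:20} matches={host_matches(ip, noverify)}  ({r.reason})")
```

Running it shows the second host failing to match `*.example.org` even though its PTR name fits the pattern, while a CIDR entry matches it regardless; that is the distinction to keep in mind when deciding whether a whitelist should list names or addresses.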