RE: [exim] Rejecting on Connect

Author: Eli
To: 'Marc Perkel', exim-users
Subject: RE: [exim] Rejecting on Connect
Marc wrote:
> Looking for more safe ways to reject on connect. Here's what
> I'm doing now:

...
> recipient ...................
>
> drop    message = Legitimate bounces are never sent to more than one recipient.
>         senders = : postmaster@*
>         condition = ${if >{$recipients_count}{1}{true}{false}}
This is no good - I send email to postmaster@* and abuse@* and others when
reporting spam to people. I never trust that sending to just the listed
address from ARIN (et al) and usually tack on other "common" email addresses
to report these problems to ensure I get some attention.

Blocking on multiple recipients when sending to postmaster@* is going to
prevent that. You should reject if ONLY the sender is <> - The sender
should always be <> if sending a bounceback.

> # Deny if too many failed recipients
>
> drop    message = REJECTED - Too many failed recipients - count = $rcpt_fail_count
>         log_message = REJECTED - Too many failed recipients - count = $rcpt_fail_count
>         condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
>         condition = ${run{/etc/exim/scripts/log-file /var/spool/spam/host-spam.txt $sender_host_address}{yes}{yes}}
>         !verify = recipient/callout=2m,defer_ok,use_sender
As another has stated - this could cause issues with mailing lists if many
of your users all subscribe and the list has some dead addresses.

You could use this however, if you added a check for a "Precedence: list"
header, and I think there's also a few other values for the Precedence:
header you can check for (forget what they are). However, by now limiting
yourself to checking a header, you obviously can't reject at RCPT time.
Also, another optimization you could make: with all the ACLs that you have
set checking dnslists and then basing rejects off no reverse DNS, etc., you
should instead make one general ACL deny statement which lists your
dnslists (they seem to be all the same), then use "acl =" to call off to
individual ACL sections that contain only the differing messages and other
conditions. You'd save some space in your config file and greatly reduce
redundant data, which means if you wanted to change your dnslists, you need
only change it in one place.

Eli.
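The three suggestions in the message above (test only the null sender for the multi-recipient bounce rule, move the failed-recipient check to DATA time so a Precedence: header can exempt list mail, and hold the shared dnslists in one statement with the differing conditions in nested ACLs) written out as Exim ACL fragments. This is an added example, not configuration from Eli's or Marc's messages or from the Exim distribution. The dnslist names `rbl1.example` and `rbl2.example` are placeholders, the nested ACL name `acl_rbl_detail` and the `$acl_m_reason` variable are assumed names (named acl_m variables need Exim 4.64 or later), the threshold of 3 is taken from Marc's quoted rule, and `list`, `bulk` and `junk` are the conventional Precedence: values.

```exim
# --- RCPT-time ACL -------------------------------------------------------
acl_check_rcpt:

  # A genuine bounce has the null sender (<>) and exactly one recipient.
  # Only the sender is tested, so a person writing from a normal address
  # to both postmaster@ and abuse@ of the same domain is unaffected.
  deny    senders   = :
          condition = ${if >{$recipients_count}{1}{yes}{no}}
          message   = Legitimate bounces are never sent to more than one recipient.

  # One statement carries the shared dnslists (placeholder names). The
  # per-case extra conditions and their reject texts live in a nested ACL,
  # which records the reason in the assumed variable $acl_m_reason.
  deny    dnslists  = rbl1.example : rbl2.example
          acl       = acl_rbl_detail
          message   = $acl_m_reason

# Nested ACL: "accept" means "the outer deny applies"; a fall-through to
# the final bare deny means the listing alone is not enough to reject.
acl_rbl_detail:

  # Listed AND no reverse DNS for the connecting host
  accept  !verify          = reverse_host_lookup
          set acl_m_reason = REJECTED - listed in $dnslist_domain and no reverse DNS

  # Listed AND the HELO/EHLO name does not verify
  accept  !verify          = helo
          set acl_m_reason = REJECTED - listed in $dnslist_domain and HELO does not verify

  deny

# --- DATA-time ACL -------------------------------------------------------
acl_check_data:

  # The failed-recipient count cannot be combined with a header check at
  # RCPT time, because no headers exist yet. At DATA time, list traffic
  # (Precedence: list, bulk or junk) is exempted so that a list with a few
  # dead subscriber addresses is not rejected wholesale.
  deny    condition  = ${if >{$rcpt_fail_count}{3}{yes}{no}}
          !condition = ${if match{$h_precedence:}{\N(?i)^\s*(list|bulk|junk)\s*$\N}{yes}{no}}
          message    = REJECTED - Too many failed recipients - count = $rcpt_fail_count
```

The nested ACL only ever sets a variable and returns accept or deny; the outer statement owns the reject itself, so the shared dnslists and the shared verb are written once and the list names need changing in one place only.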