Re: [exim] Sender callouts

Author: Ian FREISLICH
Date:  
To: exim-users
CC: Mark Smith, Ian Eiloart
Subject: Re: [exim] Sender callouts
Tony Finch wrote:
> On Mon, 4 Apr 2005, Ian Eiloart wrote:
> >
> > Can you add their domain to my skip list, too, please? ;^)
>
> They aren't sufficiently broken to go in dsn.rfc-ignorant.org, since they
> don't block null senders for all their addresses.


For the moment I've turned off sender callouts, but retained sender
verification until I have a chance to work on it. There are several
problems that I've encountered:
1. The RFC ignorant. This includes 5xx on MAIL FROM:<>, sometimes
they respond the same at RCPT time.
2. People that drop the connection on failed RCPT.
3. People that greylist <> at RCPT time, not just before DATA or
at DATA time. This is more of a niggle though.

I plan to do something like this:

  warn     set acl_m0    = no
           condition    = USE_SENDER_VERIFY_CALLBACK
           set acl_m0    = yes
           sender_domains= lsearch;/etc/exim/whitelist.sender_domain
           hosts    = +our_nets
           dnslists    = dsn.rfc-ignorant.org/$sender_address_domain
           set acl_m0    = no
  warn     condition    = ${if eq{$acl_m0}{yes} {yes}{no}}
           set acl_m0    = no
          !verify    = sender/callout=50s,defer_ok
           set acl_m0    = maybe_rfc_ignorant
  warn     condition    = ${if eq{$acl_m0}{maybe_rfc_ignorant} {yes}{no}}
           message    = RFC ignorant host?
           set acl_m0    = yes
           verify    = sender/callout=50s,defer_ok,use_sender
           set acl_m0    = no
  deny     message    = Sender verification callout failed.
           condition    = $acl_m0


I use acl_m0 as a temporary variable for adjacent ACL blocks.
USE_SENDER_VERIFY_CALLBACK is a configuration knob that is set to
yes or no to turn this feature on or off. This should exclude hosts
and domains in the whitelist and that are known to be RFC ignorant.
If the <> callout fails, try the sender. If the sender works, then
the host is RFC ignorant and log it.

I should point out that this ACL fragment is untested and I'm not
sure what the side effects of these timeouts will be.

Ian

--
Ian Freislich
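
Added example, not part of the message above and not Exim code: a small Python model of how acl_m0 moves through the four ACL statements, given the usual Exim rule that modifiers and conditions in one statement run in order and the statement stops at the first condition that does not match. The function and parameter names are hypothetical, and the outcome of each verify condition ("ok", "fail", "defer") is a constructed input rather than something the model derives from SMTP traffic.

```python
# Added illustration: traces acl_m0 through the four statements of the fragment.
# Verify outcomes are constructed inputs: "ok", "fail" (5xx) or "defer"
# (4xx or timeout). Names below are hypothetical, not Exim identifiers.

def callout_passes(result):
    # With defer_ok, a callout that defers is treated as a pass.
    return result in ("ok", "defer")

def evaluate(enabled, whitelisted, our_net, in_dnsbl, first_verify, second_verify):
    """Return (action, warn_messages) once the deny statement is reached."""
    messages = []

    # warn 1: the final "set acl_m0 = no" is reached only when the
    # sender_domains, hosts and dnslists conditions all match together.
    m0 = "no"
    if enabled:                                   # USE_SENDER_VERIFY_CALLBACK
        m0 = "yes"
        if whitelisted and our_net and in_dnsbl:
            m0 = "no"

    # warn 2: !verify = sender/callout=50s,defer_ok
    if m0 == "yes":
        m0 = "no"
        if not callout_passes(first_verify):
            m0 = "maybe_rfc_ignorant"

    # warn 3: the second verify, written with use_sender in the fragment.
    if m0 == "maybe_rfc_ignorant":
        m0 = "yes"
        if callout_passes(second_verify):
            m0 = "no"
            messages.append("RFC ignorant host?")  # all conditions matched

    # deny: condition = $acl_m0
    return ("deny" if m0 == "yes" else "continue", messages)

if __name__ == "__main__":
    # Constructed cases: (enabled, whitelisted, our_net, in_dnsbl, first, second)
    for case in [(True, False, False, False, "fail", "ok"),
                 (True, False, False, False, "defer", "fail"),
                 (True, True, False, False, "fail", "fail")]:
        print(case, "->", evaluate(*case))
```

The third constructed case is the one to check before deploying such a fragment: a whitelisted sender domain alone does not skip the callout, because the three exclusion conditions share one statement.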