Re: [exim] Sender callouts

Página Inicial
Delete this message
Reply to this message
Autor: Ian FREISLICH
Data:  
Para: exim-users
CC: Mark Smith, Ian Eiloart
Assunto: Re: [exim] Sender callouts
Tony Finch wrote:
> On Mon, 4 Apr 2005, Ian Eiloart wrote:
> >
> > Can you add their domain to my skip list, too, please? ;^)
>
> They aren't sufficiently broken to go in dsn.rfc-ognorant.org, since they
> don't block null senders for all their addresses.


For the moment I've turned off sender callouts, but retained sender
verification until I have a chance to work on it. There are several
problem that I've encountered:
1. The RFC ignorant. This includes 5xx on MAIL FROM:<>, sometimes
they respand the same at RCPT time.
2. People that drop the connection on failed RCPT.
3. People that greylist <> at RCPT time, not just before DATA or
at DATA time. This is more of a niggle though.

I plan to do something like this:

  warn     set acl_m0    = no
           condition    = USE_SENDER_VERIFY_CALLBACK
           set acl_m0    = yes
           sender_domains= lsearch;/etc/exim/whitelist.sender_domain
           hosts    = +our_nets
           dnslists    = dsn.rfc-ignorant.org/$sender_address_domain
           set acl_m0    = no
  warn     condition    = ${if eq{$acl_m0}{yes} {yes}{no}}
           set acl_m0    = no
          !verify    = sender/callout=50s,defer_ok
           set acl_m0    = maybe_rfc_ignorant
  warn     condition    = ${if eq{$acl_m0}{maybe_rfc_ignorant} {yes}{no}}
           message    = RFC ignorant host?
           set acl_m0    = yes
           verify    = sender/callout=50s,defer_ok,use_sender
           set acl_m0    = no
  deny     message    = Sender verification callout faied.
           condition    = $acl_m0


I use acl_m0 as a temporary variable for adjacent ACL blocks.
USE_SENDER_VERIFY_CALLBACK is a configuration knob that is set to
yes or no to turn this feature on ar off. This should exclude hosts
and domains in the whitelist and that are known to be RFC ignorant.
If the <> callout fails, try the sender. If the sender works, then
the host is RFC ignorant and log it.

I should point out that this ACL fragment is untested and I'm not
sure what the side effects of these timeouts will be.

Ian

--
Ian Freislich