Re: [exim] Sender callouts

Author: Ian FREISLICH
Date:  
CC: exim-users, Mark Smith, Ian Eiloart
New-Topics: Re: [exim] Sender callouts [PATCH]
Subject: Re: [exim] Sender callouts
Ian FREISLICH wrote:
> > On Mon, 4 Apr 2005, Ian Eiloart wrote:
> > >
> > > Can you add their domain to my skip list, too, please? ;^)
> >
> > They aren't sufficiently broken to go in dsn.rfc-ignorant.org, since they
> > don't block null senders for all their addresses.
>
> For the moment I've turned off sender callouts, but retained sender
> verification until I have a chance to work on it.  There are several
> problems that I've encountered:
> 1. The RFC ignorant.  This includes 5xx on MAIL FROM:<>, sometimes
>    they respond the same at RCPT time.
> 2. People that drop the connection on failed RCPT.
> 3. People that greylist <> at RCPT time, not just before DATA or
>    at DATA time. This is more of a niggle though.
>
> I plan to do something like this:
>
>   warn     set acl_m0    = no
>            condition    = USE_SENDER_VERIFY_CALLBACK
>            set acl_m0    = yes
>            sender_domains= lsearch;/etc/exim/whitelist.sender_domain
>            hosts    = +our_nets
>            dnslists    = dsn.rfc-ignorant.org/$sender_address_domain
>            set acl_m0    = no
>   warn     condition    = ${if eq{$acl_m0}{yes} {yes}{no}}
>            set acl_m0    = no
>           !verify    = sender/callout=50s,defer_ok
>            set acl_m0    = maybe_rfc_ignorant
>   warn     condition    = ${if eq{$acl_m0}{maybe_rfc_ignorant} {yes}{no}}
>            message    = RFC ignorant host?
>            set acl_m0    = yes
>            verify    = sender/callout=50s,defer_ok,use_sender
>            set acl_m0    = no
>   deny     message    = Sender verification callout failed.
>            condition    = $acl_m0
>
> I use acl_m0 as a temporary variable for adjacent ACL blocks.
> USE_SENDER_VERIFY_CALLBACK is a configuration knob that is set to
> yes or no to turn this feature on or off. This should exclude hosts
> and domains in the whitelist and that are known to be RFC ignorant.
> If the <> callout fails, try the sender. If the sender works, then
> the host is RFC ignorant and log it.
>
> I should point out that this ACL fragment is untested and I'm not
> sure what the side effects of these timeouts will be.


Well, it seems after checking that this is impossible to do. You
cannot set the MAIL FROM for verify=sender/callout which is a bummer.
Can this be added to the wishlist? It will be very helpful in finding, logging and excluding RFC ignorant sites as above.

Ian

--
Ian Freislich
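
The fallback described in the message (null-sender callout first, a retry with the real sender if that fails, and logging the host as RFC ignorant when only the retry works), as an added example that is not part of the original post and is not Exim code. The transcripts are constructed, and treating a dropped connection at RCPT as a refusal and any 4xx as a defer are assumptions of this sketch.

```python
from enum import Enum

class Verdict(Enum):
    ACCEPT = "accept"              # <> callout succeeded
    RFC_IGNORANT = "rfc_ignorant"  # refuses <> but accepts a real sender: accept and log
    REJECT = "reject"              # refused under both envelope senders
    DEFER = "defer"                # temporary failure (the ACL uses defer_ok)

def probe_outcome(transcript):
    """Reduce one callout to 'ok', 'fail' or 'defer'.
    transcript: ordered (command, reply_code) pairs; None = connection dropped."""
    for command, code in transcript:
        if code is None:
            # Assumption: a drop right after RCPT is a refusal (problem 2 in the post)
            return "fail" if command.startswith("RCPT") else "defer"
        if 400 <= code < 500:
            return "defer"         # e.g. greylisting <> at RCPT time (problem 3)
        if code >= 500:
            return "fail"          # e.g. 5xx on MAIL FROM:<> (problem 1)
    return "ok"

def classify(null_probe, sender_probe):
    """Null-sender callout first; retry with a real sender only if it fails."""
    first = probe_outcome(null_probe)
    if first != "fail":
        return Verdict.ACCEPT if first == "ok" else Verdict.DEFER
    second = probe_outcome(sender_probe)
    if second == "ok":
        return Verdict.RFC_IGNORANT
    return Verdict.DEFER if second == "defer" else Verdict.REJECT

# Constructed transcripts (not captured traffic); addresses are placeholders.
RCPT = "RCPT TO:<user@example.org>"
REAL = "MAIL FROM:<postmaster@example.net>"
SAMPLES = {
    "compliant": ([("MAIL FROM:<>", 250), (RCPT, 250)], []),
    "rfc_ignorant": ([("MAIL FROM:<>", 550)], [(REAL, 250), (RCPT, 250)]),
    "no_such_user": ([("MAIL FROM:<>", 250), (RCPT, 550)], [(REAL, 250), (RCPT, 550)]),
    "drops_on_rcpt": ([("MAIL FROM:<>", 250), (RCPT, None)], [(REAL, 250), (RCPT, None)]),
    "greylists_null": ([("MAIL FROM:<>", 250), (RCPT, 451)], []),
}

def run_samples():
    return {name: classify(n, s) for name, (n, s) in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:15} {verdict.value}")
```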