Re: Re[2]: [exim] Whitelisting for rDNS-check

Author: user therion
Date:
To: Exim Users
Subject: Re: Re[2]: [exim] Whitelisting for rDNS-check
Ok,
I hope I understood it correctly. Here are the relevant
parts (I hope) of my config:

#MAIN
hostlist relay_from_hosts = 127.0.0.1 : 192.168.4.0/24 : 192.168.10.0/24
hostlist friends_with_broken_mx = /etc/exim/friends_with_broken_mx
...
helo_try_verify_hosts = *
...
#ACL
acl_check_rcpt:
accept hosts = :
# Deny hosts without rDNS / only mark the message, deny later
# via exim.filter file!

warn message = Broken Reverse DNS - no host name found for IP address $sender_host_address
     !verify = reverse_host_lookup
     condition =
     hosts = !+relay_from_hosts : !lsearch;/etc/exim/friends_with_broken_mx
#---------------------
accept  hosts         = +relay_from_hosts

accept  domains       = +local_domains
          endpass
          verify        = recipient
....
##########################################################


Is it correct or do you have any suggestions?

Another syntax question: what's the difference between
these two configs, are they identical?

1)
hostlist friends_with_broken_mx = /etc/exim/friends_with_broken_mx
#in ACL
hosts = !lsearch;/etc/exim/friends_with_broken_mx

2)
hostlist friends_with_broken_mx = lsearch;/etc/exim/friends_with_broken_mx
#in ACL
!hosts = /etc/exim/friends_with_broken_mx


Thanks for your help
-----------------------------------------------------------------------
On 15 Dec 2005, at 09:28, Коваленко Иван wrote:

> Yeah, that's it.
>


I wouldn't say so:

> But for your goals it can be more suitable to use it in hostlist.
> ut> hello,
> ut> you mean this?!
>
>
> ut> ###############################
> ut> acl_check_rcpt
> ut> # Deny Hosts without reverse DNS
> ut> warn message = Broken Reverse DNS - no host name
> ut>      found for IP address $sender_host_address
> ut>      hosts = !+relay_from_hosts
> ut>      !verify = reverse_host_lookup



this does not do what it says, that is, it does not
deny.

> ut>      accept condition =
> ut> ${lookup{$sender_address}lsearch{/etc/exim/friends_with_broken_mx}{1}{}}
> ut> ################################
>


and if this one ends here, it might make your server a
partially open relay. Unless your
friends_with_broken_mx are also hosts you want to
relay from, it is missing two things:

domains = +local_domains
verify = recipient

but this is better accomplished by adding it as a
negative condition to the corresponding deny rule.
Leave the accept alone and instead have

deny    message = Broken Reverse DNS - no host name
        condition =
        hosts = !lsearch;/etc/exim/friends_with_broken_mx
        [the broken rDNS check]


(not checked!)

Also, if a "friend" has got a badly configured mx, I
would want to check that it cannot also be a source
of virus, relay or not relay.

Oh, your MUA seems to be setting the wrong encoding
for your name, it is
?ISO-8859-1?B?yu7i4Ovl7eruIMji4O0=?=, but I presume it
should be ISO-8859-5.

Giuliano
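As an added example (not the configuration of either poster), here is the full ordering of the ACL pieces discussed in this thread: the rDNS check as a deny with the exemption inside its host list, followed by the relay controls so that a listed "friend" is still limited to local domains and verified recipients. It assumes a constructed local domain example.com and that /etc/exim/friends_with_broken_mx contains one IP address per line, keyed by the connecting address via lsearch.

```exim
# main configuration section
# (constructed value; comments must stand on their own line in Exim)
domainlist local_domains = example.com
hostlist   relay_from_hosts = 127.0.0.1 : 192.168.4.0/24 : 192.168.10.0/24
# lsearch; looks the connecting IP address up as a key in the file;
# a bare /path item would instead read every line as a host pattern
hostlist   friends_with_broken_mx = lsearch;/etc/exim/friends_with_broken_mx

begin acl

acl_check_rcpt:
  # local (non-TCP/IP) submissions skip all of the checks below
  accept  hosts = :

  # deny, not warn: a warn rule never rejects anything.  The exemption
  # sits in the host list of the deny, so no separate accept is needed
  # and the relay controls further down still apply to the friends.
  deny    message = Broken reverse DNS: no host name found for $sender_host_address
          hosts   = !+relay_from_hosts : !+friends_with_broken_mx
          !verify = reverse_host_lookup
  # (deliberately no bare "condition =" line: an empty condition expands
  # to "", which Exim treats as false, so the rule would never match)

  # only our own networks may relay to arbitrary domains
  accept  hosts = +relay_from_hosts

  # everyone else may deliver to local domains only, and only to
  # recipients that exist; endpass turns a failed verify into a deny
  accept  domains = +local_domains
          endpass
          verify  = recipient

  # reaching this point means a non-local recipient from an outside host
  deny    message = relay not permitted
```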