Re: [exim] Setup for authenticated submission

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Andrew - Supernews
Ημερομηνία:  
Προς: Bill Hacker, exim-users
Υ/ο: 
Αντικείμενο: Re: [exim] Setup for authenticated submission
>>>>> "Bill" == Bill Hacker <wbh@???> writes:

Bill> The first is wasteful of a scarce resource, (IP's) the second
Bill> is not optimal if the far-end is looking at the sender's
Bill> {domain} against the helo (as we ourselves do).


Trying to match the sender domain against the helo is an exercise in
futility, and more importantly, it's spreading a very dangerous meme
amongst the authors of some defective mail software (of which IPSwitch
Imail is the most egregious, but there are many other examples).

It is a _NORMAL_ case for the HELO domain to be different to the domain
of the envelope sender. (The examples are endless; forwarded mail, mail
from @msn addresses coming from hotmail.com servers, mail from any of
several million domains outsourced to large outsourcers like Outblaze or
the old Critical Path hosted service; the list goes on.)

It is also not a good criterion for whitelisting; spam sent from zombie
machines frequently uses a HELO matching the envelope sender.

However, and this is the important point, looking for multiple different
HELO values from a single ip is a _MASSIVELY_ effective way of detecting
spam sources. If you configure your server to use a variable HELO then
you _will_, sooner or later, find that people end up blocking you as a
result. If you've never used this method of detecting spam (and it takes
a fairly large mail flow into several domains to really do it right) you
would not believe how amazingly effective it can be.

Bill> That we *can* control with 'helo_data' - to at least match the
Bill> helo to our sender's {domain}. 'Challenge TWO'.


You should not even try. You should have _ONE_ PTR record for an IP
doing outgoing mail, and the HELO should be (a) fixed, and (b) should
match that PTR record.

Bill> All that 'motion', basically so that we can satisfy the likes
Bill> of AOL and our own rather picky Exim servers


AOL doesn't require that the HELO match the envelope sender and never
will. I'd be willing to bet that they look for variable HELO values
from a given IP, though.

If you configure your MTA to behave in ways characteristic of spam
zombies simply in order to satisfy your _own_ broken filtering rules,
then you should expect problems getting your mail delivered.

--
Andrew, Supernews
http://www.supernews.com