Re: [exim] When to use dns block lists

Top Pagina
Delete this message
Reply to this message
Auteur: W B Hacker
Datum:  
Aan: exim-users
Onderwerp: Re: [exim] When to use dns block lists
Sub Zero wrote:
>>>>That policy is rather likely to land you on a blacklist yourself.
>>>
>>>How will using gmail/yahoo land you on a blacklist?
>>
>>The thinking of blocking even the postmaster address thinking "they can
>
> use gmail/yahoo", akin to "let them eat cake", that's of issue.
>
>>If your system does not accept mail to the postmaster address, you culd be
>
> listed on some RBLs... like this one: http://www.rfc-ignorant.org/
>
> The RFC clearly states that your should name the postmaster address
> world-acceptable *OR* give an alternative email address insead. I think it
> is okay to let your blocked users contact you on your gmail addy instead..
> :P
> My mail server at my pc tells you to mail to
> blacklist-{DailyRandomCode}@{domain.dom}...
>
> I would simply look at the dns record, domain record and website instead...
> :)
>
>


You may 'think it is OK..' but RFC's aside, mail to 'postmaster'
is more often generated by a 'daemon', not a human, so the
chance of it looking-up a gmail (or any other) address, ranges
from 'zero' to 'none at all'.

It is not at all hard to configure Exim to accept legitimate
mail to postmaster, as well as 'abuse', 'webmaster' and a select
few similarly useful/commonly-helpful addresses if you wish, and
to do so in such a manner as to NOT be flooded with garbage.

True even if running an essentially all-virtual environment for
multiple domains. We have'postmaster' in an SQL DB as well as in
/etc/aliases, purely to support custom lookups and delivery, but
that is optional.

That you then use /etc/aliases and/or some form of DB to route
such traffic off-box to another account - gmail if you wish -
and/or 'sequester' it for review if/as/when you choose to go
through it, is a better way to avoid hassle than 'let them use
<whatever>' when <whatever> isn't machine-readable.

Our 'postmaster' account can even be reached as:

'postmaster@203.194.153.81' - and such, for each IP.

- Though no other account can be.

All per RFC and Exim spec's....

You might also keep in mind that *any* lookup to an external
source, be it a local flat-file or a remote DNS/other blacklist,
has a time and server-resource 'cost' that can often be avoided
by better use of Exim's 'built-in' tests.

Put the 'cleverness' on the inside, not on the outside, and the
bones won't show.

YMMV

Bill Hacker