Autor: Tim Jackson Datum: To: exim-users Betreff: Re: [exim] mailq on MX secondary filling up with '550 unknown user'
Alain Williams wrote:
> My MX secondary receives it's share of username-generation spam attacks, when it tries
> to forward this cr*p onto my primary, the primary bounces them (see above).
> The problem is that my MX secondary holds onto these and retries, this fills up
> the mailq, etc.
Don't forget that apart from the problems you're seeing, "etc." includes
spamming third parties whose address was forged by spammers :(
> How can I get the MX secondary to bounce (or preferably discard) such mail ?
1. Do you *really* need a secondary MX? Sure? Really sure? They are
often not needed these days, and they do cause additional complications
as you point out. Basically the general rule is that if you have one,
you want it to be configured the same as the primary, so it gives the
same SMTP responses etc.
2. Enable recipient verification callouts on the secondary. e.g. " deny
!verify = recipient/callout=use_sender,defer_ok ". This will forward
recipient checks onto the primary, which is OK as long as the primary is
up and/or the callout details are in Exim's cache (it hangs onto them
for a while, see manual for details of callout cache). If your primary
is down for long periods you might want to tweak the expiry times of
data in the callout cache.
Or, better, you said it:
> I have considered putting a list of users on my MX secondary and doing a check at RCPT
> time, but would rather avoid that: extra work maintaining the list, ...
If you set it up to run itself automatically (e.g. scp a copy of the
list across from the primary every hour) it shouldn't be much/any
hassle. This is the best solution by far and what I do in situations
like this.