Re: [exim] Using GeoIP to block spammers - anyone?

Odhiambo G. Washington wrote:

*trim*

> ..... I only want to keep out _anyone_ else who does
> not have any auth credentials on this box.
>

Wash,

If I understand you correctly, that this box is not supposed to
handle 'incoming' traffic from other mx'en, but only handle
'outbound' traffic from your user community, then that part is
simple and you won't need GeoIP or any RBL's of any kind.

- Set up the box as restricted type of 'smarthost' - basically
an MSA only, instead of a full MTA.

- 'listen' only on the submission ports

- require SSL/TLS auth, disallow plain auth. If a user has valid
UID:PWD, you needn't care what IP he is on - home or travel.

You may need to publish new MUA settings to your user community,
give them time to adjust, and cue support staff to assist.

But once migrated, you should not have much further worry about
bogus relay connection attempts or spam, as these generally
target port 25.

That port can have very draconian rules at connect time if it is
open at all, (as it may need to be at least for bounces and such).

These too can have simple rules when other mx of your own are
expected to handle 'oridary' traffic.

IMAP/POP should be OK as-is, providing you use reasonably secure
auth.

But - becasue this is NOT a listed mx, I would also suggest you
realy its outbound via the listed mx.

Otherwise, you will just be trading one set of problems for
another. Our servers, for example could refuse to converse with
you in the absence of proper DNS, no hostname found for IP, etc.

FWIW, I would scrap the whole idea, re-configure the 'visible'
mx to cover the need, and do an IP takeover.

You either have effective acl's or you don't. A 'stealth'
server can bring more problems than it solves.

YMMV,

Bill