After a successful trial of Exim as a secondary MX, I'm ready to roll it out
as an antispam/antivirus frontend to my CommuniGate Pro server. The general
mail flow I have in mind is below; please glance over it and contribute
suggestions/comments/mockery as needed. I have a fair amount of CPU/RAM to
throw at this but very limited tolerance for FPs and almost no tolerance for
time delays of more than a few minutes.
    acl_smtp_connect = acl_connect
    acl_smtp_helo = acl_helo
    acl_smtp_mail = acl_mail_from
    acl_smtp_rcpt = acl_rcpt_to
    acl_smtp_data = acl_data

- [ ] acl_connect
    - [ ] accept from trusted hosts
        - [ ] my corporate overlords
        - [ ] some clients?
    - [ ] Check blacklists/whitelists and save blacklist results in
          variables for later rejection
        - [ ] whitelist file -- if listed, skip blacklists
        - [ ] whitelist by RDNS -- if listed, skip blacklists
        - [ ] create DNSWL? -- might be easier than keeping files
              synchronized across multiple MXes
        - [ ] blacklist file
        - [ ] DNSBLs
        - [ ] blacklist by RDNS
- [ ] acl_helo
    - [ ] accept from trusted hosts
    - [ ] Check HELO for IP address and if IP address flag in variables
    - [ ] Check HELO for our name/address and if ours flag in variables
    - [ ] Verify HELO or log verification failure
    - [ ] Flag fake yahoo/aol/hotmail/gmail helo for rejection?
- [ ] acl_mail_from
    - [ ] accept from trusted hosts
    - [ ] If no helo, flag in variables
- [ ] acl_rcpt_to
    - [ ] accept from trusted hosts
    - [ ] accept if local part is postmaster and/or blacklist admin
          and/or abuse (this is why I wait until now to start rejecting
          messages)
    - [ ] deny if blacklisted/IP HELO/forged HELO/no HELO/callout failed
    - [ ] deny if recipient not in +relay_to_domains
    - [ ] deny if recipient callout fails
    - [ ] deny if sender callout fails (I know the arguments against
          sender callout, but on balance it seems to me that it's worth
          doing; I try to minimize the effect on innocent mail servers by
          leaving it to this late in the game)
    - [ ] if verizon/.mac delay 20s then accept
    - [ ] elif in redlist delay 55s then accept (Redlist is my DNSBL of
          hosts we will rarely see legitimate email from; it's a mix of
          geographical locations and spam-tolerant ISPs.)
    - [ ] else delay 30s then accept
- [ ] acl_data
    - [ ] accept if local part is postmaster and/or blacklist admin
          and/or abuse
    - [ ] scan with ClamAV
    - [ ] accept from trusted hosts
    - [ ] scan with SpamAssassin
        - [ ] reject on 10+
        - [ ] add header for sorting on 5+
    - [ ] accept
Thanks for any help you can provide!
--
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"The greatest dangers to liberty lurk in insidious encroachment
by men of zeal, well-meaning but without understanding."
-- Justice Louis Brandeis
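An added worked example (not Dave's own configuration, and not code from the Exim or CommuniGate projects): the flow in the post written out as an Exim 4 ACL section, in the order the post gives it. The hostlist names and their contents, the files under /etc/exim, the DNSBL names (redlist.example.com stands in for the private redlist), the clamd socket path and the spamd address are all assumptions; local_domains and relay_to_domains are the domainlists from Exim's default configure file.

```exim
# Added example, not the original poster's config. Assumed values below:
# the hostlist contents, the /etc/exim files, redlist.example.com,
# the clamd socket and the spamd address.
hostlist trusted_hosts  = 192.0.2.0/24 : 198.51.100.10
hostlist whitelist_rdns = *.partner.example
hostlist blacklist_rdns = *.dsl-pool.example.net
av_scanner    = clamd:/var/run/clamav/clamd.ctl
spamd_address = 127.0.0.1 783

acl_smtp_connect = acl_connect
acl_smtp_helo    = acl_helo
acl_smtp_mail    = acl_mail_from
acl_smtp_rcpt    = acl_rcpt_to
acl_smtp_data    = acl_data

begin acl

acl_connect:
  accept hosts = +trusted_hosts
  # Whitelisted hosts (file of host patterns, or rDNS pattern) skip all blacklists.
  accept hosts = /etc/exim/whitelist-hosts : +whitelist_rdns
  # Only record the verdict here; rejection waits until RCPT so that
  # postmaster/abuse mail from a listed host can still get through.
  warn   hosts = /etc/exim/blacklist-hosts : +blacklist_rdns
         set acl_c_blacklisted = host is locally blacklisted
  warn   dnslists = zen.spamhaus.org : bl.spamcop.net
         set acl_c_blacklisted = listed in $dnslist_domain ($dnslist_text)
  accept

acl_helo:
  accept hosts = +trusted_hosts
  # Bare IP address as HELO (an RFC address literal would be [192.0.2.1]).
  warn   condition = ${if isip{$sender_helo_name}}
         set acl_c_bad_helo = HELO is a bare IP address
  # HELO claims to be one of our own names.
  warn   condition = ${if match_domain{$sender_helo_name}{+local_domains : $primary_hostname}}
         set acl_c_bad_helo = HELO claims to be one of our own hosts
  # Verification failure is only logged, as the post says.
  warn   !verify     = helo
         log_message = HELO verification failed for "$sender_helo_name"
  accept

acl_mail_from:
  accept hosts = +trusted_hosts
  warn   condition = ${if eq{$sender_helo_name}{}}
         set acl_c_bad_helo = no HELO/EHLO before MAIL FROM
  accept

acl_rcpt_to:
  accept hosts = +trusted_hosts
  # Abuse-handling addresses are always accepted. Remember that for acl_data,
  # where $local_part is no longer available (a message may have many recipients).
  accept local_parts = postmaster : abuse : blacklist-admin
         domains     = +relay_to_domains
         set acl_m_privileged = yes
  deny   condition = ${if def:acl_c_blacklisted}
         message   = Rejected: $acl_c_blacklisted
  deny   condition = ${if def:acl_c_bad_helo}
         message   = Rejected: $acl_c_bad_helo
  deny   !domains  = +relay_to_domains
         message   = Relay not permitted
  # Recipient callout goes to wherever the router sends the domain (the
  # CommuniGate backend); the sender callout comes last, as in the post.
  deny   !verify   = recipient/callout=20s,defer_ok
         message   = Unknown recipient
  deny   !verify   = sender/callout=30s,defer_ok
         message   = Sender address could not be verified
  # Teergrube delays: the delay modifier runs only when the preceding
  # condition on the same statement matched.
  accept senders  = *@verizon.net : *@mac.com
         delay    = 20s
  accept dnslists = redlist.example.com
         delay    = 55s
  accept delay    = 30s

acl_data:
  accept condition = ${if eq{$acl_m_privileged}{yes}}
  deny   malware   = *
         message   = Message contains malware ($malware_name)
  accept hosts     = +trusted_hosts
  # "nobody:true" makes the condition always succeed so that $spam_score,
  # $spam_score_int and $spam_bar get set for the statements below.
  warn   spam      = nobody:true
  # $spam_score_int is ten times the score: 100 is 10.0, 50 is 5.0.
  deny   condition = ${if >{$spam_score_int}{100}}
         message   = Rejected as spam (score $spam_score)
  warn   condition = ${if >{$spam_score_int}{50}}
         add_header = X-Spam-Score: $spam_score ($spam_bar)
  accept
```

Two design points worth noting: the acl_c_* variables persist for the whole connection, so flags set at connect or HELO time are still there at RCPT, while acl_m_* variables are reset per message, which is what the postmaster/abuse marker needs. Because the deny statements for blacklist and HELO problems sit after the postmaster/abuse accept, a listed host can still reach those addresses, which is exactly the ordering the post asks for. Before enabling it, walk a session through with `exim -bh 203.0.113.5` to see which statement fires at each stage.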