Re: [exim] accept mail from local domains without checking r…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Andrew Johnson
Dátum:  
Címzett: 'Steven Settlemyre', exim-users
Tárgy: Re: [exim] accept mail from local domains without checking rbl
I notice that the rbl check is being done in your rcpt acl, this is a silly
place to do it as lets say mr internet sends an email to 10 people on your
org, it will attempt to rbl check 10 times. Although the result should be
cached, it would make more sense to rbl check in the mail acl. Also, if you
move the accept lines above the rbl check, you will never do an rbl check
for a sender that is sending to your org which I suspect is not what you
want.

Your mail acl should accept if user was postmaster/abuse, was authenticated
or was within your network (whichever you decide) otherwise do the rbl
check.

-Andy-

-----Original Message-----
From: Steven Settlemyre [mailto:settlemy@asel.udel.edu]
Sent: 10 January 2007 13:41
To: exim-users@???
Subject: [exim] accept mail from local domains without checking rbl

I have inherited a sysadmin position and dont know a ton about exim. I had a
crash-course by the previous guy, but still need some help. It seems email
sent within our network is being checked for blacklist. How can I prevent
this from happening?

Seems to me i could just move the 2 accept domains rules above the rbl rule.
Is this correct?

Thanks
Steve

my ACL:


acl_check_rcpt:

# Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
# testing for an empty sending host field.

accept hosts = :

# Deny if the local part contains @ or % or / or | or !. These are rarely
# found in genuine local parts, but are often tried by people looking to
# circumvent relaying restrictions.

# Also deny if the local part starts with a dot. Empty components aren't
# strictly legal in RFC 2822, but Exim allows them because this is common.
# However, actually starting with a dot may cause trouble if the local
part
# is used as a file name (e.g. for a mailing list).

  deny    local_parts   = ^.*[@%!/|] : ^\\.


# Accept mail to postmaster in any local domain, regardless of the source,
# and without verifying the sender.

#  accept  local_parts   = postmaster
#          domains       = +local_domains


# Deny unless the sender address can be verified.

  require verify        = sender



  # Add a header to message that are from our users, so
  # we can skip expensive spam filtering on them.
  warn     authenticated = *
        message     = X-Skip-Scan: Autenicated User


  warn     hosts = +relay_from_hosts
        message     = X-Skip-Scan: Local User


######################################################################
# Hello checks
######################################################################

  # If the remote host greets with an IP address, then reject the mail.
  #
  deny
    message     = Message was delivered by ratware a
    log_message = remote host used IP address in HELO/EHLO greeting
    !hosts = +relay_from_hosts
    !authenticated = *
    condition   = ${if isip {$sender_helo_name}{true}{false}}



  # Likewise if the peer greets with one of our own names
  #
  deny
    message     = Message was delivered by ratware b
    log_message = remote host used our name in HELO/EHLO greeting.
    !hosts = +relay_from_hosts
    !authenticated = *
    condition   = ${if match_domain{$sender_helo_name}\
                       {$primary_hostname:+local_domains:+relay_to_domains}\
                       {true}{false}}



  deny
    message     = Message was delivered by ratware c
    log_message = remote host did not present HELO/EHLO greeting.
    !hosts = +relay_from_hosts
    !authenticated = *
    condition   = ${if def:sender_helo_name {false}{true}}



############################################################################
#
# There are no checks on DNS "black" lists because the domains that
contain
# these lists are changing all the time. However, here are two examples of
# how you could get Exim to perform a DNS black list lookup at this point.
# The first one denies, while the second just warns.
#

  # Accept mail to postmaster and abuse
  accept domains = +local_domains
        local_parts = postmaster:abuse


  deny    message       = rejected because $sender_host_address is in a 
black list at $dnslist_domain\n$dnslist_text
          dnslists      = dnsbl.njabl.org : bl.spamcop.net : 
sbl.spamhaus.org : list.dsbl.org : cbl.abuseat.org
#: relays.ordb.org
          !hosts = +relay_from_hosts
          !authenticated = *
  #
  # warn    message       = X-Warning: $sender_host_address is in a 
black list at $dnslist_domain
  #         log_message   = found in $dnslist_domain
  #         dnslists      = black.list.example


############################################################################
#

# Accept if the address is in a local domain, but only if the recipient
can # be verified. Otherwise deny. The "endpass" line is the border between
# passing on to the next ACL statement (if tests above it fail) or denying
# access (if tests below it fail).

  accept  domains       = +local_domains
          endpass
          message       = unknown user
          verify        = recipient



# Accept if the address is in a domain for which we are relaying, but
again,
# only if the recipient can be verified.

  accept  domains       = +relay_to_domains
          endpass
          message       = unrouteable address
          verify        = recipient


# If control reaches this point, the domain is neither in +local_domains
# nor in +relay_to_domains.

# Accept if the message comes from one of the hosts for which we are an
# outgoing relay. Recipient verification is omitted here, because in many
# cases the clients are dumb MUAs that don't cope well with SMTP error
# responses. If you are actually relaying out from MTAs, you should
probably
# add recipient verification here.

  accept  hosts         = +relay_from_hosts


# Accept if the message arrived over an authenticated connection, from
# any host. Again, these messages are usually from MUAs, so recipient
# verification is omitted.

accept authenticated = *

# Reaching the end of the ACL causes a "deny", but we might as well give
# an explicit message.

  deny    message       = relay not permitted