[exim] Badness-Scoring (was Re: verify = helo, PTR record l…

Páxina inicial
Borrar esta mensaxe
Responder a esta mensaxe
Autor: Thomas Jacob
Data:  
Para: exim-users
Temas antigos: Re: [exim] verify = helo, PTR record lookup
Asunto: [exim] Badness-Scoring (was Re: verify = helo, PTR record lookup)
Very nice, thanks :-) Exim truly is the Emacs of MTAs.

Seems to me though after looking at the latest dnsdb-docs, there
is a dnsdb(ptr=?) lookup now, to make things more simple.

Another thing, I notice from your config/code sample that you seem to be
calculating some sort of "badness" score, could you perhaps explain this
a litte,
if you feel so inclined and have the time.

Do you use this score as basis for rejecting emails during the SMTP
session?
What kind of tests do you include in that scoring, apart from the ones
in
your example? What are your experiences with this setup
in regard to bewildered sys admins of your communications partners that
do not want to accept that you block their mail because they've
misconfigured
their systems?

On Tue, 2007-06-12 at 23:21 +0200, Giuliano Gavazzi wrote:
> On 12 Jun 2007, at 17:15, Thomas Jacob wrote:
> > I use it to exempt MTAs with a valid helo string from some other
> > processing, and for that a check helo str=simple reverse lookup
> > would be nice thing to have.
> >
> > Is there perhaps a way to achieve this using other Exim features?
>
>
> with Exim you can do all sorts of funky DNS lookups.
> For an example of absolutely hermetical use of dns lookups see (I am
> not good at comments...):
>
> # DNS TESTS
> # acl_c16 (uses also acl_c15)
> # find the peer ($sender_host_address) in-addr.arpa zone NS records
> # and add 3 points (for now) if this fails like for many  
> misconfigured servers
> warn    !authenticated = *
>          set acl_c15 = ${lookup dnsdb{cname=${if match  
> {$sender_host_address}\
>                          {\N^(\d+)\.(\d+)\.(\d+)\.(\d+)$\N}\
>                          {$4.$3.$2.$1.in-addr.arpa}fail}}{$value}{none}}
>          condition = ${if !eq{$acl_c15}{none}}
>          set acl_c15 = ${if match {$acl_c15}{\N^(\d+)\.(.+)$\N}{$2}fail}
>          set acl_c15 = ${lookup dnsdb{ns=$acl_c15}{$value}{none}}

>
>
>
> warn    !authenticated = *
>          condition = ${if eq{$acl_c15}{none}}
>          set acl_c15 = ${lookup dnsdb{defer_lax,zns=${if match  
> {$sender_host_address}\
>                          {\N^(\d+)\.(\d+)\.(\d+)\.(\d+)$\N}\
>                          {$3.$2.$1.in-addr.arpa}fail}}{$value}{none}}

>
>
> #add points for misconfigured servers (they should give NODOMAIN!)
> warn    !authenticated = *
>                  set acl_c15 = ${tr {$acl_c15}{\r\n}{\ }}
>                  condition = ${if eq{$acl_c15}{none}}
>                  set acl_c16 = 3

>
> # from now on acl_c15 contains a list of the NS records of the in-
> addr.arpa zone of the peer
>
> # add point for bad servers
> warn    !authenticated = *
>          condition = ${if match {$acl_c15}{\.cn\ }{yes}{no}}
>          set acl_c16 = 3

>
> # be nasty to bad domains in NS record
> warn    !authenticated = *
>          condition = ${if match {$acl_c15}{\N(?i)(xo\.com| 
> terraempresas\.com\.br)$\N}{yes}{no}}
>          set acl_c16 = 5

>
> warn    !authenticated = *
>          condition = ${if match {$acl_c15}{\N(?i)(ecircle\.de|cn\.ad 
> \.jp|rackspace\.com|mail\.ru|mtu\.ru)$\N}{yes}{no}}
>          set acl_c16 = 7