Re: [exim] Verifying rcpt exists before greylisting

Author: Peet Grobler
Date:  
To: exim-users
Subject: Re: [exim] Verifying rcpt exists before greylisting
Magnus Holmgren wrote:
> We need more details to be able to figure out what you've tried to do. For
> starters, what does your virtual domain router look like and what does your
> acl_smtp_rcpt ACL look like? What parts of the specification have you read,
> what did you understand and what did you not understand?


Virtual domain router:
virtual_aliases:
         driver = redirect
         debug_print = "R: virtual_aliases for $local_part@$domain"
         allow_defer
         allow_fail
         domains = dsearch;/etc/mail/virtual
         data = ${expand:${lookup{$local_part}lsearch*@{/etc/mail/virtual/$domain}}}
         qualify_preserve_domain
         retry_use_local_part
         pipe_transport = address_pipe
         file_transport = address_file
         no_more


And (you'll notice my !verify = recipient being commented out - that's
where I'd expect it to be).

acl_check_rcpt:

# Deny addresses with funny characters and shell escapes.
deny    message = Invalid recipient username
         local_parts = ^.*[@%!/|] : ^\\.


# Accept if the source is local SMTP (not over TCP/IP). We do this by testing
# for an empty sending host field
accept hosts = :

# Accept authenticated mails
warn    message = X-SA-Do-Not-Run: Yes
         authenticated = *


accept authenticated = *

# Accept postmaster@ and abuse@ mails
warn    message = X-SA-Do-Not-Run: Yes
         local_parts = postmaster


accept  domains = +local_domains
         local_parts = postmaster


# Deny if sender is listed as a spammer.
deny    message = $sender_host_address is blacklisted at \
                 $dnslist_domain ($dnslist_value: $dnslist_text)
         log_message = REJECT: $sender_address_domain is blacklisted at \
                 $dnslist_domain : $dnslist_text
         #dnslists = zen.spamhause.org : nomail.rhsbl.sorbs.net :  \
         dnslists = nomail.rhsbl.sorbs.net :  \
                 blackholes.mail-abuse.org : dialups.mail-abuse.org : \
                 list.dsbl.org : dnsbl.njabl.org : cbl.abuseat.org


# Deny right now, before greylisting/spam scanning, if we cannot verify
# the recipient. This is so that dictionary attacks against our domain don't
# kill the greylisting or anti-spam system.
#require        message = No such user on this domain.
#       !verify = recipient


   # greylisting (as per David Peall's config)
   warn  set acl_m2      = ${lookup mysql{GREYLIST_TEST}{$value}{0}}


   defer message         = Greylisted - please try again a little later.
         condition       = ${if eq{$acl_m2}{0}{1}}
         condition       = ${lookup mysql{GREYLIST_ADD}{yes}{no}}


   defer message         = Greylisted - please try again shortly.
         condition       = ${if eq{$acl_m2}{1}{1}}


   warn  message         = X-Greylist: Passed
         condition       = ${lookup mysql{GREYLIST_UPDATE}{yes}{no}}


   # Accept specific mail without scanning it for spam.
   warn  message         = X-SA-Do-Not-Reject: Yes
         local_parts     = postmaster:abuse


   # changed size from 250k to 100k - Bretton (14/08/2006)
   warn  message         = X-SA-Do-Not-Reject: Yes
         condition       = ${if >{$message_size}{100k}{1}{0}}


... and so on ... (still working on it really)

> !verify = recipient doesn't say anything on its own. It makes sense in a deny
> statement, but that statement won't be obeyed if an earlier statement has
> already determined the fate of the message. It should never, by itself, cause
> *all* mail to be rejected, unless the routers have no_verify set or
> something.


root@honey:/etc/exim4/conf.d grep "no_verify" * -R
router/600_exim4-config_userforward:# The no_verify setting means that this router is skipped when Exim is
router/600_exim4-config_userforward: no_verify
router/700_exim4-config_procmail: no_verify
router/800_exim4-config_maildrop: no_verify
router/015_exim4-config_smarthost: no_verify
router/650_exim4-config_uservacation: no_verify

Which is cool, as the router for virtualdomains isn't mentioned here.
For testing I'm sending a mail to a non-existent user on our box, and it
gets to the point of :blackhole: in the virtual aliases file -
indicating that my config doesn't work.

Another quick question - what is the proper way to reload the exim4
configuration changes I've made? Currently I go through the following
process (which just doesn't seem proper):

$ update-exim4.conf
$ /etc/init.d/exim4 reload
$ /etc/init.d/exim4 stop
$ killall exim4
$ /etc/init.d/exim4 start

This seems to be the only way my config changes get picked up (this is
on Debian).

Thanks.
--
Peet Grobler <peet@???>
www.grobler.za.net

Skype: peet_grobler
XMPP: peetgrobler@???
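
Added example, not part of the original message and not Exim code: a simplified Python model of how Exim's ACL verbs treat the negated `!verify = recipient` condition discussed above. It shows that `require` with the negated condition rejects recipients that do verify, while `deny` placed ahead of the greylisting statements rejects unknown recipients before any greylist row is created. The mailbox list, the addresses and all function names are constructed for illustration.

```python
# Simplified model of Exim ACL verb handling. Added example, not Exim code.
KNOWN = {"peet@example.org"}          # constructed mailbox list (assumption)

def verify_recipient(rcpt):
    """Stand-in for 'verify = recipient': True if the routers accept rcpt."""
    return rcpt in KNOWN

def make_greylist():
    """Stand-in for the GREYLIST_* MySQL lookups: defer on first sight."""
    seen = set()
    def first_sight(rcpt):
        if rcpt in seen:
            return False
        seen.add(rcpt)                # every new recipient costs a DB row
        return True
    return seen, first_sight

def run_acl(statements, rcpt):
    """Walk (verb, condition) pairs in order; return the first final verdict."""
    for verb, cond in statements:
        met = cond(rcpt)
        if verb in ("accept", "deny", "defer") and met:
            return verb
        if verb == "require" and not met:
            return "deny"             # a failed 'require' rejects
        # 'warn' and unmet conditions fall through to the next statement
    return "deny"                     # implicit deny at the end of an ACL

def build(verb, position):
    """ACL with '<verb> !verify = recipient' before or after greylisting."""
    seen, first_sight = make_greylist()
    check = (verb, lambda r: not verify_recipient(r))
    grey = ("defer", first_sight)
    body = [check, grey] if position == "before" else [grey, check]
    return seen, body + [("accept", lambda r: True)]

def outcome(verb, position, rcpt):
    """Return (verdict, greylist rows created) for one RCPT command."""
    seen, acl = build(verb, position)
    return run_acl(acl, rcpt), len(seen)

if __name__ == "__main__":
    for verb, pos in [("require", "before"), ("deny", "before"), ("deny", "after")]:
        for rcpt in ("peet@example.org", "nobody@example.org"):
            print(verb, pos, rcpt, outcome(verb, pos, rcpt))
```
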