Author: David Woodhouse
Date:
To: bremner-dated-1193733823.f65ab1
CC: exim-users
Subject: Re: [exim] A kinder, gentler dns_again_means_nonexistent?

On Thu, 2007-10-25 at 13:36 +0200, bremner@??? wrote:
> I have an exim4 (4.68) server that gets most of its mail forwarded
> from another server ("edge MTA"). I notice there is a certain number
> of (probably spam) senders who always defer, I think because their DNS
> servers return SERVFAIL to MX lookups. I would like to reduce the
> number of needless defers back to the edge MTA.
>
> Can anyone think of an easy way to start rejecting a sender after
> it defers X times in Y hours? I guess eventually the edge MTA will
> give up, but I can afford to be a lot more aggressive than they can in
> terms of what I reject.

As a general rule, you should strive _not_ to reject more than any
server which will receive mail for you and relay it (such as,
traditionally, a backup MX). That leads to bounce messages being sent to
innocent bystanders whose address was _faked_ as the sender of the mail
you reject.

Instead, you should filter at the 'edge MTA' -- and it's fairly simple
there -- if you can't look up the MX record of the domain of the alleged
sender, defer the mail and don't accept it into your system at all.

If you can't control the 'edge MTA' even to that extent, then the best
course of action would be to stop relying on it.
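
An added illustration, not part of the original message: one way the sender-domain check described above can be written as an Exim RCPT ACL on the edge MTA. The ACL name acl_check_rcpt, the local_domains list and the message texts are assumptions; a real configuration carries the site's own recipient and relay checks.

```exim
# Example fragment for the edge MTA (names and messages are assumptions).

# Main configuration section
domainlist local_domains = @
acl_smtp_rcpt = acl_check_rcpt

# dns_again_means_nonexistent is deliberately left unset (its default).
# Listing a domain there makes a temporary DNS error such as SERVFAIL
# count as "domain does not exist", which turns the defer below into
# a permanent rejection.

begin acl

acl_check_rcpt:
  # Route the envelope sender in verify mode, before any data is accepted:
  #   sender routable        -> continue with the next statement
  #   sender unroutable      -> 5xx, the message is refused
  #   temporary DNS failure  -> 4xx, the message is deferred
  # In every failing case the message never enters the queue, so this
  # host does not later generate a bounce to a faked sender address.
  require message = sender address could not be verified
          verify  = sender

  # Stand-in for the site's own recipient and relay checks.
  accept  domains = +local_domains
  deny    message = relay not permitted
```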