著者: W B Hacker 日付: To: exim users 題目: Re: [exim] Mail relay testing
build wrote:
*trimmed*
>>>> RCPT TO:<me@???@[210.x.xxx.x]>
> <<< 501-<me@???@[210.x.xxx.x]>: malformed address:
> @[210.x.xxx.x]> may not follow <me@???
>
> Where should I put the config line?
> Thanks again in anticipation,
> build
>
It is probably in the right place - anywhere that precedes the first of the acl_
clauses.
But if you wish to traffic in IP vs DNS-locatable <domain>.<tld>
you may also need to add:
allow_domain_literals = true
CAVEAT: Though required by RFC, this is quite commonly NOT enabled, due to
historical abuse.
In our case, we use acl's to further limit receipt of such literals sent TO our
IP's to messages addressed ONLY to postmaster@, hostmaster@, and abuse@
.. which are also limited to singeton arrivals only - no 'piggyback' broadcasts.
..and have had nary a problem with it the past many years.
JFWIW, I'd not be too concerned with making the test 'easier'.
That your server is kicking the test suite out where, why, and how it is now
doing is a fairly decent idicator that it would do the same with a 'real'
attempt to do unauthorized relaying.
QED.
Limiting errors and (our choice) NOT offering pipelining, are helpful measures
in themselves, as are limiting the simultaneous connections per remote host.
CAVEAT - that last would want an exception for a bespoke / in-house relay
network. But you can do that, too, w/o opening it up to 'the world'.
For ANY new installation though, it pays to have plenty of log file space,
'log_selector = +all', and 'tail -f ' (at least) the exim mainlog frequently so
as to spot anomalies.
IF/as/when you have surprises that are in need of debugging, you can add
log_message and logwrite to your acl clauses with coded ID's so you can tell
which ones are actively involved and more easily scrutinize / edit the right ones.
Much easier to start verbose and back-down the logging, commnet OFF the extra
log writing later than to wander about in the dark.
And don't forget the *extensive* debug capability Exim has w/o need to even have
a cable plugged in. There's no other MTA even close to the ease of use or
comprehensiveness of that suite.
