John Schmerold wrote:
> I've been running exim_surbl (from
> http://www.teuton.org/~ejm/exim_surbl ) for approximately 12 hours.
> Memory utilization is way down, message delivery time is way up, life
> seems good.
>
> So far it works really well, point of this message is 1) to let
> everyone know about this and 2) find out if there are issues that I
> should be aware of relative to use of this tool. Installation was
> simple, I did following:
> cd /usr/src ; wget http://www.teuton.org/~ejm/exim_surbl/exim_surbl-2.0.tar.gz
> tar zxf exim_surbl-2.0.tar.gz
> cp -p exim_surbl-2.0/exim_surbl.pl /etc/exim
> cp -p exim_surbl-2.0/surbl_whitelist.txt /etc/exim
> cp -p exim_surbl-2.0/ccTLD.txt /etc/exim
>
> Then edited /etc/exim/exim_surbl.pl to reflect the fact that our exim
> configuration files are in /etc/exim
>
> Then put following in exim.conf main section:
> perl_startup = do '/etc/exim/exim_surbl.pl'
>
> Then put following in exim.conf acl_smtp_mime section:
> deny condition = ${if <{$message_size}{100000}{yes}{no}}
> set acl_m0 = ${perl{surblspamcheck}}
> condition = ${if eq{$acl_m0}{false}{no}{yes}}
> message = $acl_m0
>
> Finally put following in acl_smtp_data section and restarted exim:
> deny condition = ${if <{$message_size}{100000}{yes}{no}}
> condition = ${if eq{$acl_m0}{}{yes}{no}}
> set acl_m1 = ${perl{surblspamcheck}}
> condition = ${if eq{$acl_m1}{false}{no}{yes}}
> message = $acl_m1
>
> Within seconds - every second actually, tail -f /var/log/exim/main.log
> happily reported:
> 2007-12-04 11:40:45 1IzblE-000860-Q9
> H=host158-101-dynamic.27-79-r.retail.telecomitalia.it [79.27.101.158]
> F=<Archuna492@???> rejected during MIME
> ACL checks: Blacklisted URL in message. (oran____.com) in [jp] [ob]
> [ws] [sc]. See http://www.surbl.org/lists.html.
>
> John
>
Why wait until acl_smtp_data and invoke a perl script to do what Exim can do
with much less workload in the acl_smtp_connect phase?
# CONNECT_7: Check Local NAME Blacklist for host_name. IF bad THEN deny
#
deny
message = \n Sender $sender_host_name blacklisted for abuse
log_message = C7 $sender_host_name Locally blacklisted.
condition =
${lookup $sender_host_name}wildlsearch{/var/mail/REGEXP-block}{yes}{no}}
(beware MUA wrap - the condition is on one line)
/var/mail/REGEXP-block includes, among several hundred chronic-offenders who are
zombot-friendly:
*retail.telecomitalia.it
Result:
2007-12-04 18:21:56 H=host105-160-dynamic.22-79-r.retail.telecomitalia.it
[79.22.160.105]:4678 I=[203.194.153.81]:25 temporarily rejected connection in
"connect" ACL: C7 host105-160-dynamic.22-79-r.retail.telecomitalia.it Locally
blacklisted.
Should that fall-through, C8 will catch it:
# CONNECT_8: Check Dynamic/Portable Remote Blacklist. IF RBL hit THEN deny
#
deny
message = \n $sender_host_address improper use of dynamic IP for mail server
dnslists = dul.dnsbl.sorbs.net
log_message = C8 $sender_host_address blacklisted in $dnslist_domain
An SQL call (redacted) accumulates stats on those that repeatedly hit from
dynamic IP, and is used for periodic updating of the local blacklist file.
This reduces off-box callouts to sorbs.
In production for quite a while now....
HTH,
Bill Hacker
