Re: [exim] Help in interpetting a log line

Top Page
This message is part of the following thread:
M\the complete thread tree sorted by date
MMAlain Williams at <-
.MJeremy Harris at ->
Delete this message
Reply to this message
Author: Jethro R Binks
Date:  
To: Exim Users
Subject: Re: [exim] Help in interpetting a log line
On Wed, 22 Oct 2008, Alain Williams wrote:

> It is not clear to me which machine is saying: ''Empty sender address is
> not allowed'' - I think mr51-iz.mailpoalim.co.il
>
> I think that what is happening is that exim is connecting to mr51-iz.mailpoalim.co.il to see if it will accept mail to miki.nachmani@???
> and as part of it sends:
>     MAIL FROM:<> which mr51-iz.mailpoalim.co.il objects to. Which 
> suggests that that machine will not accept bounces.

Yes.

You shouldn't be doing sender verification in this way against third party
hosts connecting to you. It can be used as a denial of service attack
(your fast server gets sent shedloads of forged mail purporting to be from
victim1@???, victim2@???, etc, your server connects to MX
of example.com and tests all these sender addresses: if that MX is not
robust or on a slow connection or already loaded, you are the party
causing a DoS attack on it). callout verification (known under various
names) is generally considered to be abusive. It would have been quite
effective against viruses and spam when they made up addresses, but
typically they now fraudulently use (what they think are) real addresses
so it doesn't help so much now anyway.

By all means verify the domain is valid and likely deliverable, but don't
use callouts to third party domains: restrict them to your own
administrative scope.

I have this jolly old stanza in acl_smtp_rcpt: 

  ## verify sender
  ## Decline to receive mail unless we can verify the sender address.
  ## This will run the routers in 'sender verification' mode.  In practice,
  ## if these are remote domains, then we will decline mail from domains in
  ## addresses that do not have MX records - ie, we wouldn't be able to send
  ## mail back to them
   deny  message   = Could not verify sender address or domain;\n\
                     Maybe the DNS MX records are wrong or missing?\n\
                     REFUSENOTICE
       log_message = MSGTAG_FAILEDSENDERVERIFY: Unverifiable sender address \
                     or domain (DNS problem?) for <${lc:$sender_address}>
           !verify = sender


(most local domains are handled separately with a callforward).

> 1) tell the sysadmins that look after mr51-iz.mailpoalim.co.il to fix
> their machines

Tell them that anyway :)

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK

This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-[exim] Help in interpetting a log lineRe: [exim] ratelimit is counting wrong->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)