Author: W B Hacker
Date:
To: exim users
Subject: Re: [exim] unblocking gmail
Randy Bush wrote:
>> The general rule (not just with Exim) is to work on the minority case -
>> IOW the forgery, the 'lie', the just-plain-wrongness.
>
> dunno what your severs see, but in my universe, the forgery is by far
> the majority. so i want to immediately accept the real and then fall
> into the dnsbls.
>
> randy
>
They are only '...far the majority...' because you have decided not to
reject obvious zombies earlier - at acl_smtp_connect.
A caller that *survives* forward/reverse DNS lookup, who HAS a PTR RR,
who is NOT in a dynamic-IP RBL, who THEN ALSO fails a HELO to FQDN test
is less common than a zombie (which ordinarily fails all of these).
Such a HELO mismatch is usually due to DNS and/or the MTA being misconfigured
through ignorance or HIRD - not really a 'forgery' per se.
Ex: Network Solutions et al, who can't be bothered to ensure that their
contract MTA vendors consistently keep DNS records up to date. IOW, most
days they appear to 'forge' themselves, connecting from a .net IP but IDing
as a .com, not assigning PTR RRs to their outbound 'pool' that remotely
match their HELO, etc.
If you want 'immediate' onpassing, you'll need something like lookups
against /var/mail/IP-pass or /var/mail/VIP lists, AND setting a flag in
acl_smtp_connect, AND testing that flag again in each acl_smtp phase
thereafter (that you feel safe skipping, anyway).
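One way to wire up the connect-time flag and the later per-phase tests described above, as an added Exim ACL example that is not from the original post or the Exim distribution; the /var/mail/IP-pass and /var/mail/VIP paths are the ones named in the post, while the ACL names and the dynamic-IP DNSBL zone are placeholders:

```exim
# Top-level ACL bindings (main configuration section)
acl_smtp_connect = acl_check_connect
acl_smtp_helo    = acl_check_helo

begin acl

acl_check_connect:
  # Known-good callers listed in /var/mail/IP-pass or /var/mail/VIP:
  # set a connection-scoped flag that every later ACL phase can test.
  warn
    hosts = /var/mail/IP-pass : /var/mail/VIP
    set acl_c_trusted = yes

  accept
    condition = ${if eq{$acl_c_trusted}{yes}}

  # Everything below is the zombie filter: reject callers whose
  # reverse DNS is missing or does not resolve back to the connecting
  # address, and callers listed in a dynamic-IP DNSBL.
  deny
    message = No valid reverse DNS for $sender_host_address
    !verify = reverse_host_lookup

  deny
    message  = $sender_host_address listed in $dnslist_domain
    # placeholder zone name, not a real DNSBL
    dnslists = dynip.dnsbl.example

  accept

acl_check_helo:
  # Flag set at connect time: this phase is skipped for trusted callers.
  accept
    condition = ${if eq{$acl_c_trusted}{yes}}

  # Survivors of the connect checks that still fail the FQDN test are
  # the minority case; the regex only accepts dotted names with a TLD.
  deny
    message   = HELO/EHLO argument must be a fully qualified host name
    condition = ${if match{$sender_helo_name}{\N^(?i)([a-z0-9-]+\.)+[a-z]{2,}$\N}{no}{yes}}

  accept
```

The same `condition = ${if eq{$acl_c_trusted}{yes}}` accept line goes at the top of each later ACL (MAIL, RCPT, DATA) whose checks are considered safe to skip for listed callers.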