Re: [exim] Catching sending domains that resolve to RFC1918 …

Góra strony
Delete this message
Reply to this message
Autor: Bryan Rawlins
Data:  
Dla: exim-users
Temat: Re: [exim] Catching sending domains that resolve to RFC1918 IP space
Stephen Gran wrote:
> On Thu, Mar 19, 2009 at 04:01:57PM -0400, Bryan Rawlins said:
>
>> We recently ran into an issue where we were getting mail from a domain
>> that had an A record that resolved to private IP space. Not a big issue
>> in most circumstances, but since we do store-n-forward spam filtering it
>> became a slight problem because our customer's MTA recognized the
>> sending domain being private IP space and 550'd the message, thus
>> leaving us holding the bag as it were.
>>
>> As a result of the above I developed an ACL to catch these and reject
>> them. There probably isn't a great demand for such a beast, but I
>> though I'd share it.
>>
>
> The default (I think) exim4.conf handles it slightly more elegantly:
> dnslookup:
>   driver = dnslookup
>   domains = ! +local_delivery : ! +relay_to_domains
>   transport = remote_smtp
>   same_domain_copy_routing = yes
>   ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
>                         172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16
>   no_more

>
> then all you have to do is turn on verify = sender (not even callout) -
> the domain will be unroutable.
>
> Cheers,
>

Wow, yeah that would be the more elegant solution. We run a
configuration on these machines that is pretty far removed from the Exim
default, and there are some other constraints specific to our
implementation that prevent us from using the dnslookup router for that
specific check; but I can see that would be the preferred method for
99%+ of the Exim installs in the wild.

The only thing my solution adds is more granular error messages for the
inevitable eventuality of a customer reporting a 'false-positive'.

Thanks for the feedback,
-Bryan Rawlins
OnlyMyEmail