Re: [exim] omit sender verification to certain IPs - possibl…

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: W B Hacker
Ημερομηνία:  
Προς: exim-users
Αντικείμενο: Re: [exim] omit sender verification to certain IPs - possible?
Ted Cooper [Exim-users] wrote:
> On Wed, 22 Apr 2009 09:01:38 +0200, Heiko Schlittermann
> <hs@???> wrote:
>> Mike Cardwell <exim-users@???> (Mi 22 Apr 2009 00:18:54
>> CEST):
>>> Heiko Schlittermann wrote:
>>>> It depends on your ACL configuration. Always you can emply the
>>>> $sender_host_address variable. Or you can use the 'hosts = ..' ACL
>>>> item.
>>> Your suggestion doesn't work. The IP of the connecting host is
>>> irrelevant. It's the IP that a sender callout would connect back to that
>
>>> is relevant.
>> True. You're right. (You told me what I'm telling other people, normally
>> ...) Sorry for the noice. I should think twice before sending :-/
>
> On that note, perhaps whitelisting based on domain is more sensible that
> whitelisting based on IP addresses or a DNS lookup of the MX records.
> Surely if one MX of a domain is taking assertive action against callouts,
> then all of the other MX will too.


One (may) need both .. and more...

Ex:

/var/mail/filters/IP-white

precludes rejection in acl_smtp_connect of a (very) few
misconfigured-but-otherwise-legit sources with bad or missing PTR RR

/var/mail/filters/VIP-pass
adds a 'pass' for any of IP, $domain, and even mached sender and
recipient 'sets'

(lookup is, of necesity for that mix, a 'dumb' string match)

/var/mail/filters/REGEXP-block

blocks on HELO and/oir $domain

IOW - each of these few files may be accessed in different ways at
different points, and ordinarily are looked at several times.

CAVEAT: this is not the most exim-efficient path - but it custs down the
number of places the admin has to do editing or review.

>
> In regards to doing callouts - I don't use them except on suspect
> yahoo|hotmail|aol|lycos|msn|gmail emails, such as those that don't come
> from their own mail servers.


I use 'forgery' detection logic on just over a dozen of the most-seen
(or most commonly forged...) ISP's.

For the past 2 or 3 years the hits on those have declined to the point I
may simply remove them. Early rejection on rDNS fail seems to have wiped
most off the radar.

> For all other cases, either RDNS, HELO,
> greylist, not-quit, or spamhaus has already taken care of them and those
> that make it past that get killed off by header checks or SA. The wishy
> washy answer of a callout - account does not exist on this server vs
> account may exist on this server - just isn't that useful.
>


Possibility of irritating far-end operators quite aside, I'd go further
and say it is a total waste of my resources as well as theirs by the
time the other points you list have been looked at.

OTOH - I've reached the same conclusion w/r greylisting after extensive
running of a couple different versions, so 'YMMV'..

> callouts are also a listing criteria for ips.backscatterer.org which is a
> bit of pain since I use that to get rid of the damn Russian servers that
> insist on accepting emails pretending to be me even though I have SPF
> records and then bounce the result back to me when they can't be delivered.
>


I have yet to see even ONE of those.

OTOH, at last count, we have 68 Russian ISP's blocked outright, plus
more than a few entire IP blocks in ipfw.

;-)

Bill