Author: W B Hacker Date: To: exim-users Subject: Re: [exim] omit sender verification to certain IPs - possible?
Ted Cooper [Exim-users] wrote: > On Wed, 22 Apr 2009 09:01:38 +0200, Heiko Schlittermann
> <hs@???> wrote:
>> Mike Cardwell <exim-users@???> (Mi 22 Apr 2009 00:18:54
>> CEST):
>>> Heiko Schlittermann wrote:
>>>> It depends on your ACL configuration. Always you can emply the
>>>> $sender_host_address variable. Or you can use the 'hosts = ..' ACL
>>>> item.
>>> Your suggestion doesn't work. The IP of the connecting host is
>>> irrelevant. It's the IP that a sender callout would connect back to that
>
>>> is relevant.
>> True. You're right. (You told me what I'm telling other people, normally
>> ...) Sorry for the noice. I should think twice before sending :-/
>
> On that note, perhaps whitelisting based on domain is more sensible that
> whitelisting based on IP addresses or a DNS lookup of the MX records.
> Surely if one MX of a domain is taking assertive action against callouts,
> then all of the other MX will too.
One (may) need both .. and more...
Ex:
/var/mail/filters/IP-white
precludes rejection in acl_smtp_connect of a (very) few
misconfigured-but-otherwise-legit sources with bad or missing PTR RR
/var/mail/filters/VIP-pass
adds a 'pass' for any of IP, $domain, and even mached sender and
recipient 'sets'
(lookup is, of necesity for that mix, a 'dumb' string match)
/var/mail/filters/REGEXP-block
blocks on HELO and/oir $domain
IOW - each of these few files may be accessed in different ways at
different points, and ordinarily are looked at several times.
CAVEAT: this is not the most exim-efficient path - but it custs down the
number of places the admin has to do editing or review.
>
> In regards to doing callouts - I don't use them except on suspect
> yahoo|hotmail|aol|lycos|msn|gmail emails, such as those that don't come
> from their own mail servers.
I use 'forgery' detection logic on just over a dozen of the most-seen
(or most commonly forged...) ISP's.
For the past 2 or 3 years the hits on those have declined to the point I
may simply remove them. Early rejection on rDNS fail seems to have wiped
most off the radar.
> For all other cases, either RDNS, HELO,
> greylist, not-quit, or spamhaus has already taken care of them and those
> that make it past that get killed off by header checks or SA. The wishy
> washy answer of a callout - account does not exist on this server vs
> account may exist on this server - just isn't that useful.
>
Possibility of irritating far-end operators quite aside, I'd go further
and say it is a total waste of my resources as well as theirs by the
time the other points you list have been looked at.
OTOH - I've reached the same conclusion w/r greylisting after extensive
running of a couple different versions, so 'YMMV'..
> callouts are also a listing criteria for ips.backscatterer.org which is a
> bit of pain since I use that to get rid of the damn Russian servers that
> insist on accepting emails pretending to be me even though I have SPF
> records and then bounce the result back to me when they can't be delivered.
>
I have yet to see even ONE of those.
OTOH, at last count, we have 68 Russian ISP's blocked outright, plus
more than a few entire IP blocks in ipfw.
