Re: [exim] Verifying that Spamhaus is working within Exim

Author: Alex Carver
Date:  
To: exim-users
CC: exim-users
Subject: Re: [exim] Verifying that Spamhaus is working within Exim


--- On Sun, 7/12/09, Phil Pennock <exim-users@???> wrote:

> From: Phil Pennock <exim-users@???>
> Subject: Re: [exim] Verifying that Spamhaus is working within Exim
> To: "Alex Carver" <agcme2002@???>
> Cc: exim-users@???
> Date: Sunday, July 12, 2009, 8:45 PM
> On 2009-07-12 at 14:31 -0700, Alex Carver wrote:
> > New question:  Now that I reconfigured and reinserted support for
> > Spamhaus, I haven't seen Exim block an email even though I've seen
> > plenty of emails coming in from domains listed in zen.spamhaus.org
> >
> > Under acl_check_rcpt I have:
> >
> >   deny
> >     message = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
> >     log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
> >     dnslists = zen.spamhaus.org
>
> Where do you have this within acl_check_rcpt?  Note that the ACL is
> worked through in order, so unless you have this stanza before the bit
> which goes:
>   require message = relay not permitted
>           domains = +local_domains : +relay_to_domains
> then Exim won't get as far as checking that.


The RBL segment happens to be below the part you quote so that explains that bit. I just hadn't seen a Spamhaus block in so long I wondered if I had misconfigured it.

>
> Why do you have "X-Warning: " at the start of message?  It's an SMTP
> refusal message, not a header, when you're in deny.


It used to be a warn statement and I just forgot to remove X-Warning.

>
> You probably also want to add some exceptions to that, such as a local
> whitelist, for the times when someone you care about ends up on an RBL.
> Also "!authenticated = *"; eg, my home IP is a residential cable-modem
> IP and if I send mail via my colo server, I'll be using authenticated
> SMTP -- if you need to support remote workers, you'll want to make sure
> that they're not blocked based on source IP.  (Hey, my current home IP
> is on zen, [127.0.0.10]).


This happens to be my personal server but I have a static IP at home so I can send direct (ISP does not block) so I send directly out from here. I don't anticipate ever having an external user beyond perhaps running as a backup MX for someone but that just means they get added to the relay domain list instead.



>
> $ exim -d+acl -bh $bad_ip -bs
> and type in raw SMTP.  This is debugging with extra debugging for ACLs
> turned on.
>


This works very well, thanks. At least I now know that it's actually responding.

> Myself, to help remote administrators debug mail delivery, I have this
> in my connect ACL (amongst other things):
>   accept  !dnslists = [ some local whitelist stuff ]
>           dnslists = zen.spamhaus.org
>           message = ${smtp_active_hostname} ESMTP - NO UCE NO UBE ${tod_log} (UTC)\n\
>                     WARNING: You are on RBL $dnslist_domain: $dnslist_text\n\
>                     Your mail will not be accepted unauthenticated.
>
> The side-effect of multi-line SMTP responses causing problems for flaky
> clients is a side-benefit.
>
> -Phil
>
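
The DNS query behind `dnslists = zen.spamhaus.org`, and how to read a `$dnslist_value` such as the 127.0.0.10 mentioned above, as an added example that is not part of the original messages. The function names are hypothetical, and the return-code table is an assumption taken from Spamhaus's public documentation rather than from this thread.

```python
import ipaddress

# Return codes published by Spamhaus for the combined ZEN zone. Assumption:
# taken from Spamhaus's public documentation, not from this thread (the
# thread only mentions 127.0.0.10).
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.9": "SBL DROP",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Build the RFC 5782 query name: reversed address labels + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        # IPv6 is queried nibble by nibble, like ip6.arpa names.
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def classify(answers):
    """Interpret the A records returned for a ZEN query.

    Returns (verdict, lists): "not listed" for an empty answer (NXDOMAIN),
    "error" when the zone answered with a 127.255.255.x status code
    (a refused or malformed query, not a listing), otherwise "listed".
    """
    if not answers:
        return ("not listed", [])
    if any(ipaddress.ip_address(a) in ERROR_NET for a in answers):
        return ("error", sorted(answers))
    return ("listed", sorted({ZEN_CODES.get(a, "unknown code " + a) for a in answers}))


if __name__ == "__main__":
    # Constructed sample: 127.0.0.2 is the test entry that RFC 5782
    # requires IPv4 DNSBLs to list.
    print(dnsbl_query_name("127.0.0.2"))
    print(classify(["127.0.0.10"]))
```

Resolving the generated name with `dig` or `host` from the mail server itself shows what Exim's resolver receives; a 127.255.255.x answer means the query was refused, which a bare `dnslists = zen.spamhaus.org` condition cannot tell apart from a real listing.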