Autor: Alex Carver Data: Para: exim-users CC: exim-users Asunto: Re: [exim] Verifying that Spamhaus is working within Exim
--- On Sun, 7/12/09, Phil Pennock <exim-users@???> wrote:
> From: Phil Pennock <exim-users@???>
> Subject: Re: [exim] Verifying that Spamhaus is working within Exim
> To: "Alex Carver" <agcme2002@???>
> Cc: exim-users@???
> Date: Sunday, July 12, 2009, 8:45 PM
> On 2009-07-12 at 14:31 -0700, Alex
> Carver wrote:
> > New question: Now that I reconfigured and
> reinserted support for Spamhaus, I haven't seen Exim block
> an email even though I've seen plenty of emails coming in
> from domains listed in zen.spamhaus.org
> >
> > Under acl_check_rcpt I have:
> >
> > deny
> > message = X-Warning:
> $sender_host_address is listed at $dnslist_domain
> ($dnslist_value: $dnslis
> > t_text)
> > log_message =
> $sender_host_address is listed at $dnslist_domain
> ($dnslist_value: $dnslist_text)
> > dnslists = zen.spamhaus.org
>
> Where do you have this within acl_check_rcpt? Note
> that the ACL is
> worked through in order, so unless you have this stanza
> before the bit
> which goes:
> require message = relay not permitted
> domains = +local_domains
> : +relay_to_domains
> then Exim won't get as far as checking that.
The RBL segment happens to be below the part you quote so that explains that bit. I just hadn't seen a spamhaus block in so long I wondered if I had misconfigured it.
>
> Why do you have "X-Warning: " at the start of
> message? It's an SMTP
> refusal message, not a header, when you're in deny.
It used to be a warn statement and I just forgot to remove X-Warning.
>
> You probably also want to add some exceptions to that, such
> as a local
> whitelist, for the times when someone you care about ends
> up on an RBL.
> Also "!authenticated = *"; eg, my home IP is a residential
> cable-modem
> IP and if I send mail via my colo server, I'll be using
> authenticated
> SMTP -- if you need to support remote workers, you'll want
> to make sure
> that they're not blocked based on source IP. (Hey, my
> current home IP
> is on zen, [127.0.0.10]).
This happens to be my personal server but I have a static IP at home so I can send direct (ISP does not block) so I send directly out from here. I don't anticipate ever having an external user beyond perhaps running as a backup MX for someone but that just means they get added to the relay domain list instead.
>
> $ exim -d+acl -bh $bad_ip -bs
> and type in raw SMTP. This is debugging with extra
> debugging for ACLs
> turned on.
>
This works very well, thanks. At least I now know that it's actually responding.
> Myself, to help remote administrators debug mail delivery,
> I have this
> in my connect ACL (amongst other things):
> accept !dnslists = [ some local whitelist
> stuff ]
> dnslists =
> zen.spamhaus.org
> message =
> ${smtp_active_hostname} ESMTP - NO UCE NO UBE ${tod_log}
> (UTC)\n\
>
> WARNING: You are on RBL $dnslist_domain:
> $dnslist_text\n\
>
> Your mail will not be accepted
> unauthenticated.
>
> The side-effect of multi-line SMTP responses causing
> problems for flaky
> clients is a side-benefit.
>
> -Phil
>