Re: [exim] Detect missing reverse dns

Góra strony
Delete this message
Reply to this message
Autor: Todd Lyons
Data:  
Dla: Ian P. Christian
CC: Exim Mailing List, MarkdV
Temat: Re: [exim] Detect missing reverse dns
On Mon, Jul 27, 2009 at 4:41 AM, Ian P. Christian<pookey@???> wrote:
> 2009/7/26 MarkdV <markdv.exim@???>:
>> You seem to advocate this every chance you get. :)
>
> Hm, sorry :)
> My reasoning is below... I'll try not the shout so much about it on
> list outside of this thread though!
>
>> I'm thinking of trying something like this in acl_smtp_mail:
>>
>>  defer
>>  ! sender        = :
>>  ! dnslists      = list.dnswl.org
>>  ! verify        = reverse_host_lookup
>>  ! verify        = helo
>>    ratelimit     = X_DNS_HELO_LIMIT / per_mail / leaky /
>> $sender_host_address
>>    message       = Ratelimited. Fix your (r)DNS and/or HELO for faster
>> deliveries.
>
> I do similar elsewhere deeper down in my checks.
>
>> Guess what we _really_ need is for hotmail and gmail and some such to
>> start requiring proper dns - and helo's IMHO. But as long as it means
>> rejecting significant amounts of ham that's not gonna happen. None of
>> them will want to be known for rejecting more ham than the other... If
>> they would team-up though... Then the whole 'missing ham' problem would
>> also fix itself because everyone would run to fix their dns (and helos)
>> to be able to deliver to hotmail and gmail.
>
> Well, your argument is pretty much in line with mine.  As mentioned
> previously in this topic, AOL already block lack of rDNS.  We too have
> a lot of DSL customers (not as many as you ;) ), and I am putting a
> little load on our support department with 'wheres my mail' kind of
> questions - but we're dealing with them just fine.  I think what we
> need is people to have the balls to make this call, and stick to it.
> Don't allow people though if they haven't setup their mail servers
> correctly.  If the medium/large mail providers start forcing sensible
> policies, people running badly configured servers will be forced to
> change.
>
> I see some people on list clearly don't agree with me, the majority of
> which is people saying it will block legitimate mail though... so, if
> you do disagree, how about using Mark's suggestion of his ACL above?
>
> --
> Blog: http://pookey.co.uk/blog
> Follow me on twitter: http://twitter.com/ipchristian
>
> --
> ## List details at http://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>


Since implementing a greylist only for IP's with no rDNS last week, I
see the following stats (on one mailserver only):

CentOS52[root@ivwm52 ~]# grep "greylist for"
/var/log/exim/main.log{,.1} | wc -l
5517
CentOS52[root@ivwm52 ~]# grep "PASS GREYLIST"
/var/log/exim/main.log{,.1} | wc -l
972

So about 17% of deferred email actually gets retried and delivered.
My statistics may be skewed compared to yours because on this system,
a sizable percentage of our customers are Taiwan or Hong Kong based,
and many servers in that area of the world just seem to have no rDNS.

I will send another email with my implementation details and code.
It's still a work in progress, but it works very well for me.
Dropping 80% of some class of emails is a statistic that is good no
matter how you look at it.
-- 
Regards...      Todd