[exim] Backscatter & Sender callouts.

Author: Grant Peel
Date:  
To: exim-users
Subject: [exim] Backscatter & Sender callouts.
Hi all,

I am having a problem with a server getting listed on ips.backscatterer.org.

I have been researching and reviewing the config shown below, but am not 'getting it'.

I want to allow bounces to local addresses only.

Also, I am not so sure I understand the verify / callback process vs. the config below.

If anyone cares to review it and comment, I would be grateful.

-Grant

######################################################################
#                    MAIN CONFIGURATION SETTINGS                     #
######################################################################
primary_hostname = thishost.mydomain.com
domainlist local_domains = /etc/virtual/domains
domainlist filtered_domains = /etc/virtual/filtered_domains
hostlist filtering_hosts = /etc/virtual/filtering_hosts
domainlist relay_to_domains =
hostlist relay_from_hosts = /etc/virtual/domains
hostlist blacklisted_domains = /etc/virtual/blacklist
hostlist spf_bypass = /etc/virtual/spf_bypass
hostlist whitelist = /etc/virtual/whitelist
acl_smtp_rcpt = acl_check_rcpt
trusted_users = mailnull:root:webmail:www
exim_user = mailnull
exim_group = mail
never_users =
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 5s
ignore_bounce_errors_after = 0s
timeout_frozen_after = 0s
auto_thaw = 6h
return_path_remove
untrusted_set_sender = *
helo_allow_chars = _
daemon_smtp_ports = 25 : 109 : 587
bounce_message_file = /usr/local/etc/exim/bounce_message_file
warn_message_file = /usr/local/etc/exim/warn_message_file
return_size_limit = 10000
bounce_return_message = false
delay_warning = 72h
smtp_accept_max = 100
smtp_accept_max_per_host = 10
smtp_return_error_details = yes
log_selector = +incoming_interface +deliver_time +delivery_size +received_sender \
+received_recipients +sender_on_delivery +subject +address_rewrite +all_parents


# log_selector = +all
#
# My Attempt at greylisting
#

hide mysql_servers = localhost/exim_db/exim/password:

GREYLIST_TEST = SELECT IF(NOW() > block_expires, 2, 1) \
                FROM exim_greylist \
                WHERE relay_ip = '${quote_mysql:$sender_host_address}' \
                AND from_domain = '${quote_mysql:$sender_address_domain}' \
                AND record_expires > NOW()


GREYLIST_ADD  = INSERT INTO exim_greylist \
                SET relay_ip = '${quote_mysql:$sender_host_address}', \
                from_domain = '${quote_mysql:$sender_address_domain}', \
                block_expires = DATE_ADD(NOW(), INTERVAL 1 MINUTE), \
                record_expires = DATE_ADD(NOW(), INTERVAL 14 DAY), \
                origin_type = 'AUTO', \
                create_time = NOW()


GREYLIST_UPDATE = UPDATE exim_greylist \
                SET record_expires = DATE_ADD(now(), INTERVAL 14 DAY) \
                WHERE relay_ip = '${quote_mysql:$sender_host_address}' \
                AND from_domain = '${quote_mysql:$sender_address_domain}' \
                AND record_expires > NOW()


######################################################################
#                       ACL CONFIGURATION                            #
#         Specifies access control lists for incoming SMTP mail      #
######################################################################


begin acl

acl_check_rcpt:
        accept  hosts           = :
        deny    local_parts     = ^.*[@%!/|] : ^\\.
        accept  authenticated   = *
                endpass
        accept  hosts           = +relay_from_hosts
                endpass


############################################################################################
# Mail is being rejected on some hosts because the mail MX is only set to a mail filtering system
# and our server is rejecting it because some mail servers see the lesser priority
# MX and try our server directly instead of going through the mail filtering system.
# UPDATE: All secondary MXs removed from DNS zones. Re-enabled Monday Oct 5 2009.
        accept  domains         = +filtered_domains
                hosts           = +filtering_hosts
                verify          = recipient
        deny    message         = Please use the public MX server for the domain $domain
                domains         = +filtered_domains
                hosts           = !+filtering_hosts
###########################################################################################


        deny    senders         = :
                condition       = ${if > {$recipients_count}{2}{1}}
                message         = Bounces must have only a single recipient
                log_message     = BACKSCATTER - RECIPIENTS $recipients_count
        deny    message         = rejected because $sender_host_address was \
                                found in our blacklist
                hosts           = +blacklisted_domains
                log_message     = BLACKLISTED DOMAIN FOUND IN $blacklisted_domains
        deny
                ! condition    = ${lookup dnsdb{defer_never,ptr=$sender_host_address}{yes}}
                log_message    = NO PTR [rDNS] FOUND FOR $sender_host_address
                message        = We do not accept mail from hosts with missing \
                                or incorrect rDNS.
        deny    senders         = :
                ! hosts         = +whitelist
                dnslists        = ips.backscatterer.org
                message         = This message looks like a bounce, and your server is listed at \
                                ips.backscatterer.org, so I assume that this is "backscatter". \
                                Please configure your mail server to not send "backscatter spam". \
                                For advice, try http://www.dontbouncespam.org/
                log_message     = BACKSCATTER - INCOMING
                warn set acl_m2 = ${lookup mysql{GREYLIST_TEST}{$value}{0}}
        defer   ! hosts         = +whitelist
                ! hosts         = +relay_from_hosts
                ! authenticated = *
                condition       = ${if eq{$acl_m2}{0}{yes}}
                condition       = ${lookup mysql{GREYLIST_ADD}{yes}{no}}
                message         = Now greylisted - please try again in 1 minute.
                log_message     = ADDING TO GREYLIST
        defer   ! hosts         = +whitelist
                ! hosts         = +relay_from_hosts
                ! authenticated = *
                condition       = ${if eq{$acl_m2}{1}{yes}}
                message         = Still greylisted - please try again in 1 minute.
                log_message     = STILL GREYLISTED
        defer
                ! hosts         = +whitelist
                ! hosts         = +relay_from_hosts
                ! authenticated = *
                condition       = ${lookup mysql{GREYLIST_UPDATE}{no}{no}}
                message         = Greylist update failed
                log_message     = GREYLIST UPDATE FAILED
        require verify          = sender
        accept  hosts           = +spf_bypass
                spf             = fail
                logwrite        = SPF - REFLEXION $sender_host_address is OK for \
                                $sender_address_domain
        deny    message         = SPF - INCOMING $sender_host_address \
                                is not allowed to send mail from $sender_address_domain
                spf             = fail
        accept  domains         = +local_domains
                endpass
                message         = unknown user
                verify          = recipient
        accept  domains         = +relay_to_domains
                endpass
                message         = unrouteable address
                verify          = recipient


######################################################################
#                      ROUTERS CONFIGURATION                         #
#               Specifies how addresses are handled                  #
######################################################################
#     THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT!       #
# An address is passed to each router in turn until it is accepted.  #
######################################################################


begin routers

dnslookup_ccio:
driver = dnslookup
domains = ! +local_domains
condition = ${if eq {$sender_address_domain}{ccio.on.ca}{Yes}{No}}
transport = remote_smtp_ccio
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

dnslookup_owm:
driver = dnslookup
domains = ! +local_domains
condition = ${if eq {$sender_host_address}{127.0.0.1} {yes}{no}}
transport = remote_smtp_owm
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

dnslookup_local:
driver = dnslookup
domains = ! +local_domains
condition = ${lookup {$sender_address_domain} lsearch {/etc/virtual/domains} {yes}{no}}
transport = remote_smtp_local
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

dnslookup_bounce:
driver = dnslookup
domains = ! +local_domains
condition = ${if eq {$sender_address_local_part}{} {yes}{no}}
transport = remote_smtp_bounce
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

dnslookup_alias:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp_alias
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

spamcheck_router:
driver = accept
no_verify
condition = "${if and { {!def:h_X-Spam-Flag:} {!eq {$received_protocol}\
{spam-scanned}}} {1}{0}}"
transport = spamcheck

virtual_alias:
driver = redirect
allow_defer
allow_fail
data = ${lookup {$local_part} lsearch {/home/$domain/mail/aliases}}
domains = /etc/virtual/domains
require_files = /home/$domain/mail/aliases
condition = ${lookup {$local_part} lsearch {/home/$domain/mail/aliases} {yes}{no}}
qualify_preserve_domain
retry_use_local_part
check_ancestor
one_time
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply

autoreply_router:
driver = accept
require_files = /home/$domain/mail/auto-replies/$local_part
transport = autoreply_transport
no_verify
unseen

virtual_localuser:
driver = accept
require_files = /etc/virtual/$domain/passwd
domains = /etc/virtual/domains
condition = ${lookup {$local_part} lsearch {/etc/virtual/$domain/passwd}{$value}}
transport = virtual_localdelivery

virtual_catchall:
driver = redirect
allow_defer
allow_fail
data = ${lookup {catchall} lsearch {/home/$domain/mail/aliases}}
domains = /etc/virtual/domains
require_files = /home/$domain/mail/aliases
condition = ${lookup {catchall}lsearch{/home/$domain/mail/aliases} {yes}{no}}
qualify_preserve_domain
retry_use_local_part
check_ancestor
one_time
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply

localuser:
driver = accept
check_local_user
condition = ${lookup {$sender_helo_name} lsearch {/etc/virtual/domains}{YES}{NO}}
transport = local_delivery

######################################################################
#                      TRANSPORTS CONFIGURATION                      #
######################################################################
#                       ORDER DOES NOT MATTER                        #
#     Only one appropriate transport is called for each delivery.    #
######################################################################
begin transports


remote_smtp_ccio:
        driver = smtp
        return_path_add = true
        interface = 207.112.4.160
        helo_data = webmail.ccio.on.ca


remote_smtp_owm:
        driver = smtp
        helo_data       = $sender_address_domain
#       interface       = ${lookup dnsdb{a=${lookup dnsdb{mxh=$sender_address_domain}}}}
        return_path_add = true


remote_smtp_local:
        driver          = smtp
#       interface       = ${lookup dnsdb{a=${lookup dnsdb{mxh=$sender_address_domain}}}}
        helo_data       = $sender_address_domain
        return_path_add = true


remote_smtp_alias:
        driver          = smtp
        helo_data       = $parent_domain
#       interface       = ${lookup dnsdb{a=${lookup dnsdb{mxh=$parent_domain}}}}
        return_path_add = true


remote_smtp_bounce:
        driver = smtp
        helo_data = ${lookup dnsdb{defer_never,ptr=$interface_address}{$value}{$primary_hostname}}
#       interface = $interface_address
        return_path_add = true


autoreply_transport:
driver = pipe
command = /usr/local/bin/autoreply.pl /home/$domain/mail/auto-replies/$local_part

spamcheck:
driver = pipe
command = /usr/local/sbin/exim -oMr spam-scanned -bS
use_bsmtp = true
transport_filter = /usr/local/bin/spamc -u ${lookup{$domain}lsearch{/etc/virtual/domains_users}}
home_directory = "/tmp"
current_directory = "/tmp"
# must use a privileged user to set $received_protocol on the way back in!
user = mailnull
group = mailnull
log_output = true
return_fail_output = false
return_path_add
message_prefix =
message_suffix =

virtual_localdelivery:
driver = appendfile
create_directory = true
directory_mode = 700
file = /var/spool/virtual/${domain}/${local_part}
headers_remove = "Bcc"
return_path_add
user = ${lookup{$domain}lsearch{/etc/virtual/domains_users}}
group = mail
mode = 660

local_delivery:
driver = appendfile
file = /$home/mail/$local_part
delivery_date_add
envelope_to_add
return_path_add
user = mailnull
group = mail
mode = 0660

address_pipe:
driver = pipe
return_output
user = me

address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add

address_reply:
driver = autoreply

######################################################################
#                      RETRY CONFIGURATION                           #
######################################################################


begin retry

# Domain               Error       Retries
# ------               -----       -------
*                      quota_7d
*                      quota       F,72h,1h;
*                      *           F,30m,1m; F,90m,5m; F,22h,30m; F,144h,60m


######################################################################
#                      REWRITE CONFIGURATION                         #
######################################################################


# There are no rewriting specifications in this default configuration file.

begin rewrite

######################################################################
#                   AUTHENTICATION CONFIGURATION                     #
######################################################################


# There are no authenticator specifications in this default configuration file.

begin authenticators

# For Netscape/Mozilla
plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = "${if and{ {!eq{$2}{}}{!eq{$3}{}} \
   {crypteq {$3} {${lookup {${local_part:$2}} lsearch \
                            {/etc/virtual/${domain:$2}/passwd}\
                            {$value} {*:*}}}} } {1}{0}}"
  server_set_id = $2


# For Outlook/Outlook Express
login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = "${if and{ {!eq{$1}{}}{!eq{$2}{}} \
   {crypteq {$2} {${lookup {${local_part:$1}} lsearch \
                            {/etc/virtual/${domain:$1}/passwd}\
                            {$value} {*:*}}}} } {1}{0}}"
  server_set_id = $1


# End of Exim configuration file
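An added example, not part of Grant's posted configuration, showing the head of acl_check_rcpt rewritten to do what the question asks: accept empty-sender (bounce) mail only when it is addressed to a single recipient in a local domain, while keeping sender verification free of callouts. It assumes the domainlist local_domains and hostlist relay_from_hosts from the main section above.

```exim
# Added example (not the configuration posted above): the head of an RCPT ACL
# that accepts bounce messages for one local recipient only.
# Assumes the domainlist local_domains and hostlist relay_from_hosts defined in
# the main section; the greylisting, blacklist and SPF statements from the
# posted config would go between the bounce checks and the final accept.

acl_check_rcpt:
        # Local (non-SMTP) submissions, authenticated clients and relay hosts
        # are accepted before any bounce policy applies.
        accept  hosts           = :
        accept  authenticated   = *
                endpass
        accept  hosts           = +relay_from_hosts
                endpass

        # An empty envelope sender marks a bounce. It may only be addressed to
        # one of our own domains; anything else is backscatter aimed at a third
        # party and is refused at RCPT time, before DATA.
        deny    senders         = :
                ! domains       = +local_domains
                message         = Bounces are accepted for local addresses only
                log_message     = BACKSCATTER - NON-LOCAL BOUNCE FOR $local_part@$domain

        # $recipients_count holds the recipients accepted so far in this message,
        # so it is 0 for the first RCPT TO and 1 when a second one arrives.
        deny    senders         = :
                condition       = ${if >{$recipients_count}{0}}
                message         = Bounces must have only a single recipient
                log_message     = BACKSCATTER - EXTRA RECIPIENT $local_part@$domain

        # Sender verification by routing only; an empty sender always verifies.
        # Adding /callout here would make this host send MAIL FROM:<> probes to
        # other sites' MXs, which ips.backscatterer.org lists in the same way as
        # misdirected bounces, so it is deliberately left out.
        require verify          = sender
                message         = Sender address $sender_address does not verify

        # Reject unknown local users now, so no bounce is generated for them
        # after the message has been accepted.
        accept  domains         = +local_domains
                endpass
                message         = unknown user
                verify          = recipient

        # Everything else is relaying, which is not permitted.
        deny    message         = relay not permitted
```

Exim evaluates an ACL top to bottom, so the two bounce checks must sit before any accept statement that could pass a null-sender message.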
From t.baer@??? Wed Oct 28 21:12:31 2009
Message-ID: <4AE8B3BC.70901@???>
Date: Wed, 28 Oct 2009 22:12:28 +0100
From: Torsten <t.baer@???>
To: exim-users@???
Subject: Re: [exim] Drop smtp connection before authentication


Hi Dean,

this sounds really good.
Could you please describe how this works? For example: after 15 failures
the client is blocked for 2 hours.
If you don't mind, a sample configuration file would be really helpful.
Thank you very much.

Regards
Torsten


Dean Brooks wrote:
> Here's what we use to automatically control failed authentication
> attempts.
> If you have this in place, your server will automatically begin rejecting
> hosts that send repeated auth failure attempts.
>
> You can change the BADAUTH_LIMIT macro to any rate you like, but we use
> 15 failed attempts in 2 hours as the threshold.
>
> In the global config section of your config:
>
>    BADAUTH_LIMIT = 15 / 2h
>
>    acl_smtp_connect = check_connection
>    acl_smtp_quit = check_quit
>    acl_smtp_notquit = check_notquit
>
> In the ACL section of your config:
>
>    check_connection:
>        drop message   = Too many failed authentication attempts
>             ratelimit = BADAUTH_LIMIT / noupdate / badauth:$sender_host_address
>
>    check_quit:
>        accept condition = ${if eq{$authentication_failed}{1}}
>               ratelimit = BADAUTH_LIMIT / badauth:$sender_host_address
>
>    check_notquit:
>        accept condition = ${if eq{$authentication_failed}{1}}
>               ratelimit = BADAUTH_LIMIT / badauth:$sender_host_address
>
> We need the rate limiting portion in BOTH the "quit" and "notquit" sections
> for this to work properly, as you don't know how the connection will
> end up closing.
>
> You also don't want to put the ratelimiting in the RCPT or DATA section,
> because the connection will never get that far (they haven't authenticated!).
> You can't put it in the MAIL section either because, again, they haven't
> authenticated.
>
> Thought someone else might find this useful. Rate limits are fun. :)
>
> --
> Dean Brooks
> dean@???