Re: [exim] Backscatter & Sender callouts.

Góra strony
Delete this message
Reply to this message
Autor: David Saez Padros
Data:  
Dla: Grant Peel
CC: exim-users
Temat: Re: [exim] Backscatter & Sender callouts.
Hi

i would not mind about being listed at ips.backscatterer.org,
in fact we use this list as a list of real mail servers to
avoid doing things like greylisting, etc ... on that hosts

> Hi all,
>
> I am having a problem with a server getting listed on ips.backscatterer.org.
>
> I have been researchng and reviewing the config shown below, but am not 'getting it'.
>
> I want to allow bounces to local addresses only.
>
> Also, I am not so sure I understand the verify / callback process vrs. the config below.
>
> If anyone cares to review it and comment, I would be greatful.
>
> -Grant
>
> ######################################################################
> #                    MAIN CONFIGURATION SETTINGS                     #
> ######################################################################
> primary_hostname = thishost.mydomain.com
> domainlist local_domains = /etc/virtual/domains
> domainlist filtered_domains = /etc/virtual/filtered_domains
> hostlist filtering_hosts = /etc/virtual/filtering_hosts
> domainlist relay_to_domains =
> hostlist relay_from_hosts = /etc/virtual/domains
> hostlist blacklisted_domains = /etc/virtual/blacklist
> hostlist spf_bypass = /etc/virtual/spf_bypass
> hostlist whitelist = /etc/virtual/whitelist
> acl_smtp_rcpt = acl_check_rcpt
> trusted_users = mailnull:root:webmail:www
> exim_user = mailnull
> exim_group = mail
> never_users =
> host_lookup = *
> rfc1413_hosts = *
> rfc1413_query_timeout = 5s
> ignore_bounce_errors_after = 0s
> timeout_frozen_after = 0s
> auto_thaw = 6h
> return_path_remove
> untrusted_set_sender = *
> helo_allow_chars = _
> daemon_smtp_ports = 25 : 109 : 587
> bounce_message_file = /usr/local/etc/exim/bounce_message_file
> warn_message_file = /usr/local/etc/exim/warn_message_file
> return_size_limit = 10000
> bounce_return_message = false
> delay_warning = 72h
> smtp_accept_max = 100
> smtp_accept_max_per_host = 10
> smtp_return_error_details = yes
> log_selector = +incoming_interface +deliver_time +delivery_size +received_sender \
> +received_recipients +sender_on_delivery +subject +address_rewrite +all_parents

>
> # log_selector = +all
> #
> # My Attempt at greylisting
> #
>
> hide mysql_servers = localhost/exim_db/exim/password:
>
> GREYLIST_TEST = SELECT IF(NOW() > block_expires, 2, 1) \
>                 FROM exim_greylist \
>                 WHERE relay_ip = '${quote_mysql:$sender_host_address}' \
>                 AND from_domain = '${quote_mysql:$sender_address_domain}' \
>                 AND record_expires > NOW()

>
> GREYLIST_ADD  = INSERT INTO exim_greylist \
>                 SET relay_ip = '${quote_mysql:$sender_host_address}', \
>                 from_domain = '${quote_mysql:$sender_address_domain}', \
>                 block_expires = DATE_ADD(NOW(), INTERVAL 1 MINUTE), \
>                 record_expires = DATE_ADD(NOW(), INTERVAL 14 DAY), \
>                 origin_type = 'AUTO', \
>                 create_time = NOW()

>
> GREYLIST_UPDATE = UPDATE exim_greylist \
>                 SET record_expires = DATE_ADD(now(), INTERVAL 14 DAY) \
>                 WHERE relay_ip = '${quote_mysql:$sender_host_address}' \
>                 AND from_domain = '${quote_mysql:$sender_address_domain}' \
>                 AND record_expires > NOW()

>
> ######################################################################
> #                       ACL CONFIGURATION                            #
> #         Specifies access control lists for incoming SMTP mail      #
> ######################################################################

>
> begin acl
>
> acl_check_rcpt:
>         accept  hosts           = :
>         deny    local_parts     = ^.*[@%!/|] : ^\\.
>         accept  authenticated   = *
>                 endpass
>         accept  hosts           = +relay_from_hosts
>                 endpass

>
> ############################################################################################
> # Mail is being rejected on some hosts because the mail MX is only set to a mail filtering system
> # and our server is rejecting it because some mail servers see the lesser priorty
> # MX and try to oour server directly instead of going though the mail filtering system.
> # UPDATE: All secondary MXs removed from DNS zones. Reenabled monday Oct 5 2009.
>         accept  domains         = +filtered_domains
>                 hosts           = +filtering_hosts
>                 verify          = recipient
>         deny    message         = Please use the public MX server for the domain $domain
>                 domains         = +filtered_domains
>                 hosts           = !+filtering_hosts
> ###########################################################################################

>
>         deny    senders         = :
>                 condition       = ${if > {$recipients_count}{2}{1}}
>                 message         = Bounces must have only a single recipient
>                 log_message     = BACKSCATTER - RECIPIENTS $recipients_count
>         deny    message         = rejected because $sender_host_address was \
>                                 found in our blacklist
>                 hosts           = +blacklisted_domains
>                 log_message     = BLACKLISTED DOMAIN FOUND IN $blacklisted_domains
>         deny
>                 ! condition    = ${lookup dnsdb{defer_never,ptr=$sender_host_address}{yes}}
>                 log_message    = NO PTR [rDNS] FOUND FOR $sender_host_address
>                 message        = We do not accept mail from hosts with missing \
>                                 or incorrect rDNS.
>         deny    senders         = :
>                 ! hosts         = +whitelist
>                 dnslists        = ips.backscatterer.org
>                 message         = This message looks like a bounce, and your server is listed at \
>                                 ips.backscatterer.org, so I assume that this is "backscatter". \
>                                 Please configure your mail server to not send "backscatter spam". \
>                                 For advice, try http://www.dontbouncespam.org/
>                 log_message     = BACKSCATTER - INCOMING
>                 warn set acl_m2 = ${lookup mysql{GREYLIST_TEST}{$value}{0}}
>         defer   ! hosts         = +whitelist
>                 ! hosts         = +relay_from_hosts
>                 ! authenticated = *
>                 condition       = ${if eq{$acl_m2}{0}{yes}}
>                 condition       = ${lookup mysql{GREYLIST_ADD}{yes}{no}}
>                 message         = Now greylisted - please try again in 1 minute.
>                 log_message     = ADDING TO GREYLIST
>         defer   ! hosts         = +whitelist
>                 ! hosts         = +relay_from_hosts
>                 ! authenticated = *
>                 condition       = ${if eq{$acl_m2}{1}{yes}}
>                 message         = Still greylisted - please try again in 1 minute.
>                 log_message     = STILL GREYLISTED
>         defer
>                 ! hosts         = +whitelist
>                 ! hosts         = +relay_from_hosts
>                 ! authenticated = *
>                 condition       = ${lookup mysql{GREYLIST_UPDATE}{no}{no}}
>                 message         = Greylist update failed
>                 log_message     = GREYLIST UPDATE FAILED
>         require verify          = sender
>         accept  hosts           = +spf_bypass
>                 spf             = fail
>                 logwrite        = SPF - REFLEXION $sender_host_address is OK for \
>                                 $sender_address_domain
>         deny    message         = SPF - INCOMING $sender_host_address \
>                                 is not allowed to send mail from $sender_address_domain
>                 spf             = fail
>         accept  domains         = +local_domains
>                 endpass
>                 message         = unknown user
>                 verify          = recipient
>         accept  domains         = +relay_to_domains
>                 endpass
>                 message         = unrouteable address
>                 verify          = recipient

>
> ######################################################################
> #                      ROUTERS CONFIGURATION                         #
> #               Specifies how addresses are handled                  #
> ######################################################################
> #     THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT!       #
> # An address is passed to each router in turn until it is accepted.  #
> ######################################################################

>
> begin routers
>
> dnslookup_ccio:
> driver = dnslookup
> domains = ! +local_domains
> condition = ${if eq {$sender_address_domain}{ccio.on.ca}{Yes}{No}}
> transport = remote_smtp_ccio
> ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
> no_more
>
> dnslookup_owm:
> driver = dnslookup
> domains = ! +local_domains
> condition = ${if eq {$sender_host_address}{127.0.0.1} {yes}{no}}
> transport = remote_smtp_owm
> ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
> no_more
>
> dnslookup_local:
> driver = dnslookup
> domains = ! +local_domains
> condition = ${lookup {$sender_address_domain} lsearch {/etc/virtual/domains} {yes}{no}}
> transport = remote_smtp_local
> ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
> no_more
>
> dnslookup_bounce:
> driver = dnslookup
> domains = ! +local_domains
> condition = ${if eq {$sender_address_local_part}{} {yes}{no}}
> transport = remote_smtp_bounce
> ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
> no_more
>
> dnslookup_alias:
> driver = dnslookup
> domains = ! +local_domains
> transport = remote_smtp_alias
> ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
> no_more
>
> spamcheck_router:
>    driver = accept
>    no_verify
>    condition = "${if and { {!def:h_X-Spam-Flag:} {!eq {$received_protocol}\
>    {spam-scanned}}} {1}{0}}"
>    transport = spamcheck

>
> virtual_alias:
> driver = redirect
> allow_defer
> allow_fail
> data = ${lookup {$local_part} lsearch {/home/$domain/mail/aliases}}
> domains = /etc/virtual/domains
> require_files = /home/$domain/mail/aliases
> condition = ${lookup {$local_part} lsearch {/home/$domain/mail/aliases} {yes}{no}}
> qualify_preserve_domain
> retry_use_local_part
> check_ancestor
> one_time
> file_transport = address_file
> pipe_transport = address_pipe
> reply_transport = address_reply
>
> autoreply_router:
> driver = accept
> require_files = /home/$domain/mail/auto-replies/$local_part
> transport = autoreply_transport
> no_verify
> unseen
>
> virtual_localuser:
> driver = accept
> require_files = /etc/virtual/$domain/passwd
> domains = /etc/virtual/domains
> condition = ${lookup {$local_part} lsearch {/etc/virtual/$domain/passwd}{$value}}
> transport = virtual_localdelivery
>
> virtual_catchall:
> driver = redirect
> allow_defer
> allow_fail
> data = ${lookup {catchall} lsearch {/home/$domain/mail/aliases}}
> domains = /etc/virtual/domains
> require_files = /home/$domain/mail/aliases
> condition = ${lookup {catchall}lsearch{/home/$domain/mail/aliases} {yes}{no}}
> qualify_preserve_domain
> retry_use_local_part
> check_ancestor
> one_time
> file_transport = address_file
> pipe_transport = address_pipe
> reply_transport = address_reply
>
> localuser:
> driver = accept
> check_local_user
> condition = ${lookup {$sender_helo_name} lsearch {/etc/virtual/domains}{YES}{NO}}
> transport = local_delivery
>
> ######################################################################
> #                      TRANSPORTS CONFIGURATION                      #
> ######################################################################
> #                       ORDER DOES NOT MATTER                        #
> #     Only one appropriate transport is called for each delivery.    #
> ######################################################################
> begin transports

>
> remote_smtp_ccio:
>         driver = smtp
>         return_path_add = true
>         interface = 207.112.4.160
>         helo_data = webmail.ccio.on.ca

>
> remote_smtp_owm:
>         driver = smtp
>         helo_data       = $sender_address_domain
> #       interface       = ${lookup dnsdb{a=${lookup dnsdb{mxh=$sender_address_domain}}}}
>         return_path_add = true

>
> remote_smtp_local:
>         driver          = smtp
> #       interface       = ${lookup dnsdb{a=${lookup dnsdb{mxh=$sender_address_domain}}}}
>         helo_data       = $sender_address_domain
>         return_path_add = true

>
> remote_smtp_alias:
>         driver          = smtp
>         helo_data       = $parent_domain
> #       interface       = ${lookup dnsdb{a=${lookup dnsdb{mxh=$parent_domain}}}}
>         return_path_add = true

>
> remote_smtp_bounce:
>         driver = smtp
>         helo_data = ${lookup dnsdb{defer_never,ptr=$interface_address}{$value}{$primary_hostname}}
> #       interface = $interface_address
>         return_path_add = true

>
> autoreply_transport:
> driver = pipe
> command = /usr/local/bin/autoreply.pl /home/$domain/mail/auto-replies/$local_part
>
> spamcheck:
> driver = pipe
> command = /usr/local/sbin/exim -oMr spam-scanned -bS
> use_bsmtp = true
> transport_filter = /usr/local/bin/spamc -u ${lookup{$domain}lsearch{/etc/virtual/domains_users}}
> home_directory = "/tmp"
> current_directory = "/tmp"
> # must use a privileged user to set $received_protocol on the way back in!
> user = mailnull
> group = mailnull
> log_output = true
> return_fail_output = false
> return_path_add
> message_prefix =
> message_suffix =
>
> virtual_localdelivery:
> driver = appendfile
> create_directory = true
> directory_mode = 700
> file = /var/spool/virtual/${domain}/${local_part}
> headers_remove = "Bcc"
> return_path_add
> user = ${lookup{$domain}lsearch{/etc/virtual/domains_users}}
> group = mail
> mode = 660
>
> local_delivery:
>    driver = appendfile
>    file = /$home/mail/$local_part
>    delivery_date_add
>    envelope_to_add
>    return_path_add
>    user = mailnull
>    group = mail
>    mode = 0660

>
> address_pipe:
> driver = pipe
> return_output
> user = me
>
> address_file:
> driver = appendfile
> delivery_date_add
> envelope_to_add
> return_path_add
>
> address_reply:
> driver = autoreply
>
> ######################################################################
> #                      RETRY CONFIGURATION                           #
> ######################################################################

>
> begin retry
>
> # Domain               Error       Retries
> # ------               -----       -------
> *                      quota_7d
> *                      quota       F,72h,1h;
> *                      *           F,30m,1m; F,90m,5m; F,22h,30m; F,144h,60m

>
> ######################################################################
> #                      REWRITE CONFIGURATION                         #
> ######################################################################

>
> # There are no rewriting specifications in this default configuration file.
>
> begin rewrite
>
> ######################################################################
> #                   AUTHENTICATION CONFIGURATION                     #
> ######################################################################

>
> # There are no authenticator specifications in this default configuration file.
>
> begin authenticators
>
> # For Netscape/Mozilla
> plain:
>   driver = plaintext
>   public_name = PLAIN
>   server_condition = "${if and{ {!eq{$2}{}}{!eq{$3}{}} \
>    {crypteq {$3} {${lookup {${local_part:$2}} lsearch \
>                             {/etc/virtual/${domain:$2}/passwd}\
>                             {$value} {*:*}}}} } {1}{0}}"
>   server_set_id = $2

>
> # For Outlook/Outlook Express
> login:
>   driver = plaintext
>   public_name = LOGIN
>   server_prompts = "Username:: : Password::"
>   server_condition = "${if and{ {!eq{$1}{}}{!eq{$2}{}} \
>    {crypteq {$2} {${lookup {${local_part:$1}} lsearch \
>                             {/etc/virtual/${domain:$1}/passwd}\
>                             {$value} {*:*}}}} } {1}{0}}"
>   server_set_id = $1

>
> # End of Exim configuration file


--
Salu-2 y hasta pronto ...

----------------------------------------------------------------
    David Saez Padros                http://www.ols.es
    On-Line Services 2000 S.L.       telf    +34 902 50 29 75
----------------------------------------------------------------