Re: [exim] Whitelisting with MySQL

Mark Goodge wrote:
> Hi,
>
> This is possibly a bit of a numpty question, but if so please bear with
> me as I'm not an exim expert! Here's the background to the question:
>
> I work for an online retailer. We want to tighten up our anti-spam
> defences as it's wasting too much of the customer service team's time
> simply having to close the tickets it generates. However, we absolutely
> cannot afford even a single false-positive against the address of an
> actual customer.
>
> So, what we're planning to do is use a MySQL backend for whitelisting.
> When a customer places an order, the email address they supplied on the
> order is added to the database by the order processing system and the
> database is then in turn queried by exim in order to determine whether
> or not the address is whitelisted. If an address is whitelisted it is
> allowed straight through, no questions asked, if not then it goes
> through the usual RBL/greylisting/spamassassin/etc checks. (We are
> aware
> that this doesn't protect us against customers who have their webmail
> accounts hijacked or who are infected with viruses. This is a
> limitation
> we're willing to live with, as even stupid customers are still
> customers
> and we need to allow them to contact us).
>
> My question is, firstly, does this sound like a reasonable way of going
> about it? If not, is there a better way of doing it? And, if it is, how
> should I go about configuring exim to look up the whitelist table?
>
> Thanks
>
> Mark

We have a whitelist system here that allows individual users to create their own personal whitelists. It's broadly similar to what you're proposing, in that Exim queries a database at SMTP time to determine how the message should be processed.

One point to note is even whitelisting (in our system) doesn't bypass virus/malware checks (and rejection if found).

You might want to consider rate-limiting to reduce risks associated with a customer's PC becoming infected or hijacked.

Regards

Richard