Re: [exim] Exim is forwarding spam.

Author: Chris Knadle
To: exim-users
Subject: Re: [exim] Exim is forwarding spam.
On Saturday, June 30, 2012 13:17:05, Todd Lyons wrote:
> On Sat, Jun 30, 2012 at 9:57 AM, Chris Knadle <Chris.Knadle@???> wrote:
> > BTW are you doing any mail relaying? If you're relaying mail for any
> > domains, you can end up in Exim sending "backscatter spam" due to not
> > being able to validate the recipient of the email. I've come up with an
> > interesting solution for this situation which you might like if this is
> > the case.
>
> What are the details? "Interesting solution" implies something new or
> novel and I for one would like to see what you did.
Okay, then I'll explain it.

I don't necessarily think it's a new or novel solution, but I haven't yet seen
it elsewhere. [I expect someone else must be doing something similar.]

At first I considered doing a recipient callout, but this defeats the purpose
of being a mail relay because it requires the main mail server to be present
and online. The bottom line is that the backup mail server has to have some
way of authenticating recipient email addresses even when the main mail
server is offline.

To do this, I asked the administrator for the relay domain for the list of
valid email addresses. At first he didn't like this idea because it exposes
that information to me, but once I explained the reason I was asking for it
he understood and did so, along with a list of "blacklisted" email addresses.
He's using wildcard email addressing with '-' as the delimiter, and that's the
reason why the additional "blacklisted" addresses are necessary. Thankfully I
found it was not necessary to use wildcard addressing myself to be able to
deal with all of this. ;-)

The simple solution: email addresses from a particular domain are checked
against a regex of valid email addresses in a file that is named after the
domain name, and likewise with a blacklist file.


Exim4 configuration
----------------------------------
# (The domain names below are fictitious)
# Domains whose recipients are checked against a per-domain blacklist file
domainlist blacklist_filecheck_domains = example1.com
# Relay domains whose recipients must appear in a per-domain list of valid addresses
domainlist rcpt_checked_relay_domains = example1.com

acl_check_rcpt:

  #   deny relay_to_domains blacklisted recipients
  #   CONFDIR/local_recipient_blacklist holds a list of email addresses that should
  #   no longer have email accepted for them, but which need to be blocked explicitly
  #   due to wildcard email addresses being used that would normally accept the
  #   addresses.  Incoming messages with these recipients are blocked at RCPT time.
  #   nwildlsearch: each line of the file is a key; keys beginning with '^' are
  #   regular expressions, all others are matched literally (no string expansion).
  deny
    domains     = +blacklist_filecheck_domains
    message     = unknown user
    condition   = ${lookup{$local_part@$domain}\
        nwildlsearch{CONFDIR/recipient_blacklists/$domain}\
        {yes}{no}}
    log_message = Address $local_part@$domain blocked
    delay       = 15s


  #   Relay only recipients found in recipient_relay_lists for relay_to_domains
  #   that are set to use it: the condition is negated, so the recipient is denied
  #   when the lookup does NOT find the address in the per-domain file.
  deny
    domains     = +rcpt_checked_relay_domains
    message     = unknown user
    !condition  = ${lookup{$local_part@$domain}\
        nwildlsearch{CONFDIR/recipient_relay_lists/$domain}\
        {yes}{no}}
    log_message = Address $local_part@$domain unknown
    delay       = 15s
----------------------------------




/recipient_blacklists/example1.com
----------------------------------
virgil_earp@???
doc_holliday@???
----------------------------------


/recipient_relay_lists/example1.com
----------------------------------
abuse@???
root@???
notspam@???
postmaster@???
MAILER-DAEMON@???
billy_claiborne@???
^bclaiborne-.*@???
billy_clanton@???
^bclanton-.*@???
frank_mclaury@???
^fmclaury-.*@???
----------------------------------



Thus far updates to email addresses have simply been sent over email because
they've been infrequent, but I've occasionally considered something more
easily updated by the relay domain administrator such as files copied via
rsync over ssh.

Also I originally implemented this idea in LDAP as a way of keeping the remote
domain addresses in sync, but the relay domain admin wasn't interested in
running LDAP so I opted for this simpler file-based solution, which has been
doing its job very well IMHO.

-- Chris

--
Chris Knadle
Chris.Knadle@???
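The two deny statements above can be dry-run outside Exim to check that a list file admits exactly the addresses intended. The following is an added example, not part of the original post or of Exim: it emulates nwildlsearch ('^' keys are regular expressions, '*' keys match as a suffix, everything else is literal, matched case-insensitively as Exim does) over constructed sample files, where the archive's obfuscated "@???" is assumed to be "@example1.com".

```python
import re

# Constructed stand-ins for CONFDIR/recipient_blacklists/example1.com and
# CONFDIR/recipient_relay_lists/example1.com (the post's "@???" assumed to be
# "@example1.com").
BLACKLIST = """\
virgil_earp@example1.com
doc_holliday@example1.com
"""

RELAY_LIST = """\
abuse@example1.com
postmaster@example1.com
billy_claiborne@example1.com
^bclaiborne-.*@example1.com
frank_mclaury@example1.com
^fmclaury-.*@example1.com
"""

# Both domainlists in the posted config name only example1.com.
CHECKED_DOMAINS = {"example1.com"}


def nwildlsearch(key, file_text):
    """Emulate Exim's nwildlsearch lookup: return True on the first key in
    file_text that matches key, i.e. the {yes} branch of the expansion."""
    for line in file_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments are skipped
        if line.startswith("^"):          # regular-expression key
            if re.search(line, key, re.IGNORECASE):
                return True
        elif line.startswith("*"):        # "ends with" key
            if key.lower().endswith(line[1:].lower()):
                return True
        elif key.lower() == line.lower():  # literal key
            return True
    return False


def acl_check_rcpt(local_part, domain, blacklist=BLACKLIST, relay_list=RELAY_LIST):
    """Apply the two deny statements in order and return the ACL verdict."""
    address = f"{local_part}@{domain}"
    if domain.lower() not in CHECKED_DOMAINS:
        return "accept"                   # neither deny statement applies
    if nwildlsearch(address, blacklist):  # first deny: blacklisted recipient
        return f"deny: Address {address} blocked"
    if not nwildlsearch(address, relay_list):  # second deny: !condition
        return f"deny: Address {address} unknown"
    return "accept"
```

Run a recipient through acl_check_rcpt() before deploying a list change; a wildcard entry such as ^bclaiborne-.*@ only admits addresses that actually contain the '-' delimiter.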