On 22 February 2014 20:00:31 CET, Viktor Dukhovni <exim-users@???> wrote:
>On Sat, Feb 22, 2014 at 12:10:49PM -0600, Matt wrote:
>
>> What if I want to block at connect time like right after HELO, EHLO or
>> even before that?
>
>Returning 5XX at connect time (server SMTP banner) is unwise:
>
> - Postfix and various other MTAs will by default treat a 5XX
> banner as a temporary error condition, and will queue and retry.
> The reason is historically flawed 5xx responses from some servers
> when they're overloaded.
>
> - You don't get to log the sender and intended recipients, so it is
> difficult to identify false positives in your logs when users
> report missing email.
>
>If you return a 5XX "EHLO" response, the first objection goes away,
>but the second remains. You should generally leave RBL processing
>at the RCPT TO stage, so you can log rejected recipients.
And I'm not sure, but I think you should not block messages to postmaster. To achieve that, you have to wait for RCPT.
Rejecting with 5xx at SMTP connect is about the same as a TCP reject; as Viktor says, most MTAs will retry later or at your fallback MX.
(But spam senders won't care, so it probably helps. The postmaster issue remains as a reason to wait for RCPT.)
--
Heiko Schlittermann (on the go)
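The advice in this thread (do the DNSBL check at RCPT TO so the rejection log carries sender and recipient, and let postmaster through regardless) as an Exim ACL fragment. This is an added illustration, not code from the thread or from the Exim project; it assumes the `+local_domains` domainlist from Exim's default configuration, and `rbl.example.net` is a placeholder for whatever DNSBL you actually use.

```exim
# Run the RCPT ACL below for every RCPT TO command.
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Accept postmaster (and abuse) for our own domains before any DNSBL
  # lookup, so problem reports still arrive even from listed hosts.
  accept  local_parts = postmaster : abuse
          domains     = +local_domains

  # DNSBL rejection happens here, not at connect or HELO time: a 5xx at
  # RCPT is honoured as permanent by other MTAs, and Exim's reject log
  # line now includes the envelope sender and the rejected recipient,
  # which is what you need when a user reports missing mail.
  # rbl.example.net is a placeholder for your real DNSBL.
  deny    dnslists    = rbl.example.net
          message     = $sender_host_address is listed in $dnslist_domain: $dnslist_text
          log_message = listed in $dnslist_domain: $dnslist_text

  # Recipient verification and relay control would normally follow here.
  accept
```

Each rejection then appears in the main log as "... F=<sender> rejected RCPT <recipient>: listed in ...", so false positives can be traced per recipient rather than per connecting IP.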