| Recently somebody misused one of the accounts on my mail server to
| send out large amounts of spam. Reading the logs, it came all from a
| single IP address, in a single SMTP connection.
|
| I found the following log line:
|
| no immediate delivery: more than 10 messages received in one
| connection
|
| Do I understand it correctly that Exim decided to no longer try to
| deliver e-mails on the same originating SMTP connection and report any
| failures immediately, but instead blindly accept all incoming e-mails
| and report each failure with a "Mail delivery failed" message in the
| poor user's inbox?

I want to clarify what Exim is doing here, to add to other people's
excellent answers.

Exim always does however much verification of the SMTP-time
conversation as you tell it to in your configuration, but it also
never[*] defers the SMTP conversation for incoming email until the
incoming message is fully delivered to all destinations. So Exim will
always accept incoming email without being fully certain that it is
good. The 'immediate delivery' Exim is talking about here is a delivery
attempt that is normally started immediately after Exim has fully
accepted the message.

If you're dealing with end user MUAs you almost certainly don't
actually want Exim to effectively act as an SMTP proxy because it's very
likely that MUAs will not deal gracefully with things an MTA would have
to do in that mode (such as defer some but not all recipients of a
message). As other people have said, ratelimiting is what you really
want and need.

- cks
[*: the half exception is 'cutthrough delivery' in current versions of
Exim; see the discussion of 'control = cutthrough_delivery' in the
ACL documentation,
http://exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html
Note that this comes with a huge list of caveats and restrictions.
]
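
Added example, not part of the original thread: a triage script that finds the messages Exim only queued because of the per-connection limit and attributes them to the client IP and authenticated account. The log lines are constructed in the style of Exim's main log, and the `<=`, `H=` and `A=` fields are assumed to be present in your logging configuration.

```python
import re
from collections import Counter

MSG_ID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6,11}-[0-9A-Za-z]{2,4}"
ARRIVAL = re.compile(rf"^\S+ \S+ ({MSG_ID}) <= (.*)$")
QUEUED = re.compile(rf"^\S+ \S+ ({MSG_ID}) no immediate delivery: "
                    r"more than \d+ messages received in one connection")
HOST_IP = re.compile(r"\[([0-9A-Fa-f.:]+)\]")
AUTH = re.compile(r"\bA=(\S+)")


def build_sample_log():
    """Constructed log: one normal message, then 12 in one connection."""
    lines = ["2024-01-01 10:00:01 1rAAAA-000001-0a <= alice@example.org "
             "H=(pc) [192.0.2.10] P=esmtpsa A=plain:alice S=2100"]
    for n in range(1, 13):
        mid = f"1rBBBB-0000{n:02d}-0b"
        lines.append(f"2024-01-01 10:05:{n:02d} {mid} <= bob@example.org "
                     "H=(bot) [203.0.113.7] P=esmtpsa A=login:bob S=900")
        if n > 10:  # limit of 10 reached: message is accepted but only queued
            lines.append(f"2024-01-01 10:05:{n:02d} {mid} no immediate delivery: "
                         "more than 10 messages received in one connection")
    return "\n".join(lines)


def queued_by_source(log_text):
    """Count queued-only messages per (client IP, authenticator:id)."""
    arrivals, queued = {}, set()
    for line in log_text.splitlines():
        m = QUEUED.match(line)
        if m:
            queued.add(m.group(1))
            continue
        m = ARRIVAL.match(line)
        if m:
            ip, auth = HOST_IP.search(m.group(2)), AUTH.search(m.group(2))
            arrivals[m.group(1)] = (ip.group(1) if ip else "unknown",
                                    auth.group(1) if auth else "unauthenticated")
    # Join on message id so the order of the two log lines does not matter.
    return Counter(arrivals.get(mid, ("unknown", "unauthenticated"))
                   for mid in queued)


if __name__ == "__main__":
    for (ip, auth), count in queued_by_source(build_sample_log()).most_common():
        print(f"{count:4d} queued-only messages from {ip} as {auth}")
```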