Re: [exim] Frankenstein exim.conf

Top Page
Delete this message
Reply to this message
Author: Todd Lyons
Date:  
To: schmerold2@gmail.com
CC: exim-users
Subject: Re: [exim] Frankenstein exim.conf
On Wed, Apr 30, 2014 at 6:39 AM, schmerold2@???
<schmerold2@???> wrote:
> I have tweaked exim.conf so many times over the years, that I am concerned
> something(s) are completely disfunctional. For example I have been receiving
> spam from servers blacklist by mcafee & barracuda, reviewing the logs, I
> find neither blacklist has blocked any message.
>
> Comments on this situation are appreciated. My acl follows:


I had requested that he do an exim -bh ip.add.re.ss and post the
results here. He sent it only to me accidentally instead of to the
list. I did take a look at it and I see what the problem is.

> ############# ACCEPT SETTINGS#######################
> begin acl
>
> acl_check_rcpt:
> accept hosts = lsearch;/etc/exim/whitelist
> accept hosts = :
> deny local_parts = ^.*[@%!/|] : ^\\.
>
>   deny message   = HELO Policy Restriction: HELO is not an FQDN.
>      condition = ${if match{$sender_helo_name}{\N^\[\N}{no}{yes}}
>      condition = ${if match{$sender_helo_name}{\N[^.]\N}{no}{yes}}

>
>   accept domains = +relay_to_domains
>          endpass
>          message = relay not permitted at this server
>          verify = recipient


The above stanza accepts any email to a valid recipient at this point.
This is before the dnslists are even checked.

> accept hosts = +relay_from_hosts


The above stanza accepts email from those known hosts, regardless if
the recipient is invalid.

>   deny senders = :
>           condition     = ${if ! eq{$recipients_count}{1}{1}}
>           message       = Bounces must have only a single recipient
>           log_message   = Another denied due to backscatter-Single Recipient

>
> deny message = relay not permitted at this server


As another pointed out, nothing will EVER get past the above deny
because there are no limiting conditions. So the rest of the ACL
stanzas in this RCPT ACL after this point are NEVER used.

> deny message = rejected because $sender_host_address is in a black list at
> $dnslist_domain\n$dnslist_text


And if he removes the first one, the one right above will then block
it because it too has no conditions.

>   deny dnslists =
> zen.spamhaus.org/<;$sender_host_address;$sender_address_domain :\
>        cidr.bl.mcafee.com : bl.spameatingmonkey.net : bl.mailspike.net :
> dnsbl.sorbs.net : b.barracudacentral.org : bb.barracudacentral.org :
> psbl.surriel.com : \
>        hostkarma.junkemailfilter.com=127.0.0.2


Remove the word "deny" from above and that will fix the "deny message
with no conditions" problem above.

>   deny message = REJECTED - Sender Verify Failed and no RDNS
>        !verify = reverse_host_lookup
>        !verify = sender/callout=2m,defer_ok
>        !senders = +whitelist_senders
>        !condition =  ${if eq{$sender_verify_failure}{}}



Basically I think if you remove the first erroneous deny, fix the rbl
lookup stanza, and move the accept domains stanza down to the end I
think your system will start working the way you expect it to.

...Todd
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine