[exim] Per-ACL DNS lookup configuration?

Author: David North
Date:  
To: exim-users
Subject: [exim] Per-ACL DNS lookup configuration?
I have host-centric blacklisting in my acl_check_rcpt which looks a bit
like this:

deny
    message = sender IP address $sender_host_address is locally \
              blacklisted for this domain. If you think this is wrong, \
              get in touch with postmaster@$domain
    !acl = acl_local_deny_exceptions
    hosts = ${sg {${lookup sqlite{ /path/to/my/db.sqlite \
                SELECT hostname FROM blacklist WHERE domain = '$domain'; }}}{\n}{: }}


It's been working well for years, but recently a host foo.example.com on
my blacklist developed problems with its DNS servers resulting in a
SERVFAIL response to lookups for foo.example.com.

This in turn led to all my incoming mail being deferred by exim -
extract from debug output:

>>> no IP address found for host foo.example.com (during SMTP connection from (somewhere) [128.66.0.1])
>>> foo.example.com in dns_again_means_nonexist? no (option unset)
>>> host in "foo.example.com"? list match deferred for foo.example.com
>>> deny: condition test deferred in ACL "acl_check_rcpt"

451 Temporary local problem - please try later
LOG: H=(somewhere) [128.66.0.1] F=<foo@???> temporarily rejected
RCPT <bar@???>

Obviously, I don't want some spammer's inability to run a nameserver to
defer all my incoming mail.

Digging into the manual, I see one possibility is to add foo.example.com
to the dns_again_means_nonexist list. This is domain-specific, though -
ideally, I'd like to be able to put something in the ACL to mean "DNS
lookup failures should be treated as a non-match for that entry in the
list". Is this possible?

Thanks,
David

--
David North | www.dnorth.net
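Added editorial example, not part of David's post or a reply in the thread: the same deny verb with Exim's host-list item +ignore_defer placed in front of the expanded hostnames. +ignore_defer is described in the Exim specification's host-list section on temporary DNS errors as the counterpart of +ignore_unknown; it applies to the list items that follow it, which is why it comes first here. Check the specification for the Exim version you actually run before relying on it. The database path, table and column names are carried over from the original post.

```exim
# Added example (not from the original post or from the Exim project).
# Same blacklist check as in the post, but a temporary DNS failure while
# resolving one of the listed hostnames no longer defers the whole ACL.
deny
    message = sender IP address $sender_host_address is locally \
              blacklisted for this domain. If you think this is wrong, \
              get in touch with postmaster@$domain
    !acl = acl_local_deny_exceptions
    # +ignore_defer: if the forward lookup of a following hostname ends in
    # a temporary error (SERVFAIL, timeout), that item is treated as "no
    # match" instead of deferring the verb. It must precede the items it
    # is meant to cover, so it goes before the expanded list.
    hosts = +ignore_defer : \
            ${sg {${lookup sqlite{ /path/to/my/db.sqlite \
                SELECT hostname FROM blacklist WHERE domain = '$domain'; }}}{\n}{: }}
```

Note what this trades: the current behaviour fails closed (one broken nameserver defers every RCPT), while +ignore_defer fails open for that one entry (a blacklisted host whose DNS is broken is simply not matched by that item), which is why the specification advises care with it. It is still far narrower than dns_again_means_nonexist, which is global and affects every lookup Exim does. A separate way to remove the dependency on somebody else's DNS altogether is to store IP addresses or CIDR ranges in the blacklist instead of hostnames, since address items in a host list are compared against $sender_host_address without any forward lookup.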