On 27/12/17 18:20, Sebastian Arcus via Exim-users wrote:
>
> On 27/12/17 16:49, Jeremy Harris wrote:
</snip>
>>
>> Do the lookup manually, with a ${lookup dnsdb ...} expansion;
>> you then have more control. Treat the ACL flow as a programming >
>> language.
>
> That's a good pointer - I will investigate that avenue - thank you.
In case it helps anyone else, I ended up with the following acl to drop
after a long wait any connection which doesn't have a reverse dns record
(or where the PTR dns query gets deferred). Note that I only do this on
port 25, for MTA-to-MTA connections. I also have other settings in place
to prevent any MUA trying to use port 25 for AUTH. Also note that this
could end up starving the server of resources and inflicting a DOS
attack on yourself, if it is a busy server under heavy attack with a lot
of open connections hanging. Luckily most spambots seems to give up
quite quickly, and I also have configs in place to limit the number of
incoming connections and drop them immediately if the limits have been
reached.
drop message = Reverse DNS record incorrect or missing
condition = ${if eq{$received_port}{25}}
! condition = ${lookup dnsdb{defer_never,ptr=$sender_host_address} \
{yes}{no}}
delay = 20m
Thank you for all the pointers in this thread!
