On 2023-04-20, Lance Lovette via Exim-users <exim-users@???> wrote:
>> There's a rational basis for an exception for 5xx before MAIL FROM,
>> when the target only has the connection parameters and HELO
>> name to use as a basis for rejection
>
> Unfortunately, Google, in the case of an outright IP-based block, doesn't
> reject the message until after DATA has been submitted.
>
> After wrestling with this for a few days, my solution to mitigate some
> fallout from host-based rejections is a router condition that allows me to
> easily avoid routing to problematic domains while the issue is resolved.
> (The router after this sends everything through the ESP.)
>
> FIRST_MX_HOST = ${extract{2}{ \n}{${lookup
> dnsdb{mx=$domain}{$value}}}{$value}fail}
> r_direct:
> driver = dnslookup
> transport = t_smtp
> domains = ! +local_domains
> condition = first_delivery
> condition = ${if !eq{$return_path}{}}
> condition = ${lookup
> {FIRST_MX_HOST}nwildlsearch{/etc/exim/force-esp-mxhosts}{false}{true}}
> ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
>
> Two questions for the experts:
>
> - Is there a more efficient way to achieve this?
you could put the ip addresses in ignore target hosts instead.
> - Does Exim have a mechanism to invoke a script with rejected messages, so
> I can either re-send the message or add the host to my force-esp-mxhosts?
you can detect rejections using event_action
But it's not very easy to set up.
you setup event action as an ${acl... expansion and then in the acl branch according to
which event is happening.
When you detect a fake rejection you could then store the fact in a ratelimit.
the ratelimit can then be tested in the main delivery router (again via a
${acl... expansion) and a rateliomit failure used to skip that router.
Preventing the processing of the bounce is harder but you can do it by
arranging for the not-smtp ACL to return "drop" when it sees a bounce
from one of these messages - you'll probably need to pass some
details to this ACL in the headers of the bounce message so that
the ACL can know which trasport is producing the error..
Detecting the rejection and setting the ratelimit could also be done
here instead I guess.
This is tying exim up in knots, it will probably be fairly fragile.
--
Jasen.
🇺🇦 Слава Україні
