Randy Bush wrote:
>> The general rule (not just with Exim) is to work on the minority case -
>> IOW the forgery, the 'lie', the just-plain-wrongness.
>
> dunno what your servers see, but in my universe, the forgery is by far
> the majority. so i want to immediately accept the real and then fall
> into the dnsbls.
>
> randy
>

They are only '...far the majority...' because you have decided not to reject obvious zombies earlier - at acl_smtp_connect.

A caller that *survives* forward/reverse DNS lookup, who HAS a PTR RR, who is NOT in a dynamic-IP RBL, who THEN ALSO fails a HELO to FQDN test is less common than a zombie (which ordinarily fails all of these).

Such a HELO mismatch is usually due to DNS and/or MTA misconfigured due to ignorance or HIRD - not really a 'forgery' per se.

Ex: Network Solutions et al who can't be bothered to ensure that their contract MTA-vendors consistently keep DNS records up to date. IOW, most days, they appear to 'forge' themselves: connect from a .net IP but ID as a .com, not assign PTR RR to their outbound 'pool' that remotely match their HELO, etc.

If you want 'immediate' onpassing, you'll need something like lookups against /var/mail/IP-pass or /var/mail/VIP lists, AND setting a flag in acl_smtp_connect, AND testing that flag again in each acl_smtp phase thereafter (that you feel safe skipping, anyway).

Bill

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
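
The flag-and-retest arrangement described in the reply above, sketched as an Exim configuration fragment. This is an added example, not configuration from the thread: the ACL names, the variable name acl_c_vip (a named connection variable; older releases only have numbered ones such as acl_c0), the choice of verify tests and the DNSBL domain dnsbl.example.invalid are assumptions, and /var/mail/IP-pass is assumed to hold one IP address or network per line.

```exim
# Main section: name the ACL run at each SMTP phase.
acl_smtp_connect = acl_check_connect
acl_smtp_helo    = acl_check_helo
acl_smtp_rcpt    = acl_check_rcpt

begin acl

acl_check_connect:
  # Known-good callers get a flag that lasts for the whole connection.
  warn    hosts     = /var/mail/IP-pass
          set acl_c_vip = yes

  # Everyone else must have working reverse DNS or is dropped here.
  drop    condition = ${if !eq{$acl_c_vip}{yes}}
         !verify    = reverse_host_lookup
          message   = reverse DNS lookup failed

  accept

acl_check_helo:
  # Re-test the flag: only unflagged callers get the HELO check.
  deny    condition = ${if !eq{$acl_c_vip}{yes}}
         !verify    = helo
          message   = HELO name does not match calling host

  accept

acl_check_rcpt:
  # Re-test the flag again: unflagged callers fall into the DNSBLs.
  # dnsbl.example.invalid is a placeholder, not a real list.
  deny    condition = ${if !eq{$acl_c_vip}{yes}}
          dnslists  = dnsbl.example.invalid
          message   = $sender_host_address is listed in $dnslist_domain

  # Existing relay control and recipient verification continue here;
  # the flag skips spam tests only and must not bypass relay checks.
```

The flag is deliberately tested as a negated condition on each deny or drop rather than as an early accept, so a listed host skips the spam tests without skipping whatever relay and recipient checks follow in the same ACL.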
