--- On Sun, 7/12/09, Phil Pennock <[email protected]> wrote:
> From: Phil Pennock <[email protected]>
> Subject: Re: [exim] Verifying that Spamhaus is working within Exim
> To: "Alex Carver" <[email protected]>
> Cc: [email protected]
> Date: Sunday, July 12, 2009, 8:45 PM
> On 2009-07-12 at 14:31 -0700, Alex Carver wrote:
> > New question: Now that I reconfigured and reinserted support for Spamhaus, I haven't seen Exim block an email even though I've seen plenty of emails coming in from domains listed in zen.spamhaus.org
> >
> > Under acl_check_rcpt I have:
> >
> > deny
> >   message = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
> >   log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
> >   dnslists = zen.spamhaus.org
>
> Where do you have this within acl_check_rcpt?  Note that the ACL is
> worked through in order, so unless you have this stanza before the bit
> which goes:
>   require message = relay not permitted
>           domains = +local_domains : +relay_to_domains
> then Exim won't get as far as checking that.

The RBL segment happens to be below the part you quote so that explains that bit. I just hadn't seen a spamhaus block in so long I wondered if I had misconfigured it.

>
> Why do you have "X-Warning: " at the start of message?  It's an SMTP
> refusal message, not a header, when you're in deny.

It used to be a warn statement and I just forgot to remove X-Warning.

>
> You probably also want to add some exceptions to that, such as a local
> whitelist, for the times when someone you care about ends up on an RBL.
> Also "!authenticated = *"; eg, my home IP is a residential cable-modem
> IP and if I send mail via my colo server, I'll be using authenticated
> SMTP -- if you need to support remote workers, you'll want to make sure
> that they're not blocked based on source IP.  (Hey, my current home IP
> is on zen, [127.0.0.10]).

This happens to be my personal server but I have a static IP at home so I can send direct (ISP does not block) so I send directly out from here. I don't anticipate ever having an external user beyond perhaps running as a backup MX for someone but that just means they get added to the relay domain list instead.

>
> $ exim -d+acl -bh $bad_ip -bs
> and type in raw SMTP.  This is debugging with extra debugging for ACLs
> turned on.
>

This works very well, thanks. At least I now know that it's actually responding.

> Myself, to help remote administrators debug mail delivery, I have this
> in my connect ACL (amongst other things):
>   accept !dnslists = [ some local whitelist stuff ]
>           dnslists = zen.spamhaus.org
>            message = ${smtp_active_hostname} ESMTP - NO UCE NO UBE ${tod_log} (UTC)\n\
>                      WARNING: You are on RBL $dnslist_domain: $dnslist_text\n\
>                      Your mail will not be accepted unauthenticated.
>
> The side-effect of multi-line SMTP responses causing problems for flaky
> clients is a side-benefit.
>
> -Phil
> --

## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
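
An added example, not part of the original thread or of either poster's configuration: a recipient ACL fragment that combines the points raised above (statement order, plain SMTP rejection text in a deny, and exemptions for authenticated and whitelisted senders). The list name rbl_whitelist and the address 192.0.2.25 are hypothetical; local_domains and relay_to_domains are assumed to be defined as domain lists elsewhere in the configuration.

```exim
# Main section. Hypothetical named host list holding hosts that must never
# be refused on DNSBL grounds; 192.0.2.25 is a placeholder address.
hostlist rbl_whitelist = 192.0.2.25

# ACL section. This is a fragment: a production RCPT ACL normally also
# verifies the sender and the recipient.
acl_check_rcpt:

  # Statements are worked through in order. A recipient outside these
  # domains is refused here and never reaches the DNSBL statement below.
  require message        = relay not permitted
          domains        = +local_domains : +relay_to_domains

  # Conditions inside one statement are also tested in order, so the two
  # cheap local exemptions run before the DNS lookup is made.
  #   !authenticated = *   exempts SMTP AUTH users on listed (e.g. home) IPs
  #   !hosts = ...         exempts the local whitelist
  # In a deny, "message" is the SMTP refusal text returned to the client,
  # so it carries no "X-Warning: " header prefix.
  deny    !authenticated = *
          !hosts         = +rbl_whitelist
          dnslists       = zen.spamhaus.org
          message        = $sender_host_address is listed at $dnslist_domain \
                           ($dnslist_value: $dnslist_text)
          log_message    = $sender_host_address is listed at $dnslist_domain \
                           ($dnslist_value: $dnslist_text)

  accept
```

Running the thread's `exim -d+acl -bh $bad_ip -bs` session against a configuration like this shows in the debug output which statements a test connection reaches and which one refuses it.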
