On Sun, 15 Aug 2010 15:29:17 +0100, Dominic Hargreaves wrote:

> On Wed, Aug 04, 2010 at 01:00:19PM -0400, ylsdd wrote:
> > The 'greylistd-setup-exim4' script added a section 'deny' to 
> > /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt.
> > 
> >  # Deny if blacklisted by greylist
> >  deny
> >    message = $sender_host_address is blacklisted from delivering \\
> >                      mail from <$sender_address> to <$local_p...@$domain>.
> >    log_message = blacklisted.
> >    !senders        = :
> >    !authenticated = *
> >    verify         = recipient/callout=20s,use_sender,defer_ok
> >    condition      = ${readsocket{/var/run/greylistd/socket}\\
> >                                  {--black \\
> >                                   $sender_host_address \\
> >                                   $sender_address \\
> >                                   $local_p...@$domain}\\
> >                                  {5s}{}{false}}
> > 
> > In this added section, recipient callouts are performed without
> > verifying the recipient's domain. Thus, when spammers send to the
> > hosting server emails with recipients referring to other domains
> > that are not relayed, excessive and wrong recipient callouts will
> > be performed. The final results then include

> - did you consider removing the recipient callout verification in the
>   defer rule too? My reading of the config is that you'd need to remove
>   that too to have the desired effect, but your patch doesn't include it

The 'defer' stanza looks different:

#v+
  #
  defer
    message        = $sender_host_address is not yet authorized to deliver \\
                     mail from <$sender_address> to <$local_p...@$domain>. \\
                     Please try later.
    log_message    = greylisted.
    !senders       = :
    !hosts         = : +relay_from_hosts : \\
                     ${if exists {/etc/greylistd/whitelist-hosts}\\
                                 {/etc/greylistd/whitelist-hosts}{}} : \\
                     ${if exists {/var/lib/greylistd/whitelist-hosts}\\
                                 {/var/lib/greylistd/whitelist-hosts}{}}
    !authenticated = *
    !acl           = acl_local_deny_exceptions
    domains        = +local_domains : +relay_to_domains
    verify         = recipient/callout=20s,use_sender,defer_ok
    condition      = ${readsocket{/var/run/greylistd/socket}\\
                                 {--grey \\
                                  %s \\
                                  $sender_address \\
                                  $local_p...@$domain}\\
                                 {5s}{}{false}}
#v-

i.e. there are more conditions, notably the 'domains = ' check.
Adding this to the 'deny' stanza might also be a solution.

> - I disagree with the security tag, and the severity, since I've had this
>   configuration running for quite some time and haven't experienced the
>   problems you describe (possibly because my antispam measures vary in
>   other ways). Therefore the problem demonstrably does not make the
>   package unusable.

Agreed, although I have to admit that I'm running it with domains= in deny :)


Cheers,
gregor
 
-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-    NP: R.E.M.: Man On The Moon
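The 'deny' stanza with the 'domains =' condition from the 'defer' stanza added, as an added example for this thread rather than the script's own output. It assumes the standard Debian exim4 named lists +local_domains and +relay_to_domains and the greylistd socket path shown above; Exim tests ACL conditions in the order written and stops at the first one that fails, so 'domains' must come before 'verify' for the callout to be skipped.

```exim
# Deny if blacklisted by greylist (added example, not the greylistd-setup-exim4 output).
# The "domains" line restricts this stanza to domains this host accepts mail for,
# so a RCPT for an unrelated domain never reaches the recipient callout here and
# is instead rejected by the normal relay checks later in the ACL.
deny
  message        = $sender_host_address is blacklisted from delivering \
                   mail from <$sender_address> to <$local_part@$domain>.
  log_message    = blacklisted.
  !senders       = :
  !authenticated = *
  # Must precede "verify": conditions are evaluated top to bottom and the
  # callout only runs if every earlier condition has already passed.
  domains        = +local_domains : +relay_to_domains
  verify         = recipient/callout=20s,use_sender,defer_ok
  condition      = ${readsocket{/var/run/greylistd/socket}\
                               {--black \
                                $sender_host_address \
                                $sender_address \
                                $local_part@$domain}\
                               {5s}{}{false}}
```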
