On Sun, 15 Aug 2010 15:29:17 +0100, Dominic Hargreaves wrote:

> On Wed, Aug 04, 2010 at 01:00:19PM -0400, ylsdd wrote:
> > The 'greylistd-setup-exim4' script added a section 'deny' to
> > /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt.
> >
> > # Deny if blacklisted by greylist
> > deny
> >   message = $sender_host_address is blacklisted from delivering \\
> >             mail from <$sender_address> to <$local_p...@$domain>.
> >   log_message = blacklisted.
> >   !senders = :
> >   !authenticated = *
> >   verify = recipient/callout=20s,use_sender,defer_ok
> >   condition = ${readsocket{/var/run/greylistd/socket}\\
> >               {--black \\
> >                $sender_host_address \\
> >                $sender_address \\
> >                $local_p...@$domain}\\
> >               {5s}{}{false}}
> >
> > In this added section, recipient/callouts are performed without
> > verifying recipient's hostname. Thus, when spammers send to the
> > hosting server emails with recipient referring to other domains
> > that are not relayed, excessive and wrong recipient callouts will
> > be performed. The final results then include

> - did you consider removing the recipient callout verification in the
>   defer rule too? My reading of the config is that you'd need to remove
>   that too to have the desired effect, but your patch doesn't include it

The 'defer' stanza looks different:

#v+
  #
  defer
    message = $sender_host_address is not yet authorized to deliver \\
              mail from <$sender_address> to <$local_p...@$domain>. \\
              Please try later.
    log_message = greylisted.
    !senders = :
    !hosts = : +relay_from_hosts : \\
             ${if exists {/etc/greylistd/whitelist-hosts}\\
                         {/etc/greylistd/whitelist-hosts}{}} : \\
             ${if exists {/var/lib/greylistd/whitelist-hosts}\\
                         {/var/lib/greylistd/whitelist-hosts}{}}
    !authenticated = *
    !acl = acl_local_deny_exceptions
    domains = +local_domains : +relay_to_domains
    verify = recipient/callout=20s,use_sender,defer_ok
    condition = ${readsocket{/var/run/greylistd/socket}\\
                {--grey \\
                 %s \\
                 $sender_address \\
                 $local_p...@$domain}\\
                {5s}{}{false}}
#v-

i.e. there are more conditions, notably the 'domains = ' check.
Adding this to the 'deny' stanza might also be a solution.

> - I disagree with the security tag, and the severity, since I've had this
>   configuration running for quite some time and haven't experienced the
>   problems you describe (possibly because my antispam measures vary in
>   other ways). Therefore the problem demonstrably does not make the
>   package unusable.

Agreed, although I have to admit that I'm running it with domains= in
deny :)

Cheers,
gregor

--
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-    NP: R.E.M.: Man On The Moon
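
The difference between the two stanzas discussed above can be checked mechanically. The following is an added example, not part of the thread or of the greylistd package: a small Python audit that flags any ACL statement doing a recipient callout without an earlier 'domains' condition. The function names are hypothetical and the sample ACL is constructed (abridged from the quoted stanzas); it relies on Exim testing ACL conditions in the order they are written.

```python
import re

ACL_VERBS = {"accept", "defer", "deny", "discard", "drop", "require", "warn"}

# Constructed sample, abridged from the two stanzas quoted in the thread.
SAMPLE_ACL = r"""
# Deny if blacklisted by greylist
deny
  log_message = blacklisted.
  !senders = :
  verify = recipient/callout=20s,use_sender,defer_ok
  condition = ${readsocket{/var/run/greylistd/socket}\
              {--black $sender_host_address $sender_address}\
              {5s}{}{false}}

defer
  log_message = greylisted.
  domains = +local_domains : +relay_to_domains
  verify = recipient/callout=20s,use_sender,defer_ok
"""

def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line.rstrip("\\").rstrip() + " "
            continue
        if (buf + line).strip():
            yield (buf + line).strip()
        buf = ""

def unscoped_callouts(text):
    """Return the verb of each statement whose recipient callout is not
    preceded by a 'domains' condition (conditions are tested in order)."""
    findings, verb, scoped = [], None, False
    for line in logical_lines(text):
        first = line.split()[0]
        if first in ACL_VERBS:            # a new ACL statement starts here
            verb, scoped = first, False
            line = line[len(first):].strip()
        if verb is None or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if name.lstrip("!") == "domains":
            scoped = True
        elif name == "verify" and re.match(r"recipient\b.*callout", value):
            if not scoped:
                findings.append(verb)
    return findings

if __name__ == "__main__":
    print(unscoped_callouts(SAMPLE_ACL))
```

A 'domains' line placed after the 'verify' line is still reported, because the callout would already have run by the time the domain test is reached.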