Ted Cooper [Exim-users] wrote:
> On Wed, 22 Apr 2009 09:01:38 +0200, Heiko Schlittermann
> <[email protected]> wrote:
>> Mike Cardwell <[email protected]> (Mi 22 Apr 2009 00:18:54 CEST):
>>> Heiko Schlittermann wrote:
>>>> It depends on your ACL configuration. You can always employ the
>>>> $sender_host_address variable. Or you can use the 'hosts = ..' ACL
>>>> item.
>>> Your suggestion doesn't work. The IP of the connecting host is
>>> irrelevant. It's the IP that a sender callout would connect back to that
>>> is relevant.
>> True. You're right. (You told me what I'm telling other people, normally
>> ...) Sorry for the noise. I should think twice before sending :-/
>
> On that note, perhaps whitelisting based on domain is more sensible than
> whitelisting based on IP addresses or a DNS lookup of the MX records.
> Surely if one MX of a domain is taking assertive action against callouts,
> then all of the other MX will too.
One (may) need both .. and more...

Ex:

/var/mail/filters/IP-white precludes rejection in acl_smtp_connect of a
(very) few misconfigured-but-otherwise-legit sources with bad or missing
PTR RR

/var/mail/filters/VIP-pass adds a 'pass' for any of IP, $domain, and even
matched sender and recipient 'sets' (lookup is, of necessity for that mix,
a 'dumb' string match)

/var/mail/filters/REGEXP-block blocks on HELO and/or $domain

IOW - each of these few files may be accessed in different ways at
different points, and ordinarily are looked at several times.

CAVEAT: this is not the most exim-efficient path - but it cuts down the
number of places the admin has to do editing or review.

> In regards to doing callouts - I don't use them except on suspect
> yahoo|hotmail|aol|lycos|msn|gmail emails, such as those that don't come
> from their own mail servers.

I use 'forgery' detection logic on just over a dozen of the most-seen (or
most commonly forged...) ISP's. For the past 2 or 3 years the hits on
those have declined to the point I may simply remove them. Early rejection
on rDNS fail seems to have wiped most off the radar.

> For all other cases, either RDNS, HELO, greylist, not-quit, or spamhaus
> has already taken care of them and those that make it past that get
> killed off by header checks or SA. The wishy washy answer of a callout -
> account does not exist on this server vs account may exist on this
> server - just isn't that useful.

Possibility of irritating far-end operators quite aside, I'd go further
and say it is a total waste of my resources as well as theirs by the time
the other points you list have been looked at.

OTOH - I've reached the same conclusion w/r greylisting after extensive
running of a couple different versions, so 'YMMV'..
> callouts are also a listing criterion for ips.backscatterer.org which is
> a bit of a pain since I use that to get rid of the damn Russian servers
> that insist on accepting emails pretending to be me even though I have
> SPF records and then bounce the result back to me when they can't be
> delivered.

I have yet to see even ONE of those.

OTOH, at last count, we have 68 Russian ISP's blocked outright, plus more
than a few entire IP blocks in ipfw. ;-)

Bill

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
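An added illustration (not Bill's actual configuration) of how the three filter files he describes could be wired into Exim ACLs at the connect, HELO and RCPT stages; the ACL names, the VIP-pass key layout and the reject messages are assumptions.

```exim
# Added illustration, not Bill's configuration. ACL names, the
# VIP-pass key layout and the message texts are assumptions.
acl_smtp_connect = acl_check_connect
acl_smtp_helo    = acl_check_helo
acl_smtp_rcpt    = acl_check_rcpt

begin acl

acl_check_connect:
  # IP-white: one IP address or CIDR block per line. Listed sources are
  # accepted here even with a bad or missing PTR record.
  accept  hosts = /var/mail/filters/IP-white

  # Everyone else must have reverse DNS that forward-confirms.
  deny    !verify     = reverse_host_lookup
          message     = Rejected: no valid reverse DNS for $sender_host_address
          log_message = rDNS failure

  accept

acl_check_helo:
  # REGEXP-block: one domain-list item per line; lines starting with ^
  # are regular expressions, so the same file also serves acl_check_rcpt.
  accept  hosts = /var/mail/filters/IP-white
  deny    condition = ${if match_domain{$sender_helo_name}{/var/mail/filters/REGEXP-block}}
          message   = Rejected: HELO name is blocked
  accept

acl_check_rcpt:
  # VIP-pass: a "dumb" linear string lookup. Each line is a bare key,
  # either a sender domain or a sender>recipient pair, e.g. (constructed):
  #   example.org
  #   alice@example.org>bob@example.net
  accept  hosts     = /var/mail/filters/IP-white
  accept  condition = ${lookup{$sender_address_domain}lsearch{/var/mail/filters/VIP-pass}{yes}{no}}
  accept  condition = ${lookup{$sender_address>$local_part@$domain}lsearch{/var/mail/filters/VIP-pass}{yes}{no}}

  # Recipient domains matching REGEXP-block are refused.
  deny    domains = /var/mail/filters/REGEXP-block
          message = Rejected: domain $domain is blocked

  # The usual relay and recipient-verification checks follow here.
  deny    message = relay not permitted
```

The trade-off Bill notes is visible here: three small files are edited in one place, but each is consulted by more than one ACL on every connection.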
