SpamBlocker-Powered exim.conf, Version 4

How do you know it's not working? Have you looked in your /var/log/rejectlog?

Did you add and configure the files required in /etc/virtual ?

Note that while I can certainly help you troubleshoot as a service, it would be less expensive to have me install the package. Then you can do a diff on my install vs yours.

Information here (nobaloney.net).

Jeff
 
I noted some mobile clients use the IP address in the HELO, and so if the check is enabled they are blocked before they authenticate.
I fixed this by adding a "condition = ${if eq{$interface_port}{25}}" in the acl_check_helo:

Code:
# deny if the HELO is an IP address
    deny message = HELO is an IP address (See RFC2821 4.1.3) - Please use port 587 for auth
         condition   = ${if eq{$interface_port}{25}}
         condition   = ${if isip{$sender_helo_name}}

In this way if they use port 587 they are not blocked.
 
Good idea. I'll soon be starting a section here (perhaps just a thread, perhaps a subforum) for the next version of SpamBlocker exim.conf. Please put the suggestion when I open it up for suggestions.

Thanks.

Jeff
 

Thanks a lot.

Without this line in your config file, Android 3.0 users can't set up their mail.
It fixes the "Server unexpected error" and "Connection Error" on Android (3.0) devices.
 
Don't forget to post this when I ask for suggestions for the next version of SpamBlocker.

Jeff
 
Hi All, I'm receiving spam mails from the same domain lately. I'll block it, but I want to figure out how it passes those filters first. SpamAssassin thinks it's a local mail, so the score is always below zero, but I believe SpamBlocker denies hosts pretending to be my host.

I'm using SpamBlocker 4.1. I pasted the header below, so can you tell me if it passes SpamBlocker or if it's just dumb SpamAssassin?
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Fri, 16 Mar 2012 11:35:15 +0200
Received: from mail by myhost.mydomain.com with spam-scanned (Exim 4.73)
(envelope-from <[email protected]>)
id 1S8TYz-0005Ve-KZ
for [email protected]; Fri, 16 Mar 2012 11:35:15 +0200
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on myhost.mydomain.com
X-Spam-Level:
X-Spam-Status: No, score=-1.4 required=3.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,FROM_LOCAL_NOVOWEL,HK_RANDOM_ENVFROM,HTML_MESSAGE,
MISSING_MID,RP_MATCHES_RCVD,SPF_NEUTRAL autolearn=no version=3.3.2
Received: from m5-81.konuk.net ([184.173.135.81])
by myhost.mydomain.com with esmtp (Exim 4.73)
(envelope-from <[email protected]>)
id 1S8TYz-0005VO-6q
for [email protected]; Fri, 16 Mar 2012 11:35:09 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; s=knet; d=konuk.net;
h=Subject:MIME-Version:Date:Sender:To:Content-Type:From:List-Unsubscribe;
bh=/+kl0GqQhSJ1UmL5YllGhPFWG6+u8ILPoQBi8w6rfBk=;
b=rUXb8LJUWdpLI9Fd4Q3xIWdQvdYFfd1ik5mt46/F2ejokmbEMoHpGUJgoz2XNUPZo66QprEyDx0M
/NtEa4rBm43qRIuZsc3S3IZDQFSD6lCDSOCHjdH4MlFLRsE1T9qQDgjLP+PVruaX4nxLyQM+Kch7
Iw9k0PXUb27Qm4MDeF4=
X-RCPT-To: "[email protected]"
Subject: re:
MIME-Version: 1.0
Date: Fri, 16 Mar 2012 11:35:59 +0200
X-Mailer-SenderId: TC8mGg
Sender: [email protected]
To: "[email protected]"@myhost.mydomain.com
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_00klrsU0_275wrcqG8nScdug3g6Tq75.26mlV0fH7kcTdf879"
From: "=?iso-8859-9?B?YmFrYXIgbf1z/W4gPw==?=" <[email protected]>
List-Unsubscribe: <http://www.konuk.net/system/[email protected]&aid=JfWPCc&lang=Tr&m=209>,<mailto:[email protected][email protected]>
Errors-To: "[email protected]"
Message-Id: <[email protected]>

Also, this konuk.net domain is a spammer; they even have a website which says that they can send spam mails for you for a price. But their IP addresses and domain are clean on blacklists. How could this happen?

Thanks
 
If it's on your server, it's passed SpamBlocker. SpamBlocker refuses to accept emails from hosts classified as sending spam by the various RBLs it uses.

SpamBlocker blocks only on sender reputation, and its effectiveness changes from time to time. Are you using my latest version? If so, have you enabled all the RBLs?

The reason we have the local blacklists and whitelists is specifically so you can add a server or sender.

Jeff
 
Thanks Jeff. I believe it's the latest, version 4.1, and I enabled all RBLs, but the thing here that I can't believe is that this domain publishes itself as a relay SMTP service which sends spam mails for its clients, and it's still not in any of these RBLs. Is there a way to get it listed?

Also, in this e-mail header, which was delivered without any blocks, SpamAssassin marked it as a local delivery. I'm checking SpamBlocker's exim.conf file, and at the EDIT 25 section it seems like it has the ability to block if the HELO pretends to be my host. Is it possible it can get confused?
 
I'm sorry, I feel stupid. I was rechecking the SpamAssassin rules and I realized that I'd confused FROM_LOCAL_NOVOWEL with FROM_LOCAL; that's why I thought it was a local delivery and had a minus score. I'm sorry for bothering you.
 
About larger emails + attachments...

It seems like when you set message_size_limit = 100M in exim.conf
and use ClamAV with the scan limit set to 1000K (condition = ${if >={$message_size}{1000k} {1}{0}}) in exim.conf, the email still goes through clamd.

Because if you don't set the StreamMaxLength in clamd.conf equal to message_size_limit in exim.conf, it generates errors like these:
in the receiving mail server log
2012-05-03 16:36:59 1SPx9M-0002GW-5Y malware acl condition: clamd: unable to send file body to socket (127.0.0.1:3310)
2012-05-03 16:36:59 1SPx9M-0002GW-5Y H=blablabla [123.456.789.110] F=<bla@blablabla> temporarily rejected after DATA
and in clamd.log
WARNING: INSTREAM: Size limit reached, (requested: 30305991, max: 26214400)
and in the mail log on the sending email server
2012-05-03 12:54:06 SMTP error from remote mail server after end of data: host blablabla [789.456.123.112]: 451 Temporary local problem - please try later
2012-05-03 12:54:06 [email protected] <[email protected]> R=lookuphost T=remote_smtp defer (-46): SMTP error from remote mail server after end of data: host blablabla [123.456.789.110]: 451 Temporary local problem - please try later


But why would Exim still send the email through clamd if the email is larger than 1000K anyway?


This was both a question and a howto for fixing these errors, for those who need it ;)
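As an added example (not code from this thread or from SpamBlocker), a small Python checker for the three settings this post ties together: it reads message_size_limit from exim.conf and StreamMaxLength from clamd.conf (falling back to the defaults of 50M and 25M when unset), evaluates the quoted ACL size condition for a given message size (as written, with >=, it is true for messages of 1000K and above), and pulls the requested/max numbers out of the clamd WARNING line. The config fragments and log line are constructed to mirror the post.

```python
import re

# K/M/G multipliers; exim.conf and clamd.conf both treat K as 1024 bytes.
UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
# Numeric comparison as used in the ACL condition quoted above, e.g. ${if >={$message_size}{1000k}{1}{0}}
ACL_RE = re.compile(r"\$\{if\s*(>=|<=|>|<|=)\s*\{\$message_size\}\s*\{([^}]+)\}")
OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
       "<": lambda a, b: a < b, "=": lambda a, b: a == b}
CLAMD_WARN_RE = re.compile(r"INSTREAM: Size limit reached, \(requested: (\d+), max: (\d+)\)")

def parse_size(text):
    # "100M", "1000k", "26214400" -> bytes
    m = re.fullmatch(r"\s*(\d+)\s*([kKmMgG]?)\s*", text)
    if not m:
        raise ValueError("not a size: %r" % text)
    return int(m.group(1)) * UNITS[m.group(2).upper()]

def setting(conf, name, sep):
    # exim.conf uses "name = value", clamd.conf uses "Name value"; commented-out lines do not match
    m = re.search(r"^\s*%s\s*%s\s*(\S+)" % (re.escape(name), sep), conf, re.M)
    return m.group(1) if m else None

def scan_condition_true(exim_conf, message_bytes):
    # Evaluate the malware ACL's size condition for a message of message_bytes bytes.
    m = ACL_RE.search(exim_conf)
    if not m:
        return None  # no size condition found: every message would be scanned
    return OPS[m.group(1)](message_bytes, parse_size(m.group(2)))

def check_limits(exim_conf, clamd_conf, clamd_log=""):
    # Can clamd take the largest message Exim accepts, and would that message be sent to it?
    msl = parse_size(setting(exim_conf, "message_size_limit", "=") or "50M")  # Exim default 50M
    sml = parse_size(setting(clamd_conf, "StreamMaxLength", "") or "25M")    # clamd default 25M
    result = {"message_size_limit": msl, "StreamMaxLength": sml,
              "clamd_accepts_largest": sml >= msl, "largest_is_scanned": scan_condition_true(exim_conf, msl)}
    w = CLAMD_WARN_RE.search(clamd_log)
    if w:  # the clamd.log line in the post gives the body size and the limit it hit
        result["oversize_body"], result["clamd_max"] = int(w.group(1)), int(w.group(2))
    return result

# Constructed fragments mirroring the post: 100M Exim limit, the quoted >= 1000k condition,
# and a clamd.conf where StreamMaxLength is still commented out (so the 25M default applies).
EXIM_CONF = "message_size_limit = 100M\n  condition = ${if >={$message_size}{1000k} {1}{0}}\n"
CLAMD_CONF = "#StreamMaxLength 25M\nLogTime yes\n"
CLAMD_LOG = "WARNING: INSTREAM: Size limit reached, (requested: 30305991, max: 26214400)"
```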
 
I don't know. Perhaps you can check it by setting extremely low limits (in bytes), and then using exim -bh to simulate a message and see what's triggered.

Jeff
 
I did search, but wanted to make sure.

I've just changed to 4.1, and some clients are complaining about not being able to send mail using Outlook. It seems that the HELO response is to blame:
eg
2012-07-25 09:19:08 H=114.xxx.189.80.dyn.plus.net (JackiePC) [80.189.176.xxx] F=<office@xxxx> rejected RCPT <[email protected]>: R1: HELO should be a FQDN or address literal (See RFC 2821 4.1.1.1)
2012-07-25 09:19:11 H=114.xxx.dyn.plus.net (JackiePC) [80.189.176.xxx] incomplete transaction (QUIT) from <office@xxxxxx>

So, do I advise them to use port 587 (going by #4 in http://www.directadmin.com/forum/showthread.php?t=36481&page=1 )?
 
How do you tell what port is used? As this client says they are still getting the "HELO should be a FQDN or address literal" even on port 587.
I guess going by the logs, this "P=esmtpa" determines the port and/or authentication? As that goes through ok.
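As an added example (not code from this thread or from SpamBlocker), a small Python parser over constructed Exim log lines that helps answer the question in this post and triage the HELO rejections shown earlier in the thread: it reads the H=, P= and A= fields, treats P=esmtpa/esmtpsa (or a present A= field) as the log's record that SMTP AUTH succeeded, and classifies the HELO string as FQDN, address literal, bare IP or bare name, which is the distinction both the "FQDN or address literal" rule and the "isip" rule turn on. The sample lines are constructed to resemble those quoted in the thread.

```python
import re
import ipaddress
# Regexes for the Exim log fields used here (written for this example, not Exim's own code).
HOST_RE = re.compile(r"H=(?:(?P<host>[^\s(]+) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\]")
FIELD_RE = re.compile(r"(?<!\S)(?P<key>[A-Z])=(?P<val>\S+)")
REJECT_RE = re.compile(r"rejected (?P<stage>\w+)(?: <[^>]*>)?: (?P<reason>.*)$")

# Constructed sample lines shaped like the rejections quoted in this thread (not real traffic).
SAMPLE_LOG = [
    "2012-07-25 09:19:08 H=114.xxx.189.80.dyn.plus.net (JackiePC) [80.189.176.xxx] F=<office@example.net> rejected RCPT <user@example.org>: R1: HELO should be a FQDN or address literal (See RFC 2821 4.1.1.1)",
    "2012-07-25 09:25:40 1SuXyz-0001aB-Cd <= office@example.net H=114.xxx.189.80.dyn.plus.net (JackiePC) [80.189.176.xxx] P=esmtpa A=login:office@example.net S=2048",
    "2012-07-25 10:02:13 H=(192.0.2.7) [192.0.2.7] F=<phone@example.net> rejected RCPT <user@example.org>: HELO is an IP address (See RFC2821 4.1.3) - Please use port 587 for auth",
]

def classify_helo(helo):
    # RFC 2821 4.1.1.1 allows a FQDN or a bracketed address literal; SpamBlocker's
    # "isip" condition catches a bare IP; a bare name like "JackiePC" satisfies neither.
    literal = helo.startswith("[") and helo.endswith("]")
    try:
        ipaddress.ip_address(helo[1:-1] if literal else helo)
        return "address-literal" if literal else "bare-ip"
    except ValueError:
        return "invalid" if literal else ("fqdn" if "." in helo else "bare-name")

def parse_line(line):
    # Pull client IP, HELO, auth state and rejection reason from one Exim log line.
    m = HOST_RE.search(line)
    if not m:
        return None
    fields = {f.group("key"): f.group("val") for f in FIELD_RE.finditer(line)}
    # Exim omits "(helo)" when it equals the host name, so fall back to the host.
    helo = m.group("helo") if m.group("helo") is not None else (m.group("host") or "")
    rej = REJECT_RE.search(line)
    return {
        "ip": m.group("ip"),
        "helo": helo,
        "helo_class": classify_helo(helo),
        # P=esmtpa / P=esmtpsa record that SMTP AUTH succeeded (A= names the authenticator);
        # the line does not state the port, so this is the field to check for port-587 submissions.
        "authenticated": fields.get("P") in ("esmtpa", "esmtpsa") or "A" in fields,
        "rejected": rej is not None,
        "reason": rej.group("reason") if rej else "",
    }

def helo_rejections(lines):
    # Count unauthenticated rejections per HELO class: shows which clients the HELO ACLs turn away.
    counts = {}
    for rec in filter(None, map(parse_line, lines)):
        if rec["rejected"] and not rec["authenticated"]:
            counts[rec["helo_class"]] = counts.get(rec["helo_class"], 0) + 1
    return counts
```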
 
If the worst comes to the worst, apart from more spam getting through, are there any other drawbacks in removing this check to allow anyone on port 25?
 
Well, I'm not totally sure, but it would allow everyone to send from your server, so you would be an open relay and your IP would soon be flagged as a "spammer".

Maybe I'm wrong; wait for another reply/confirmation about that.

Regards
 
I mean a more relaxed HELO condition, sorry; I had a bad day and didn't explain clearly. That's if you can? Although, I see !authenticated = * in the HELO ACLs, so there's no way around using port 587, unless, like me, connections have a valid PTR/rDNS record (I can send via port 25 with no problems).
 