Discussion about revision of some checks in Spamblocker 4

Dennis

Hi Jeff,

Here are my thoughts about the checks in the first part of the exim.conf. I am beginning at the "# Access Control Lists" part. The info before the checks is well thought of and does not need to be changed, in my opinion.
I am not an email expert, I am just looking through the process. All credits go to Jeff for setting this up in the first place :)

I am not going to copy and paste the readme file, so open it with this post: Readme and the exim.conf

Still I will begin at the beginning of email handling to make the process complete:
The very first thing of email is to make a connection with the email server and that is on ports 25 and/or 587. Host/IP lookup and RFC1413 are necessary to already prevent wrong communication and time-consuming actions.

#EDIT25
The part where it counts starts here. These are the HELO messages the other server is sending. This is the second step, otherwise there is no communication. So if this is bogus already, close the connection, which it does. I have read the post in the readme and the checks are all there, so well thought of and no change.

#EDIT26
Checks of recipients are needed now. The first check is illegal parts of the address. I think after this deny all other things first before checking any authentication. So the "# Deny all Mailer-Daemon messages not for us:" and "# Deny if the recipient doesn't exist:" before the authentication on port 587. If it is already a false address why authenticate it first?
The last check "# Remaining Mailer-Daemon messages must be for us" moves after #EDIT 42, after all the blacklist and whitelist checks are done. If it still is a Mailer-Daemon for us then deliver it. A customer of mine pointed out that the mail said it was blocked by spamlists but he still got it...I had no good explanation for that :)

#EDIT27
These HELO (EHLO) checks are done after the authentication in #EDIT26 so they need to be here and indeed they need to be checked immediately after the authentication on port 587.

#EDIT28
ClamAV is very nice to install and use for your customers, they feel more "secure". I use ClamAV so this is needed to check the emails on malware or other bad things...before it does anything with it. (This is only a warning btw to domains that are skipped.)

#EDIT29
Some checks on the address when it is sent from scripts on your server. Very handy if accounts are hacked and the admin does not know about it.

#EDIT30
Check for sending over local SMTP. Does this mean it needs all the checks above? Maybe this can be placed in the beginning of the "acl_check_recipient:"? Still it is not necessary....

#EDIT31 and #EDIT32
No comments here, we need to check if the IP or address is whitelisted by the admins.

#EDIT33 and #EDIT34
Also no comment, check own blacklist first indeed to already deny the message or sender.

#EDIT35
This really helps for Dutch providers. Before this option I had a whitelist with almost all ISPs in the Netherlands. Still some are needed.

#EDIT36 and #EDIT37
Got this commented out, personal reasons. The right place though.

#EDIT38
Why is this not a default? Can you explain a bit more Jeff? Is this because of webservers that only send mail but do not have a mailserver for example? Maybe this can be placed after #EDIT42?

#EDIT39 to #EDIT42
These blacklists are almost last in line. Maybe at #EDIT40 we can add more domains which send false emails like banks or something...

#EDIT42A
The quickfix for the "Mailer-Daemon messages that are for us". All checks are done and the mail is still here so accept it.

Conclusion
Really not much of changing in the checks. So I think it is well thought of. Maybe slight things can be done but overall it works like a charm.

Hope to get more reactions and thoughts about this so we can help Jeff.
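
Added example (not part of the original posts, and not SpamBlocker's own code): a small Python model of first-match ACL evaluation, showing why the position of the "Remaining Mailer-Daemon messages must be for us" accept relative to the blacklist checks changes the outcome. Rule names, message fields and sample messages are constructed for illustration.

```python
# Toy model of first-match ACL processing: the first accept/deny rule whose
# condition matches ends evaluation. Constructed illustration, not exim.conf.

def evaluate(acl, msg):
    """Return (verdict, rule_name) for the first matching rule."""
    for verb, name, cond in acl:
        if cond(msg):
            return verb, name
    return "deny", "implicit deny at end of ACL"

# Hypothetical rules named after the checks discussed in the post.
no_such_rcpt  = ("deny",   "recipient does not exist", lambda m: not m["rcpt_exists"])
bounce_for_us = ("accept", "Mailer-Daemon for us",
                 lambda m: m["sender"] == "" and m["rcpt_local"])  # null sender = bounce
whitelisted   = ("accept", "whitelisted host",         lambda m: m["whitelisted"])
own_blacklist = ("deny",   "own blacklist",            lambda m: m["own_blacklisted"])
dns_blacklist = ("deny",   "DNS blacklist",            lambda m: m["dnsbl_listed"])
local_rcpt    = ("accept", "local recipient",          lambda m: m["rcpt_local"])

# Bounce accept placed before the blacklists.
ORIGINAL = [no_such_rcpt, bounce_for_us, whitelisted,
            own_blacklist, dns_blacklist, local_rcpt]
# Bounce accept moved after all whitelist/blacklist checks (the proposed order).
REVISED  = [no_such_rcpt, whitelisted, own_blacklist,
            dns_blacklist, bounce_for_us, local_rcpt]

def sample(**overrides):
    """Constructed sample message; defaults describe a clean bounce to a local user."""
    msg = {"sender": "", "rcpt_exists": True, "rcpt_local": True,
           "whitelisted": False, "own_blacklisted": False, "dnsbl_listed": False}
    msg.update(overrides)
    return msg

def compare(msg):
    """Verdicts for the same message under both rule orders."""
    return evaluate(ORIGINAL, msg), evaluate(REVISED, msg)

if __name__ == "__main__":
    for label, msg in [("clean bounce", sample()),
                       ("bounce from DNSBL-listed host", sample(dnsbl_listed=True)),
                       ("bounce to unknown recipient", sample(rcpt_exists=False))]:
        print(label, compare(msg))
```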
 
> #EDIT38
> Why is this not a default? Can you explain a bit more Jeff? Is this because of webservers that only send mail but do not have a mailserver for example? Maybe this can be placed after #EDIT42?

Actually if you look at the file itself you'll see it is the default; documentation in error.

More later, as I move closer to implementation.

Jeff
 