email processing order

B

Bschneider

Verified User
Joined
Sep 22, 2007
Messages
20
I am using RBL in combination with Spam Assassin to prevent spam. It looks like when an email is received it checks RBL first, then checks to see if the email recipient is valid, then Spam Assassin process it. If all three check out, then the email is delivered into the user inbox.

I was wondering what I needed to do to have Exim check to see if the email recipient is valid first and foremost. If it is then proceed to check the RBLs and then Spam Assassin. By checking the recipient first I can probably eliminate some bandwidth and processing that it needs to check the RBLs against.
 
There's probably a way to do it, but I don't know it, and I'm the guy who writes/maintans exim.conf (at least for now :)).

Our exim.conf file checks for users at the router level. The ACLs (including blocklists) need to come before the routers. If you or someone else knows an easy way to do the check before the router level, let me know, and I'll look into it.

Jeff
 
Thanks Jeff for the response.

I found this while searching for a solution. It looks like someone else asked the same thing (on a different forum) a couple of years ago. Problem is I am not quite sure where to begin....

http://forums.rvskin.com/index.php?showtopic=1114

It appears that it needs a verify receipt somewhere..

Code: 
!verify = recipient
 
Last edited:
I think I found the issue and the simple solution. I've implemented and so far so good.. please let me know what you think. Perhaps you can put the change in your master exim.conf?

Somewhat original code.. the exception is the RBL section. Ive combined all of them into one ..and used ${dnslist_text} instead of a custom message.

Code: 
# Next deny stuff from more "fuzzy" blacklists
# but do bypass all checking for whitelisted host names
# and for authenticated users

# deny using RBL lists
  deny message = ${dnslist_text}
       hosts = !+relay_hosts
       domains = +use_rbl_domains
       !authenticated = *
       dnslists = cbl.abuseat.org : b.barracudacentral.org : bl.spamcop.net

# accept if address is in a local domain as long as recipient can be verified
  accept  domains = +local_domains
          endpass
          message = "Unknown User"
          verify = recipient

# accept if address is in a domain for which we relay as long as recipient
# can be verified
  accept  domains = +relay_domains
          endpass
          verify=recipient

So I just swapped the sections..

Code: 
# accept if address is in a local domain as long as recipient can be verified
  accept  domains = +local_domains
          endpass
          message = "Unknown User"
          verify = recipient

# accept if address is in a domain for which we relay as long as recipient
# can be verified
  accept  domains = +relay_domains
          endpass
          verify=recipient

# Next deny stuff from more "fuzzy" blacklists
# but do bypass all checking for whitelisted host names
# and for authenticated users

# deny using RBL lists
  deny message = ${dnslist_text}
       hosts = !+relay_hosts
       domains = +use_rbl_domains
       !authenticated = *
       dnslists = cbl.abuseat.org : b.barracudacentral.org : bl.spamcop.net

Now so far, as i am tailing my mainlog, I see all of the invalid emails being blackholed. I continue this for a few days to see if I have any issues.
 
eureka! I believe I have it this time.. and it is what I thought it was in the beginning.. !verify = recipient.. and yes it would have worked with the swapping of the sections in my first try but I forgot I needed the Catch all set to Fail.


Code: 
# check to see if the recipient is valid
  deny domains = +local_domains
        !verify = recipient

This above lines are placed just below the following:

Code: 
# to block certain wellknown exploits, Deny for local domains if
# local parts begin with a dot or contain @ % ! / |
  deny  domains       = +local_domains
        local_parts   = ^[.] : ^.*[@%!/|]
 
Last edited:
Bschneider said:
Now so far, as i am tailing my mainlog, I see all of the invalid emails being blackholed. I continue this for a few days to see if I have any issues.
Click to expand...
It looks to me that what you're doing is accepting all email before you're even checking blocklistgs, if the recipient exists.

Jeff
 
Bschneider said:
eureka! I believe I have it this time.. and it is what I thought it was in the beginning.. !verify = recipient.. and yes it would have worked with the swapping of the sections in my first try but I forgot I needed the Catch all set to Fail.
Click to expand...
Let it run a week and then bring it to my attention.

Thanks!

Jeff
 
Thanks. I'll give it a try on my personal testbed. Remind me in another week and I'll implement it if it hasn't given me any problems.

:)

Jeff
 
How did it go with your test bed?

So far I implemented it on two of our servers and no issues on either of them, as far as I have noticed. :)
 
Jeff, under an alternative identity here.

I've just added it to my personal release candidate file today.

Jeff
 
Been running it as part of our new RC for twenty-four hours; I'll be adding the new RC to my downloads page, and announcing it, this evening (my time). Hopefully by the weekend we'll have a new version out.

Jeff
 
You must log in or register to reply here.
Back
Top