SpamBlocker-Powered exim.conf, Version 4

[nobaloney]

I didn't find in version 4

acl_connect:
accept hosts = *
delay = 3s - this line

is there a reason?

I don't see that anywhere in either my latest SpamBlocker version 4.1, or in the older one distributed by DirectAdmin. Where did you get your file?

Jeff

 

[interfasys]

It used to be there in v3, but it's best to split that rule in two:
- 3s delay for unknown senders
- no delay for authorized senders

 

[nobaloney]

Why is it helpful at all? Does it cause servers to drop and resend? Or just delay busy servers trying to do their jobs?

And how would you define an authorized sender?

There's got to be a reason why I dropped it; maybe it's because I thought it wasn't helpful.

So help me here .

Thanks.

Jeff

 

[interfasys]

You just delay busy servers which will wait anyway because they're polite . Some spammers won't wait and will get told off that way.
And you're right, I've just checked my code and you don't change the rule based on the sender, but based on the port. We force our customers to use port 587 for smooth email sending.

 

[nobaloney]

If my recollection is correct my latest SpamBlocker exim.conf file for DirectAdmin, Version 4.1, requires plaintext authentication over port 587, and doesn't allow receive before sending as authentication (though the code may still be there; I honestly don't remember).

I personally use (but not for everyone) an MX 0 (lowest cost [highest priority] MX) that doesn't answer at all. I consider that more polite, because we don't ask the busy server to wait 3 seconds, only to try again the newer MX. My experience has been that this also works because spammers often won't try second MX if first one doesn't respond.

What code would you recommend I use? And where do you put it?

Thanks.

Jeff

 

[interfasys]

I personally use (but not for everyone) an MX 0 (lowest cost [highest priority] MX) that doesn't answer at all. I consider that more polite, because we don't ask the busy server to wait 3 seconds, only to try again the newer MX. My experience has been that this also works because spammers often won't try second MX if first one doesn't respond.

We use the same trick and it does lighten the load. The delay is a historical feature. Lots of Exim scripts do delay connections, sometimes by adding more time at each retry. I haven't done my homework to figure out if the downsides outweigh the plus sides...
People on BlackBerry may want to remove it in order to get even more instant emails .

Here is something that works...

begin acl

#EDIT#24:
acl_connect:   
  # Accept right away messages sent on port 587
  accept  hosts = +auth_relay_hosts
          condition = ${if eq {$interface_port}{587} {yes}{no}}  
          
  # Accept hosts who are polite enough to wait rather than just send, as spammers do
  accept hosts = *
	     delay = 3s
         
  # Deny hosts who don't wait      
  deny message = Too quick on the draw - to unblock wait for helo/ehlo

 

[nobaloney]

I'll think about it and perhaps ask around. Please remind me in a week or so if you remember.

Thanks.

Jeff

 

[unihostbrasil]

I personally use (but not for everyone) an MX 0 (lowest cost [highest priority] MX) that doesn't answer at all. I consider that more polite, because we don't ask the busy server to wait 3 seconds, only to try again the newer MX. My experience has been that this also works because spammers often won't try second MX if first one doesn't respond.

For those who want to know more about this technique, it is called "nolisting":

http://nolisting.org/
http://en.wikipedia.org/wiki/Nolisting

We also use it with success.

 

[interfasys]

And a simple way to implement it is just to use one of the billion IPv6 your DC has given you as a dead IP for your MX.

 

[emmanuel]

I don't remember why I've removed them. I have been thinking of reinserting them.

More comments?

Jeff

It's a good setting to have in by default. I used to get server lock up bad when customers set a vacation message and goes off for a few days, then get hit by another server's auto/vacation message. What makes it worse is if the other mailbox is also full or undeliverable.

It won't be noticed initially while the mailbox has space or just exceeded. But at some point, the size of the queue reaches a tipping point and the whole thing just goes dead until a reboot followed by stopping exim before it can get started again.

On the other hand, I suppose if you had implemented quota checking during smtp, before accept, then this may had been removed since it won't be necessary anymore.

However, I just looked at the v4 conf file I downloaded to deal with backscatter and it doesn't seem like any pre-accept quota checking is in?

 

[jjma]

Strange Clamd/exim Issue

Installed the latest version 4 of spamblocker. Installed clamd via custombuild using the default set-up and have enabled the following in exim.conf:

av_scanner = clamd:/var/run/clamav/clamd

And enabled all the clamd parts thereafter but the issue I receive upon sending is:

malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd.pid (Permission denied)

This indicated that the path is wrong to the clamd file but the directory is there and the clamd process running:

tcp 0 0 127.0.0.1:3310 0.0.0.0:* LISTEN 0 7752 5502/clamd

Any ideas?


Jon

 

[SeLLeRoNe]

Use the:

av_scanner = clamd:127.0.0.1 3310

option in exim.conf instead of pid/sock file and restart exim.

Regards

 

[donkeyKICK]

I'm having a strrange problem with my Android phone and Spamblocker 4. Note that spamblocker 3.1-beta was working. I only replaced the exim.conf and the exim.pl to break it.

I get an error in my logs

2012-01-13 11:01:59 H=82.sub-166-250-69.myvzw.com (10.187.38.2) [166.250.69.82] rejected EHLO or HELO 10.187.38.2: HELO is an IP address (See RFC2821 4.1.3)

So I commented out in EDIT#25 the part saying to check if HELO is an IP. That stopped it from logging that error but mail still doesn't go out. Any idea's

 

[donkeyKICK]

Okay, I don't know why, but deleting the account that was working fine on my phone and adding it back fixed the problem after commenting out the line in EDIT#25. The real question is what are the ramifications of letting HELO be an IP address?

 

[NoBaloney2]

My guess is that deleting and re-adding the account probably caused something to run automatically to figure out what the server requires. The newest SpamBlocker exim.conf file is more picky about how it accepts email for transit off the server.

You've had to change your settings to allow HELO to be an IP address because your cellphone vendor isn't using a hostname in the HELO, as it should. The ramification is that you may end up getting more spam; many spammers use IP#s in their HELO.

You could probably change your exim.conf file to allow IP#s only when submitting authenticated email on port 587, but I've not looked into how to do that.

Jeff

 

[donkeyKICK]

You've had to change your settings to allow HELO to be an IP address because your cellphone vendor isn't using a hostname in the HELO, as it should. The ramification is that you may end up getting more spam; many spammers use IP#s in their HELO.

You could probably change your exim.conf file to allow IP#s only when submitting authenticated email on port 587, but I've not looked into how to do that.

Jeff

I've had to do a few other mods to get email going. HELO seems to be the only thing I am having trouble with. I had to disable a couple of the checks in EDIT#27 as well (P.S. Loving the EDIT# documentation, makes your SpamBlocker 1000% easier to configure. thanks!)

I've Googled HELO a bit, but haven't really found a brief explaination. From what I gather it is a newer protocol that uses FQDN for a handshake. Seems like a good idea, but I've been getting complaints about good mail not being able to get thru.

 

[NoBaloney2]

By default we only use the first and third stanzas under EDIT#27. The others appear problematic to me. Which ones do you use? Not use?

Jeff

 

[donkeyKICK]

By default we only use the first and second stanzas under EDIT#27. The others appear problematic to me. Which ones do you use? Not use?

Jeff

I am only using #3 (EDIT#27 deny #3), the others are all commented out.

 

[NoBaloney2]

Sorry, my error. We use first and third. I've corrected my post.

HELO has been around almost forever, most of now use EHLO, to advertise extended capabilities, but the rules are similar.

Everything should work with #3 enabled; you might just get some additional spam if #1 isn't enabled as well.

Jeff

 

[Derevko]

Dnsbl check seems not work

Hi!

I edited the default conf, but it seems that dnsbl check doesn't work. Has someone an hint? (This is the first time I configure an exim mail server, so apologize in advance if it is a trivial issue.)

use_rbl_domains is a symlink to domains

My orig/myconf diff:

--- SpamBlockerTechnology-Version-4.1.exim.conf.txt.orig	2012-02-13 18:03:15.619666818 +0100
+++ /etc/exim.conf	2012-02-18 15:45:33.095466016 +0100
@@ -57,10 +57,10 @@
 # CONFIGURATION STARTS HERE
 
 #EDIT#1:
-# primary_hostname =
+primary_hostname = xxxxxxxxxxxxxxx
 
 #EDIT#2-CLAMAV:
-# av_scanner = clamd:/var/run/clamav/clamd
+av_scanner = clamd:/tmp/clamd.socket
 
 #EDIT#3:
 # qualify_domain =
@@ -81,7 +81,7 @@
 local_from_check = false
 
 #EDIT#9:
-message_size_limit = 20M
+message_size_limit = 70M
 smtp_receive_timeout = 5m
 smtp_accept_max = 100
 message_body_visible = 3000
@@ -136,7 +136,7 @@
 hostlist whitelist_hosts_ip = /etc/virtual/whitelist_hosts_ip
 
 #EDIT#15:
-#domainlist skip_av_domains = lsearch;/etc/virtual/skip_av_domains
+domainlist skip_av_domains = lsearch;/etc/virtual/skip_av_domains
 
 #EDIT#16:
 hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts : 127.0.0.1
@@ -244,8 +244,8 @@
   #       condition  = ${if match{$sender_helo_name}{\N\.home$\N}}
 
 #EDIT#28:
-  # warn domains = +skip_av_domains
-  # set acl_m0 = $tod_epoch
+  warn domains = +skip_av_domains
+  set acl_m0 = $tod_epoch
 
 #EDIT#29:
   deny  domains       = !+local_domains
@@ -319,12 +319,14 @@
        !authenticated = *
        dnslists = \
        cbl.abuseat.org : \
-       dnsbl.njabl.org : \
        bl.spamcop.net : \
        dnsbl.ahbl.org : \
        combined.rbl.msrbl.net : \
-       b.barracudacentral.org : \
        zen.spamhaus.org : \
+       dul.dnsbl.sorbs.net : \
+       combined.njabl.org : \
+       bhnc.njabl.org : \
+       psbl.surriel.com : \
        hostkarma.junkemailfilter.com=127.0.0.2
 
 #EDIT#42:
@@ -366,27 +368,27 @@
 
 #EDIT#46:
   ## accept without checking if in skip_av_domains
-  # accept condition =${if and {{def:acl_m0}{def:acl_m0}} {true}{false}}
+   accept condition =${if and {{def:acl_m0}{def:acl_m0}} {true}{false}}
 
   ## deny if email contains malformed MIME header
-  # deny message = This message contains malformed MIME (malformed_MIME:$demime_reason)
-  # demime = *
-  # condition = ${if >{$demime_errorlevel}{2}{1}{0}}
+   deny message = This message contains malformed MIME (malformed_MIME:$demime_reason)
+   demime = *
+   condition = ${if >{$demime_errorlevel}{2}{1}{0}}
 
   ## deny if email containing virus or other harmful content
-  # deny message = This message contains a virus or other harmful content (virus_in_message:$malware_name)
-  # demime = *
-  # malware = *
+   deny message = This message contains a virus or other harmful content (virus_in_message:$malware_name)
+   demime = *
+   malware = *
  
   ## deny  if email contains an attachment of type we don't accept.
-  # deny message = This message contains an attachment of a type which we do not accept (attachment_not_allow:.$found_extension)
-  # demime = bat:com:pif:prf:scr:vbs:html
+   deny message = This message contains an attachment of a type which we do not accept (attachment_not_allow:.$found_extension)
+   demime = bat:com:pif:prf:scr:vbs:html
  
   ## Accept but put warning into headers if message over 1000k
-  # warn message = X-Antivirus-Scanner: Skipped scanning; size over 1000K. You should use an Antivirus Scanner
-  # condition = ${if >={$message_size}{1000k} {1}{0}}
+   warn message = X-Antivirus-Scanner: Skipped scanning; size over 1000K. You should use an Antivirus Scanner
+   condition = ${if >={$message_size}{1000k} {1}{0}}
  
-  # warn message = X-Antivirus-Scanner: Seems clean.  You should still use an Antivirus Scanner
+   warn message = X-Antivirus-Scanner: Seems clean.  You should still use an Antivirus Scanner
 
   ## The end of the acl_check_message acl (ClamAV)
   ## Do NOT comment out the line below or all messages will be denied.
@@ -438,19 +440,19 @@
 #DIRECTORS CONFIGURATION
 
 #EDIT#50:
-# spamcheck_director:
-#   driver = accept
-#   condition = "${if and { \
-#    {!def:authenticated_id} \
-#    {!def:h_X-Spam-Flag:} \
-#    {!eq {$received_protocol}{spam-scanned}} \
-#    {!eq {$received_protocol}{local}} \
-#    {exists{/home/${lookup{$domain}lsearch{/etc/virtual/domainowners}{$value}}/.spamassassin/user_prefs}} \
-#    {<{$message_size}{100k}} \
-#    } {1}{0}}"
-#  retry_use_local_part
-#  transport = spamcheck
-#  no_verify
+ spamcheck_director:
+   driver = accept
+   condition = "${if and { \
+    {!def:authenticated_id} \
+    {!def:h_X-Spam-Flag:} \
+    {!eq {$received_protocol}{spam-scanned}} \
+    {!eq {$received_protocol}{local}} \
+    {exists{/home/${lookup{$domain}lsearch{/etc/virtual/domainowners}{$value}}/.spamassassin/user_prefs}} \
+    {<{$message_size}{100k}} \
+    } {1}{0}}"
+  retry_use_local_part
+  transport = spamcheck
+  no_verify
 
 majordomo_aliases:
   driver = redirect
@@ -691,6 +693,12 @@
 #COMMENT#61:
 remote_smtp:
   driver = smtp
+  interface = 89.163.177.50
+  dkim_domain = $sender_address_domain
+  dkim_selector = x
+  dkim_private_key = ${if exists{/etc/virtual/$sender_address_domain/dkim.private.key}{/etc/virtual/$sender_address_domain/dkim.private.key}{0}}
+  dkim_canon = relaxed
+  dkim_strict = 0
 
 #EDIT#62:
 address_pipe: