Suggestion: Move some of the blacklists to acl_connect

interfasys

I think it would be more efficient to move some of the blacklists to acl_smtp_connect instead of keeping them in acl_smtp_rcpt.
 
It will end up being less efficient because the sending server may keep trying.

As posted on exim.org:
The majority of policy tests on incoming messages can be done when RCPT commands arrive. A rejection of RCPT should cause the sending MTA to give up on the recipient address contained in the RCPT command, whereas rejection at other times may cause the client MTA to keep on trying to deliver the message. It is therefore recommended that you do as much testing as possible at RCPT time.
It's an email specification issue.

Based on RFCs.

Jeff
 
OK, so based on that, the following changes should be made to your config:
  • In acl_connect: "deny message = Too quick on the draw - to unblock wait for helo/ehlo" should be removed
  • In acl_check_helo: All the deny ACLs should be moved to acl_smtp_rcpt
Otherwise, the MTA may keep trying as well.


I'm still curious as to which RFC this would break since this would be acting as a firewall (dropping at connect time) while we wait for the server's firewall to kick in once it gets the IPs.
 
You make a good point. I've obviously picked up various recommendations over the years. I'll look into this further today so I can hopefully start working on final release next week.

Jeff
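
For reference, an added example (not from the thread and not the configuration being discussed) of a DNS blacklist check placed in the RCPT ACL, the placement the quoted exim.org text recommends, with the connect-time ACL left empty. The ACL names acl_check_connect and acl_check_rcpt, the local_domains list and the list name dnsbl.example.org are assumptions.

```exim
# Main section: which ACL runs at each SMTP phase (ACL names are assumed).
domainlist local_domains = @
acl_smtp_connect = acl_check_connect
acl_smtp_rcpt    = acl_check_rcpt

begin acl

# Connect time: no blacklist lookup here, so nothing is rejected
# before the client has sent RCPT.
acl_check_connect:
  accept

# RCPT time: a rejection here is a rejection of the RCPT command itself.
acl_check_rcpt:
  # Do not apply the blacklist to local (non-TCP/IP) submissions
  # or to clients that have authenticated.
  accept  hosts         = :
  accept  authenticated = *

  # DNS blacklist lookup; dnsbl.example.org is a placeholder list name.
  deny    message       = $sender_host_address is listed in $dnslist_domain
          log_message   = DNSBL hit: $dnslist_domain ($dnslist_value)
          dnslists      = dnsbl.example.org

  # Remaining recipient policy: accept mail for local domains only.
  accept  domains       = +local_domains
  deny    message       = relay not permitted
```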
 