Mailing List Archive: exim: users

Backscatter & Sender callouts.

Index | Next | Previous | View Threaded

gpeel at thenetnow

Oct 28, 2009, 7:34 AM

Post #1 of 6 (268 views)
Permalink

Backscatter & Sender callouts.

Hi all,

I am having a problem with a server getting listed on ips.backscatterer.org.

I have been researchng and reviewing the config shown below, but am not 'getting it'.

I want to allow bounces to local addresses only.

Also, I am not so sure I understand the verify / callback process vrs. the config below.

If anyone cares to review it and comment, I would be greatful.

-Grant

######################################################################
# MAIN CONFIGURATION SETTINGS #
######################################################################
primary_hostname = thishost.mydomain.com
domainlist local_domains = /etc/virtual/domains
domainlist filtered_domains = /etc/virtual/filtered_domains
hostlist filtering_hosts = /etc/virtual/filtering_hosts
domainlist relay_to_domains =
hostlist relay_from_hosts = /etc/virtual/domains
hostlist blacklisted_domains = /etc/virtual/blacklist
hostlist spf_bypass = /etc/virtual/spf_bypass
hostlist whitelist = /etc/virtual/whitelist
acl_smtp_rcpt = acl_check_rcpt
trusted_users = mailnull:root:webmail:www
exim_user = mailnull
exim_group = mail
never_users =
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 5s
ignore_bounce_errors_after = 0s
timeout_frozen_after = 0s
auto_thaw = 6h
return_path_remove
untrusted_set_sender = *
helo_allow_chars = _
daemon_smtp_ports = 25 : 109 : 587
bounce_message_file = /usr/local/etc/exim/bounce_message_file
warn_message_file = /usr/local/etc/exim/warn_message_file
return_size_limit = 10000
bounce_return_message = false
delay_warning = 72h
smtp_accept_max = 100
smtp_accept_max_per_host = 10
smtp_return_error_details = yes
log_selector = +incoming_interface +deliver_time +delivery_size +received_sender \
+received_recipients +sender_on_delivery +subject +address_rewrite +all_parents

# log_selector = +all
#
# My Attempt at greylisting
#

hide mysql_servers = localhost/exim_db/exim/password:

GREYLIST_TEST = SELECT IF(NOW() > block_expires, 2, 1) \
FROM exim_greylist \
WHERE relay_ip = '${quote_mysql:$sender_host_address}' \
AND from_domain = '${quote_mysql:$sender_address_domain}' \
AND record_expires > NOW()

GREYLIST_ADD = INSERT INTO exim_greylist \
SET relay_ip = '${quote_mysql:$sender_host_address}', \
from_domain = '${quote_mysql:$sender_address_domain}', \
block_expires = DATE_ADD(NOW(), INTERVAL 1 MINUTE), \
record_expires = DATE_ADD(NOW(), INTERVAL 14 DAY), \
origin_type = 'AUTO', \
create_time = NOW()

GREYLIST_UPDATE = UPDATE exim_greylist \
SET record_expires = DATE_ADD(now(), INTERVAL 14 DAY) \
WHERE relay_ip = '${quote_mysql:$sender_host_address}' \
AND from_domain = '${quote_mysql:$sender_address_domain}' \
AND record_expires > NOW()

######################################################################
# ACL CONFIGURATION #
# Specifies access control lists for incoming SMTP mail #
######################################################################

begin acl

acl_check_rcpt:
accept hosts = :
deny local_parts = ^.*[@%!/|] : ^\\.
accept authenticated = *
endpass
accept hosts = +relay_from_hosts
endpass

############################################################################################
# Mail is being rejected on some hosts because the mail MX is only set to a mail filtering system
# and our server is rejecting it because some mail servers see the lesser priorty
# MX and try to oour server directly instead of going though the mail filtering system.
# UPDATE: All secondary MXs removed from DNS zones. Reenabled monday Oct 5 2009.
accept domains = +filtered_domains
hosts = +filtering_hosts
verify = recipient
deny message = Please use the public MX server for the domain $domain
domains = +filtered_domains
hosts = !+filtering_hosts
###########################################################################################

deny senders = :
condition = ${if > {$recipients_count}{2}{1}}
message = Bounces must have only a single recipient
log_message = BACKSCATTER - RECIPIENTS $recipients_count
deny message = rejected because $sender_host_address was \
found in our blacklist
hosts = +blacklisted_domains
log_message = BLACKLISTED DOMAIN FOUND IN $blacklisted_domains
deny
! condition = ${lookup dnsdb{defer_never,ptr=$sender_host_address}{yes}}
log_message = NO PTR [rDNS] FOUND FOR $sender_host_address
message = We do not accept mail from hosts with missing \
or incorrect rDNS.
deny senders = :
! hosts = +whitelist
dnslists = ips.backscatterer.org
message = This message looks like a bounce, and your server is listed at \
ips.backscatterer.org, so I assume that this is "backscatter". \
Please configure your mail server to not send "backscatter spam". \
For advice, try http://www.dontbouncespam.org/
log_message = BACKSCATTER - INCOMING
warn set acl_m2 = ${lookup mysql{GREYLIST_TEST}{$value}{0}}
defer ! hosts = +whitelist
! hosts = +relay_from_hosts
! authenticated = *
condition = ${if eq{$acl_m2}{0}{yes}}
condition = ${lookup mysql{GREYLIST_ADD}{yes}{no}}
message = Now greylisted - please try again in 1 minute.
log_message = ADDING TO GREYLIST
defer ! hosts = +whitelist
! hosts = +relay_from_hosts
! authenticated = *
condition = ${if eq{$acl_m2}{1}{yes}}
message = Still greylisted - please try again in 1 minute.
log_message = STILL GREYLISTED
defer
! hosts = +whitelist
! hosts = +relay_from_hosts
! authenticated = *
condition = ${lookup mysql{GREYLIST_UPDATE}{no}{no}}
message = Greylist update failed
log_message = GREYLIST UPDATE FAILED
require verify = sender
accept hosts = +spf_bypass
spf = fail
logwrite = SPF - REFLEXION $sender_host_address is OK for \
$sender_address_domain
deny message = SPF - INCOMING $sender_host_address \
is not allowed to send mail from $sender_address_domain
spf = fail
accept domains = +local_domains
endpass
message = unknown user
verify = recipient
accept domains = +relay_to_domains
endpass
message = unrouteable address
verify = recipient

######################################################################
# ROUTERS CONFIGURATION #
# Specifies how addresses are handled #
######################################################################
# THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT! #
# An address is passed to each router in turn until it is accepted. #
######################################################################

begin routers

dnslookup_ccio:
driver = dnslookup
domains = ! +local_domains
condition = ${if eq {$sender_address_domain}{ccio.on.ca}{Yes}{No}}
transport = remote_smtp_ccio
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

dnslookup_owm:
driver = dnslookup
domains = ! +local_domains
condition = ${if eq {$sender_host_address}{127.0.0.1} {yes}{no}}
transport = remote_smtp_owm
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

dnslookup_local:
driver = dnslookup
domains = ! +local_domains
condition = ${lookup {$sender_address_domain} lsearch {/etc/virtual/domains} {yes}{no}}
transport = remote_smtp_local
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

dnslookup_bounce:
driver = dnslookup
domains = ! +local_domains
condition = ${if eq {$sender_address_local_part}{} {yes}{no}}
transport = remote_smtp_bounce
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

dnslookup_alias:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp_alias
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

spamcheck_router:
driver = accept
no_verify
condition = "${if and { {!def:h_X-Spam-Flag:} {!eq {$received_protocol}\
{spam-scanned}}} {1}{0}}"
transport = spamcheck

virtual_alias:
driver = redirect
allow_defer
allow_fail
data = ${lookup {$local_part} lsearch {/home/$domain/mail/aliases}}
domains = /etc/virtual/domains
require_files = /home/$domain/mail/aliases
condition = ${lookup {$local_part} lsearch {/home/$domain/mail/aliases} {yes}{no}}
qualify_preserve_domain
retry_use_local_part
check_ancestor
one_time
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply

autoreply_router:
driver = accept
require_files = /home/$domain/mail/auto-replies/$local_part
transport = autoreply_transport
no_verify
unseen

virtual_localuser:
driver = accept
require_files = /etc/virtual/$domain/passwd
domains = /etc/virtual/domains
condition = ${lookup {$local_part} lsearch {/etc/virtual/$domain/passwd}{$value}}
transport = virtual_localdelivery

virtual_catchall:
driver = redirect
allow_defer
allow_fail
data = ${lookup {catchall} lsearch {/home/$domain/mail/aliases}}
domains = /etc/virtual/domains
require_files = /home/$domain/mail/aliases
condition = ${lookup {catchall}lsearch{/home/$domain/mail/aliases} {yes}{no}}
qualify_preserve_domain
retry_use_local_part
check_ancestor
one_time
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply

localuser:
driver = accept
check_local_user
condition = ${lookup {$sender_helo_name} lsearch {/etc/virtual/domains}{YES}{NO}}
transport = local_delivery

######################################################################
# TRANSPORTS CONFIGURATION #
######################################################################
# ORDER DOES NOT MATTER #
# Only one appropriate transport is called for each delivery. #
######################################################################
begin transports

remote_smtp_ccio:
driver = smtp
return_path_add = true
interface = 207.112.4.160
helo_data = webmail.ccio.on.ca

remote_smtp_owm:
driver = smtp
helo_data = $sender_address_domain
# interface = ${lookup dnsdb{a=${lookup dnsdb{mxh=$sender_address_domain}}}}
return_path_add = true

remote_smtp_local:
driver = smtp
# interface = ${lookup dnsdb{a=${lookup dnsdb{mxh=$sender_address_domain}}}}
helo_data = $sender_address_domain
return_path_add = true

remote_smtp_alias:
driver = smtp
helo_data = $parent_domain
# interface = ${lookup dnsdb{a=${lookup dnsdb{mxh=$parent_domain}}}}
return_path_add = true

remote_smtp_bounce:
driver = smtp
helo_data = ${lookup dnsdb{defer_never,ptr=$interface_address}{$value}{$primary_hostname}}
# interface = $interface_address
return_path_add = true

autoreply_transport:
driver = pipe
command = /usr/local/bin/autoreply.pl /home/$domain/mail/auto-replies/$local_part

spamcheck:
driver = pipe
command = /usr/local/sbin/exim -oMr spam-scanned -bS
use_bsmtp = true
transport_filter = /usr/local/bin/spamc -u ${lookup{$domain}lsearch{/etc/virtual/domains_users}}
home_directory = "/tmp"
current_directory = "/tmp"
# must use a privileged user to set $received_protocol on the way back in!
user = mailnull
group = mailnull
log_output = true
return_fail_output = false
return_path_add
message_prefix =
message_suffix =

virtual_localdelivery:
driver = appendfile
create_directory = true
directory_mode = 700
file = /var/spool/virtual/${domain}/${local_part}
headers_remove = "Bcc"
return_path_add
user = ${lookup{$domain}lsearch{/etc/virtual/domains_users}}
group = mail
mode = 660

local_delivery:
driver = appendfile
file = /$home/mail/$local_part
delivery_date_add
envelope_to_add
return_path_add
user = mailnull
group = mail
mode = 0660

address_pipe:
driver = pipe
return_output
user = me

address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add

address_reply:
driver = autoreply

######################################################################
# RETRY CONFIGURATION #
######################################################################

begin retry

# Domain Error Retries
# ------ ----- -------
* quota_7d
* quota F,72h,1h;
* * F,30m,1m; F,90m,5m; F,22h,30m; F,144h,60m

######################################################################
# REWRITE CONFIGURATION #
######################################################################

# There are no rewriting specifications in this default configuration file.

begin rewrite

######################################################################
# AUTHENTICATION CONFIGURATION #
######################################################################

# There are no authenticator specifications in this default configuration file.

begin authenticators

# For Netscape/Mozilla
plain:
driver = plaintext
public_name = PLAIN
server_condition = "${if and{ {!eq{$2}{}}{!eq{$3}{}} \
{crypteq {$3} {${lookup {${local_part:$2}} lsearch \
{/etc/virtual/${domain:$2}/passwd}\
{$value} {*:*}}}} } {1}{0}}"
server_set_id = $2

# For Outlook/Outlook Express
login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = "${if and{ {!eq{$1}{}}{!eq{$2}{}} \
{crypteq {$2} {${lookup {${local_part:$1}} lsearch \
{/etc/virtual/${domain:$1}/passwd}\
{$value} {*:*}}}} } {1}{0}}"
server_set_id = $1

# End of Exim configuration file
--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

david at ols

Oct 29, 2009, 2:18 AM

Post #2 of 6 (250 views)
Permalink

Re: Backscatter & Sender callouts. [In reply to]

Hi

i would not mind about being listed at ips.backscatterer.org,
in fact we use this list as a list of real mail servers to
avoid doing things like greylisting, etc ... on that hosts

> Hi all,
>
> I am having a problem with a server getting listed on ips.backscatterer.org.
>
> I have been researchng and reviewing the config shown below, but am not 'getting it'.
>
> I want to allow bounces to local addresses only.
>
> Also, I am not so sure I understand the verify / callback process vrs. the config below.
>
> If anyone cares to review it and comment, I would be greatful.
>
> -Grant
>
> ######################################################################
> # MAIN CONFIGURATION SETTINGS #
> ######################################################################
> primary_hostname = thishost.mydomain.com
> domainlist local_domains = /etc/virtual/domains
> domainlist filtered_domains = /etc/virtual/filtered_domains
> hostlist filtering_hosts = /etc/virtual/filtering_hosts
> domainlist relay_to_domains =
> hostlist relay_from_hosts = /etc/virtual/domains
> hostlist blacklisted_domains = /etc/virtual/blacklist
> hostlist spf_bypass = /etc/virtual/spf_bypass
> hostlist whitelist = /etc/virtual/whitelist
> acl_smtp_rcpt = acl_check_rcpt
> trusted_users = mailnull:root:webmail:www
> exim_user = mailnull
> exim_group = mail
> never_users =
> host_lookup = *
> rfc1413_hosts = *
> rfc1413_query_timeout = 5s
> ignore_bounce_errors_after = 0s
> timeout_frozen_after = 0s
> auto_thaw = 6h
> return_path_remove
> untrusted_set_sender = *
> helo_allow_chars = _
> daemon_smtp_ports = 25 : 109 : 587
> bounce_message_file = /usr/local/etc/exim/bounce_message_file
> warn_message_file = /usr/local/etc/exim/warn_message_file
> return_size_limit = 10000
> bounce_return_message = false
> delay_warning = 72h
> smtp_accept_max = 100
> smtp_accept_max_per_host = 10
> smtp_return_error_details = yes
> log_selector = +incoming_interface +deliver_time +delivery_size +received_sender \
> +received_recipients +sender_on_delivery +subject +address_rewrite +all_parents
>
> # log_selector = +all
> #
> # My Attempt at greylisting
> #
>
> hide mysql_servers = localhost/exim_db/exim/password:
>
> GREYLIST_TEST = SELECT IF(NOW() > block_expires, 2, 1) \
> FROM exim_greylist \
> WHERE relay_ip = '${quote_mysql:$sender_host_address}' \
> AND from_domain = '${quote_mysql:$sender_address_domain}' \
> AND record_expires > NOW()
>
> GREYLIST_ADD = INSERT INTO exim_greylist \
> SET relay_ip = '${quote_mysql:$sender_host_address}', \
> from_domain = '${quote_mysql:$sender_address_domain}', \
> block_expires = DATE_ADD(NOW(), INTERVAL 1 MINUTE), \
> record_expires = DATE_ADD(NOW(), INTERVAL 14 DAY), \
> origin_type = 'AUTO', \
> create_time = NOW()
>
> GREYLIST_UPDATE = UPDATE exim_greylist \
> SET record_expires = DATE_ADD(now(), INTERVAL 14 DAY) \
> WHERE relay_ip = '${quote_mysql:$sender_host_address}' \
> AND from_domain = '${quote_mysql:$sender_address_domain}' \
> AND record_expires > NOW()
>
> ######################################################################
> # ACL CONFIGURATION #
> # Specifies access control lists for incoming SMTP mail #
> ######################################################################
>
> begin acl
>
> acl_check_rcpt:
> accept hosts = :
> deny local_parts = ^.*[@%!/|] : ^\\.
> accept authenticated = *
> endpass
> accept hosts = +relay_from_hosts
> endpass
>
> ############################################################################################
> # Mail is being rejected on some hosts because the mail MX is only set to a mail filtering system
> # and our server is rejecting it because some mail servers see the lesser priorty
> # MX and try to oour server directly instead of going though the mail filtering system.
> # UPDATE: All secondary MXs removed from DNS zones. Reenabled monday Oct 5 2009.
> accept domains = +filtered_domains
> hosts = +filtering_hosts
> verify = recipient
> deny message = Please use the public MX server for the domain $domain
> domains = +filtered_domains
> hosts = !+filtering_hosts
> ###########################################################################################
>
> deny senders = :
> condition = ${if > {$recipients_count}{2}{1}}
> message = Bounces must have only a single recipient
> log_message = BACKSCATTER - RECIPIENTS $recipients_count
> deny message = rejected because $sender_host_address was \
> found in our blacklist
> hosts = +blacklisted_domains
> log_message = BLACKLISTED DOMAIN FOUND IN $blacklisted_domains
> deny
> ! condition = ${lookup dnsdb{defer_never,ptr=$sender_host_address}{yes}}
> log_message = NO PTR [rDNS] FOUND FOR $sender_host_address
> message = We do not accept mail from hosts with missing \
> or incorrect rDNS.
> deny senders = :
> ! hosts = +whitelist
> dnslists = ips.backscatterer.org
> message = This message looks like a bounce, and your server is listed at \
> ips.backscatterer.org, so I assume that this is "backscatter". \
> Please configure your mail server to not send "backscatter spam". \
> For advice, try http://www.dontbouncespam.org/
> log_message = BACKSCATTER - INCOMING
> warn set acl_m2 = ${lookup mysql{GREYLIST_TEST}{$value}{0}}
> defer ! hosts = +whitelist
> ! hosts = +relay_from_hosts
> ! authenticated = *
> condition = ${if eq{$acl_m2}{0}{yes}}
> condition = ${lookup mysql{GREYLIST_ADD}{yes}{no}}
> message = Now greylisted - please try again in 1 minute.
> log_message = ADDING TO GREYLIST
> defer ! hosts = +whitelist
> ! hosts = +relay_from_hosts
> ! authenticated = *
> condition = ${if eq{$acl_m2}{1}{yes}}
> message = Still greylisted - please try again in 1 minute.
> log_message = STILL GREYLISTED
> defer
> ! hosts = +whitelist
> ! hosts = +relay_from_hosts
> ! authenticated = *
> condition = ${lookup mysql{GREYLIST_UPDATE}{no}{no}}
> message = Greylist update failed
> log_message = GREYLIST UPDATE FAILED
> require verify = sender
> accept hosts = +spf_bypass
> spf = fail
> logwrite = SPF - REFLEXION $sender_host_address is OK for \
> $sender_address_domain
> deny message = SPF - INCOMING $sender_host_address \
> is not allowed to send mail from $sender_address_domain
> spf = fail
> accept domains = +local_domains
> endpass
> message = unknown user
> verify = recipient
> accept domains = +relay_to_domains
> endpass
> message = unrouteable address
> verify = recipient
>
> ######################################################################
> # ROUTERS CONFIGURATION #
> # Specifies how addresses are handled #
> ######################################################################
> # THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT! #
> # An address is passed to each router in turn until it is accepted. #
> ######################################################################
>
> begin routers
>
> dnslookup_ccio:
> driver = dnslookup
> domains = ! +local_domains
> condition = ${if eq {$sender_address_domain}{ccio.on.ca}{Yes}{No}}
> transport = remote_smtp_ccio
> ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
> no_more
>
> dnslookup_owm:
> driver = dnslookup
> domains = ! +local_domains
> condition = ${if eq {$sender_host_address}{127.0.0.1} {yes}{no}}
> transport = remote_smtp_owm
> ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
> no_more
>
> dnslookup_local:
> driver = dnslookup
> domains = ! +local_domains
> condition = ${lookup {$sender_address_domain} lsearch {/etc/virtual/domains} {yes}{no}}
> transport = remote_smtp_local
> ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
> no_more
>
> dnslookup_bounce:
> driver = dnslookup
> domains = ! +local_domains
> condition = ${if eq {$sender_address_local_part}{} {yes}{no}}
> transport = remote_smtp_bounce
> ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
> no_more
>
> dnslookup_alias:
> driver = dnslookup
> domains = ! +local_domains
> transport = remote_smtp_alias
> ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
> no_more
>
> spamcheck_router:
> driver = accept
> no_verify
> condition = "${if and { {!def:h_X-Spam-Flag:} {!eq {$received_protocol}\
> {spam-scanned}}} {1}{0}}"
> transport = spamcheck
>
> virtual_alias:
> driver = redirect
> allow_defer
> allow_fail
> data = ${lookup {$local_part} lsearch {/home/$domain/mail/aliases}}
> domains = /etc/virtual/domains
> require_files = /home/$domain/mail/aliases
> condition = ${lookup {$local_part} lsearch {/home/$domain/mail/aliases} {yes}{no}}
> qualify_preserve_domain
> retry_use_local_part
> check_ancestor
> one_time
> file_transport = address_file
> pipe_transport = address_pipe
> reply_transport = address_reply
>
> autoreply_router:
> driver = accept
> require_files = /home/$domain/mail/auto-replies/$local_part
> transport = autoreply_transport
> no_verify
> unseen
>
> virtual_localuser:
> driver = accept
> require_files = /etc/virtual/$domain/passwd
> domains = /etc/virtual/domains
> condition = ${lookup {$local_part} lsearch {/etc/virtual/$domain/passwd}{$value}}
> transport = virtual_localdelivery
>
> virtual_catchall:
> driver = redirect
> allow_defer
> allow_fail
> data = ${lookup {catchall} lsearch {/home/$domain/mail/aliases}}
> domains = /etc/virtual/domains
> require_files = /home/$domain/mail/aliases
> condition = ${lookup {catchall}lsearch{/home/$domain/mail/aliases} {yes}{no}}
> qualify_preserve_domain
> retry_use_local_part
> check_ancestor
> one_time
> file_transport = address_file
> pipe_transport = address_pipe
> reply_transport = address_reply
>
> localuser:
> driver = accept
> check_local_user
> condition = ${lookup {$sender_helo_name} lsearch {/etc/virtual/domains}{YES}{NO}}
> transport = local_delivery
>
> ######################################################################
> # TRANSPORTS CONFIGURATION #
> ######################################################################
> # ORDER DOES NOT MATTER #
> # Only one appropriate transport is called for each delivery. #
> ######################################################################
> begin transports
>
> remote_smtp_ccio:
> driver = smtp
> return_path_add = true
> interface = 207.112.4.160
> helo_data = webmail.ccio.on.ca
>
> remote_smtp_owm:
> driver = smtp
> helo_data = $sender_address_domain
> # interface = ${lookup dnsdb{a=${lookup dnsdb{mxh=$sender_address_domain}}}}
> return_path_add = true
>
> remote_smtp_local:
> driver = smtp
> # interface = ${lookup dnsdb{a=${lookup dnsdb{mxh=$sender_address_domain}}}}
> helo_data = $sender_address_domain
> return_path_add = true
>
> remote_smtp_alias:
> driver = smtp
> helo_data = $parent_domain
> # interface = ${lookup dnsdb{a=${lookup dnsdb{mxh=$parent_domain}}}}
> return_path_add = true
>
> remote_smtp_bounce:
> driver = smtp
> helo_data = ${lookup dnsdb{defer_never,ptr=$interface_address}{$value}{$primary_hostname}}
> # interface = $interface_address
> return_path_add = true
>
> autoreply_transport:
> driver = pipe
> command = /usr/local/bin/autoreply.pl /home/$domain/mail/auto-replies/$local_part
>
> spamcheck:
> driver = pipe
> command = /usr/local/sbin/exim -oMr spam-scanned -bS
> use_bsmtp = true
> transport_filter = /usr/local/bin/spamc -u ${lookup{$domain}lsearch{/etc/virtual/domains_users}}
> home_directory = "/tmp"
> current_directory = "/tmp"
> # must use a privileged user to set $received_protocol on the way back in!
> user = mailnull
> group = mailnull
> log_output = true
> return_fail_output = false
> return_path_add
> message_prefix =
> message_suffix =
>
> virtual_localdelivery:
> driver = appendfile
> create_directory = true
> directory_mode = 700
> file = /var/spool/virtual/${domain}/${local_part}
> headers_remove = "Bcc"
> return_path_add
> user = ${lookup{$domain}lsearch{/etc/virtual/domains_users}}
> group = mail
> mode = 660
>
> local_delivery:
> driver = appendfile
> file = /$home/mail/$local_part
> delivery_date_add
> envelope_to_add
> return_path_add
> user = mailnull
> group = mail
> mode = 0660
>
> address_pipe:
> driver = pipe
> return_output
> user = me
>
> address_file:
> driver = appendfile
> delivery_date_add
> envelope_to_add
> return_path_add
>
> address_reply:
> driver = autoreply
>
> ######################################################################
> # RETRY CONFIGURATION #
> ######################################################################
>
> begin retry
>
> # Domain Error Retries
> # ------ ----- -------
> * quota_7d
> * quota F,72h,1h;
> * * F,30m,1m; F,90m,5m; F,22h,30m; F,144h,60m
>
> ######################################################################
> # REWRITE CONFIGURATION #
> ######################################################################
>
> # There are no rewriting specifications in this default configuration file.
>
> begin rewrite
>
> ######################################################################
> # AUTHENTICATION CONFIGURATION #
> ######################################################################
>
> # There are no authenticator specifications in this default configuration file.
>
> begin authenticators
>
> # For Netscape/Mozilla
> plain:
> driver = plaintext
> public_name = PLAIN
> server_condition = "${if and{ {!eq{$2}{}}{!eq{$3}{}} \
> {crypteq {$3} {${lookup {${local_part:$2}} lsearch \
> {/etc/virtual/${domain:$2}/passwd}\
> {$value} {*:*}}}} } {1}{0}}"
> server_set_id = $2
>
> # For Outlook/Outlook Express
> login:
> driver = plaintext
> public_name = LOGIN
> server_prompts = "Username:: : Password::"
> server_condition = "${if and{ {!eq{$1}{}}{!eq{$2}{}} \
> {crypteq {$2} {${lookup {${local_part:$1}} lsearch \
> {/etc/virtual/${domain:$1}/passwd}\
> {$value} {*:*}}}} } {1}{0}}"
> server_set_id = $1
>
> # End of Exim configuration file

--
Salu-2 y hasta pronto ...

----------------------------------------------------------------
David Saez Padros http://www.ols.es
On-Line Services 2000 S.L. telf +34 902 50 29 75
----------------------------------------------------------------

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

chris at qwirx

Oct 29, 2009, 3:54 AM

Post #3 of 6 (238 views)
Permalink

Re: Backscatter & Sender callouts. [In reply to]

Hi Grant,

On Wed, 28 Oct 2009, Grant Peel wrote:

> I am having a problem with a server getting listed on
> ips.backscatterer.org.

I'm not 100% sure that I understand the problem. Is it your server that's
getting listed on IBO or someone else's that you want to receive mail
from? And how does this relate to the next question:

> I have been researchng and reviewing the config shown below, but am not
> 'getting it'.
>
> I want to allow bounces to local addresses only.

This condition doesn't do that:

deny senders = :
! hosts = +whitelist
dnslists = ips.backscatterer.org
message = This message looks like a bounce, and
your
server is listed at \

Probably you want to add:

! domains = +local_domains

> Also, I am not so sure I understand the verify / callback process vrs.
> the config below.

I don't see any callouts (verify = sender/callout or verify =
recipient/callout) in the config, so I'm guessing your Exim is doing the
default verification: validating local users, and validation remote
domains (but not users at those domains).

If you separated the verbs in your ACL it would be a little easier to
read.

Cheers, Chris.
--
_ ___ __ _
/ __/ / ,__(_)_ | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

gpeel at thenetnow

Oct 29, 2009, 7:03 AM

Post #4 of 6 (245 views)
Permalink

Re: Backscatter & Sender callouts. [In reply to]

CHris,

Fair enough question...

We noticed that there are a few outside receiving servers that are rejecting
email because our server is listed on backscatter dor org. As you can see
from the config below, we also check this list.

How it relates is: I want the config to send bounces to our (local) users
only, if one is necessary. If I understand that backscatter thing correctly,
If we sent to an outside server with a F=<> and there is more than on
recipient, we could keep getting blacklisted to ips.backscatterer.org. So
sending local bounces only should cure that (should it not?).

-Grant

----- Original Message -----
From: "Chris Wilson" <chris[at]qwirx.com>
To: "Grant Peel" <gpeel[at]thenetnow.com>
Cc: <exim-users[at]exim.org>
Sent: Thursday, October 29, 2009 6:54 AM
Subject: Re: [exim] Backscatter & Sender callouts.

> Hi Grant,
>
> On Wed, 28 Oct 2009, Grant Peel wrote:
>
>> I am having a problem with a server getting listed on
>> ips.backscatterer.org.
>
> I'm not 100% sure that I understand the problem. Is it your server that's
> getting listed on IBO or someone else's that you want to receive mail
> from? And how does this relate to the next question:
>
>> I have been researchng and reviewing the config shown below, but am not
>> 'getting it'.
>>
>> I want to allow bounces to local addresses only.
>
> This condition doesn't do that:
>
> deny senders = :
> ! hosts = +whitelist
> dnslists = ips.backscatterer.org
> message = This message looks like a bounce, and
> your
> server is listed at \
>
> Probably you want to add:
>
> ! domains = +local_domains
>
>> Also, I am not so sure I understand the verify / callback process vrs.
>> the config below.
>
> I don't see any callouts (verify = sender/callout or verify =
> recipient/callout) in the config, so I'm guessing your Exim is doing the
> default verification: validating local users, and validation remote
> domains (but not users at those domains).
>
> If you separated the verbs in your ACL it would be a little easier to
> read.
>
> Cheers, Chris.
> --
> _ ___ __ _
> / __/ / ,__(_)_ | Chris Wilson <0000 at qwirx.com> - Cambs UK |
> / (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
> \ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |
>
>

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Lena at lena

Oct 29, 2009, 5:13 PM

Post #5 of 6 (244 views)
Permalink

Re: Backscatter & Sender callouts. [In reply to]

> From: "Grant Peel" <gpeel[at]thenetnow.com>

> I am having a problem with a server getting listed on ips.backscatterer.org.
>
> I have been researchng and reviewing the config shown below, but am not 'getting it'.

At first telnet from a host outside your network to port 25 on that server
and give commands:

EHLO example.com
MAIL FROM:<gpeel[at]thenetnow.com>
RCPT TO:<nonexistinglocalpart[at]example.net>
QUIT

where example.net - a domain in your /etc/virtual/domains without catchall.
If you get 2xx instead of 5xx in reply to the RCPT command then
that's the problem.

Then send a letter from outside to a nonexisting address in a domain
with catchall. If you get a bounce then that's the problem.

> I want to allow bounces to local addresses only.

For that add:

deny authenticated = *
condition = ${if !match_domain{$sender_address_domain}{+local_domains}}
!verify = recipient
deny hosts = +relay_from_hosts
condition = ${if !match_domain{$sender_address_domain}{+local_domains}}
!verify = recipient

before the:

> accept authenticated = *
> accept hosts = +relay_from_hosts

> Also, I am not so sure I understand the verify / callback process vrs. the config below.

You don't do callback, and that's good.

> If anyone cares to review it and comment, I would be greatful.

> accept hosts = +spf_bypass
> spf = fail
> logwrite = SPF - REFLEXION $sender_host_address is OK for \
> $sender_address_domain

Here you lack:

endpass
message = unknown user
verify = recipient

> deny message = SPF - INCOMING $sender_host_address \
> is not allowed to send mail from $sender_address_domain
> spf = fail
> accept domains = +local_domains
> endpass
> message = unknown user
> verify = recipient
> accept domains = +relay_to_domains
> endpass
> message = unrouteable address
> verify = recipient

> autoreply_transport:
> driver = pipe
> command = /usr/local/bin/autoreply.pl /home/$domain/mail/auto-replies/$local_part

If the autoreply.pl script sends letters with empty sender then
that's the problem: backscatterer.org considers autoreply as a bounce.

> spamcheck:
> driver = pipe
> command = /usr/local/sbin/exim -oMr spam-scanned -bS
> use_bsmtp = true
> transport_filter = /usr/local/bin/spamc -u ${lookup{$domain}lsearch{/etc/virtual/domains_users}}

What happens if spamc considers the letter as certainly spam?

> If I understand that backscatter thing correctly,
> If we sent to an outside server with a F=<> and there is more than on
> recipient, we could keep getting blacklisted to ips.backscatterer.org.

No, quantity of recipients doesn't matter. If you send to an outside server
with a F=<> even with one recipient, you'll keep getting blacklisted.
You need to understand why letters to outside with F=<> are generated,
are they bounces or something else (autoreplies?).
A "deny" is not a bounce. Lack of "deny" causes bounces if delivery fails
at transport time.

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

j.knight at kis

Oct 30, 2009, 5:24 AM

Post #6 of 6 (238 views)
Permalink

Re: Backscatter & Sender callouts. [In reply to]

> We noticed that there are a few outside receiving servers that are
> rejecting email because our server is listed on backscatter dor org. As
> you can see from the config below, we also check this list.

backscatterer.org has a poor reputation and there are a number of
articles on the net that take a very dim view of their activities.

The ironic thing is that UCE Protect (who run the backscatterer) state
that the list should ONLY be used to block inbound mail from postmaster
or the error sender <>. It is not intended for a general purpose block.

Some sites try to use it as a general purpose block and that will cause
a lot of problems for them.

You can reduce the amount of backscatter that you generate by ensuring
that you do inbound recipient callout checks at your gateway to ensure
that you generate 5xx messages for unknown users at the gteway and not
on an internal server that requires your gateway to generate the NDR.
However Exim will always hit problems with the autoresponders part of
the exim filter and with over quota mailboxes.

A simple solution is to use multiple IP's for your outbound email. Make
sure that all messages from postmaster or <> are sent through one IP
address and everything else is sent through another. That way
backscatterer.org will only ever list your postmaster/<> server and so
your normal mail will not be affected.

My servers are frequently listed on backscatterer.org because we allow
our users 4 days to get below quota. During that time we generate
"delayed message" warnings back to the sender and if that sender is
forged then we can get caught by a backscatterer trap. I'm reluctant to
change our over quota policy and I think generating a warning to the
sender is only polite so I have to take the hit on getting listed. So
far I've had no complaints from our users about not getting email through.

jon.

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact lists@gossamer-threads.com