(yeah, it's top-posted) How do you propose to look at the body, in the connect ACL?
On Tue, 4 Dec 2007, W B Hacker wrote:

> Date: Tue, 04 Dec 2007 18:53:42 +0000
> From: W B Hacker <[EMAIL PROTECTED]>
> To: exim users <[email protected]>
> Subject: Re: [exim] exim_surbl
>
> John Schmerold wrote:
> > I've been running exim_surbl (from
> > http://www.teuton.org/~ejm/exim_surbl ) for approximately 12 hours.
> > Memory utilization is way down, message delivery time is way up, life
> > seems good.
> >
> > So far it works really well, point of this message is 1) to let
> > everyone know about this and 2) find out if there are issues that I
> > should be aware of relative to use of this tool. Installation was
> > simple, I did the following:
> > cd /usr/src ; wget
> > http://www.teuton.org/~ejm/exim_surbl/exim_surbl-2.0.tar.gz
> > tar zxf exim_surbl-2.0.tar.gz
> > cp -p exim_surbl-2.0/exim_surbl.pl /etc/exim
> > cp -p exim_surbl-2.0/surbl_whitelist.txt /etc/exim
> > cp -p exim_surbl-2.0/ccTLD.txt /etc/exim
> >
> > Then edited /etc/exim/exim_surbl.pl to reflect the fact that our exim
> > configuration files are in /etc/exim
> >
> > Then put the following in exim.conf main section:
> > perl_startup = do '/etc/exim/exim_surbl.pl'
> >
> > Then put the following in exim.conf acl_smtp_mime section:
> >   deny condition = ${if <{$message_size}{100000}{yes}{no}}
> >        set acl_m0 = ${perl{surblspamcheck}}
> >        condition = ${if eq{$acl_m0}{false}{no}{yes}}
> >        message = $acl_m0
> >
> > Finally put the following in acl_smtp_data section and restarted exim:
> >   deny condition = ${if <{$message_size}{100000}{yes}{no}}
> >        condition = ${if eq{$acl_m0}{}{yes}{no}}
> >        set acl_m1 = ${perl{surblspamcheck}}
> >        condition = ${if eq{$acl_m1}{false}{no}{yes}}
> >        message = $acl_m1
> >
> > Within seconds - every second actually, tail -f /var/log/exim/main.log
> > happily reported:
> > 2007-12-04 11:40:45 1IzblE-000860-Q9
> > H=host158-101-dynamic.27-79-r.retail.telecomitalia.it [79.27.101.158]
> > F=<[EMAIL PROTECTED]> rejected during MIME
> > ACL checks: Blacklisted URL in message. (oran____.com) in [jp] [ob]
> > [ws] [sc]. See http://www.surbl.org/lists.html.
> >
> > John
> >
>
> Why wait until acl_smtp_data and invoke a perl script to do what Exim can do
> with much less workload in the acl_smtp_connect phase?
>
> # CONNECT_7: Check Local NAME Blacklist for host_name. IF bad THEN deny
> #
>   deny
>     message     = \n Sender $sender_host_name blacklisted for abuse
>     log_message = C7 $sender_host_name Locally blacklisted.
>     condition   = ${lookup{$sender_host_name}wildlsearch{/var/mail/REGEXP-block}{yes}{no}}
>
> (beware MUA wrap - the condition is on one line)
>
> /var/mail/REGEXP-block includes, among several hundred chronic-offenders who
> are zombot-friendly:
>
> *retail.telecomitalia.it
>
> Result:
>
> 2007-12-04 18:21:56 H=host105-160-dynamic.22-79-r.retail.telecomitalia.it
> [79.22.160.105]:4678 I=[203.194.153.81]:25 temporarily rejected connection in
> "connect" ACL: C7 host105-160-dynamic.22-79-r.retail.telecomitalia.it Locally
> blacklisted.
>
> Should that fall-through, C8 will catch it:
>
> # CONNECT_8: Check Dynamic/Portable Remote Blacklist. IF RBL hit THEN deny
> #
>   deny
>     message     = \n $sender_host_address improper use of dynamic IP for mail server
>     dnslists    = dul.dnsbl.sorbs.net
>     log_message = C8 $sender_host_address blacklisted in $dnslist_domain
>
> An SQL call (redacted) accumulates stats on those that repeatedly hit from
> dynamic IP, and is used for periodic updating of the local blacklist file.
> This reduces off-box callouts to sorbs.
>
> In production for quite a while now....
>
> HTH,
>
> Bill Hacker
>

--
--------------------------------------------------------
Dave Lugo   [EMAIL PROTECTED]    LC Unit #260   TINLC
Have you hugged your firewall today?   No spam, thanks.
--------------------------------------------------------
Are you the police?  . . . .  No ma'am, we're sysadmins.
--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
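
The quoted message says repeat hits from dynamic IPs are tallied (the SQL is redacted) and fed back into the local `wildlsearch` blacklist file. The following is an added example, not code from the thread or from Exim, of that feedback step in Python. Assumptions: the log lines are constructed after the reject line shown above, and the function names, the "drop leading labels containing digits" heuristic and the thresholds are hypothetical choices.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the reject line quoted in the thread;
# the "C8 ..." text follows the log_message of the CONNECT_8 ACL.
SAMPLE_LOG = """\
2007-12-04 18:21:56 H=host105-160-dynamic.22-79-r.retail.telecomitalia.it [79.22.160.105]:4678 I=[203.194.153.81]:25 temporarily rejected connection in "connect" ACL: C8 79.22.160.105 blacklisted in dul.dnsbl.sorbs.net
2007-12-04 18:22:10 H=host105-160-dynamic.22-79-r.retail.telecomitalia.it [79.22.160.105]:4702 I=[203.194.153.81]:25 temporarily rejected connection in "connect" ACL: C8 79.22.160.105 blacklisted in dul.dnsbl.sorbs.net
2007-12-04 18:25:31 H=host158-101-dynamic.27-79-r.retail.telecomitalia.it [79.27.101.158]:3311 I=[203.194.153.81]:25 temporarily rejected connection in "connect" ACL: C8 79.27.101.158 blacklisted in dul.dnsbl.sorbs.net
2007-12-04 18:31:02 H=host7-12-dynamic.30-79-r.retail.telecomitalia.it [79.30.12.7]:2290 I=[203.194.153.81]:25 temporarily rejected connection in "connect" ACL: C8 79.30.12.7 blacklisted in dul.dnsbl.sorbs.net
2007-12-04 18:40:00 H=dyn-12-34.pool.example.net [192.0.2.7]:5120 I=[203.194.153.81]:25 temporarily rejected connection in "connect" ACL: C8 192.0.2.7 blacklisted in dul.dnsbl.sorbs.net
2007-12-04 18:41:17 H=[198.51.100.9]:1234 I=[203.194.153.81]:25 temporarily rejected connection in "connect" ACL: C8 198.51.100.9 blacklisted in dul.dnsbl.sorbs.net
2007-12-04 18:45:09 H=host9-1-dynamic.22-79-r.retail.telecomitalia.it [79.22.1.9]:4000 I=[203.194.153.81]:25 temporarily rejected connection in "connect" ACL: C7 host9-1-dynamic.22-79-r.retail.telecomitalia.it Locally blacklisted.
"""

# Only C8 (DNSBL) rejects with a resolved host name are counted; C7 hits are
# already covered by the local file, and H=[ip] lines have no name to match.
LINE = re.compile(r'H=(?P<host>[A-Za-z0-9.-]+) \[(?P<ip>[0-9A-Fa-f.:]+)\]\S* .*ACL: C8 ')

def name_suffix(host, min_labels=3):
    """Strip leading per-host labels (those containing digits) from an rDNS name.

    Returns None when fewer than min_labels remain, so a pattern can never
    widen to something like *example.com or *co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    while labels and any(ch.isdigit() for ch in labels[0]):
        labels.pop(0)
    return ".".join(labels) if len(labels) >= min_labels else None

def candidates(log_text, min_ips=3):
    """Return wildlsearch patterns for suffixes seen from >= min_ips distinct IPs."""
    ips_by_suffix = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        suffix = name_suffix(m["host"])
        if suffix:
            ips_by_suffix[suffix].add(m["ip"])  # distinct IPs, not raw retries
    return sorted("*" + s for s, ips in ips_by_suffix.items() if len(ips) >= min_ips)

if __name__ == "__main__":
    print("\n".join(candidates(SAMPLE_LOG)))
```

The output is a list of candidates to review before they go into `/var/mail/REGEXP-block`, since a suffix pattern rejects every host under that name at connect time.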
