Only incoming messages checking by Rbl

[Suzlon]

Hello everyone,
I am using rbl checking on Exim 4 right now but it seems to check incoming and outgoing message which is annoying if you check for dynablocks. Is there a way to restrict the rbl checking only for incoming smtp traffic?

This is what I have right now as part of my ACLs:

require verify = sender

deny message = $sender_host_address is listed \
at $dnslist_domain
dnslists = list.dsbl.org : \
sbl.spamhaus.org : \
bl.spamcop.net : \
relays.ordb.org : \
korea.services.net : \
china.blackholes.us : \
russia.blackholes.us
deny local_parts = ^.*[@%!/|]
message = I've never seen @, %, !, /, or | in an e-mail. Neither should you.

[Techno01]

Assuming you have a domain list of your local domains you can use hosts with a negated local_domains list to accomplish this...

deny message = $sender_host_address is listed at $dnslist_domain
hosts = !+local_domains
dnslists = list.dsbl.org : \
sbl.spamhaus.org : \
bl.spamcop.net : \
relays.ordb.org : \
korea.services.net : \
china.blackholes.us : \
russia.blackholes.us

[Trio]

Firstly, be cautious about your use of terms: "incoming" and "outgoing" don't have the meanings I think you're inferring here: they're all "incoming" as far as Exim is concerned. I know what you mean here, but it can sometimes get confusing! What I think you mean is something "messages that are coming from a host I'm allowing relaying from".

The answer depends on how you are allowing relaying (e.g. based on a set of fixed IPs? Or based on authentication?) but generally speaking the answer is to change your ACL rule about DNSBLs to something like:

deny message = $dnslist_text
hosts = !+relay_from_hosts
!authenticated = *
dnslists = whatever

which means that this rule will be skipped for hosts in the "relay_from_hosts" list and authenticated sessions.

[napoleon]

I've seen someone use the address #!/bin/sh@some.domain before.

Do make sure your authenticators are secure!

[Techguru01]

I've seen someone use the address #!/bin/sh@some.domain before.

Heh. I think I know the guy too...

And as for % / @ etc - has the OP ever got mail from a MHS / UUCP type setup?

[Suzlon]

@ Techno01

I tried your suggestion but it does not work. I wonder if it even could work the way you suggested it because local_domains has domain names in it and the rbl lists do ip address lookups so both are not really compatible. Perhaps the solution is to not run authenticated senders through the rbl lists?

[Suzlon]

When trying out your suggestion I get this error here in the exim mainlog:

2003-12-08 09:34:38 unknown named host list "+local_domains"

But I do have this at the beginning of the exim.conf so I do not see why it would bring this up:

domainlist local_domains = lsearch;/etc/localdomains

domainlist relay_domains = lsearch;/etc/localdomains : \
lsearch;/etc/secondarymx
hostlist relay_hosts = lsearch;/etc/relayhosts : \
localhost
hostlist auth_relay_hosts = *

[Suzlon]

Well,
I tried the recommendations from here and it did not work again. Here is my whole ACL. It seems that now no more rbl checking is done. The reason why I want to turn rbl checking off for authenticated local users is that DSL subscribers in Europe seem to be included in the dnsbl.njabl.org list and that would mean they are prevented from sending out mail even though they have a valid account on the machine. Here is the ACL:

#!!# ACL that is used after the RCPT command
check_recipient:
# Exim 3 had no checking on -bs messages, so for compatibility
# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.
accept hosts = :


# Accept bounces to lists even if callbacks or other checks would fail
warn message = X-WhitelistedRCPT-nohdrfromcallback: Yes
condition = \
${if and {{match{$local_part}{(.*)-bounces\+.*}} \
{exists
{/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}
}} \
{yes}{no}}

accept condition = \
${if and {{match{$local_part}{(.*)-bounces\+.*}} \
{exists
{/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}
}} \
{yes}{no}}

warn message = X-WhitelistedRCPT-nohdrfromcallback: Yes
condition = \
${if and {{match{$local_part}{mailman-bounces\+.*}} \
{exists
{/usr/local/cpanel/3rdparty/mailman/lists/mailman/config.pck}}} \
{yes}{no}}

accept condition = \
${if and {{match{$local_part}{mailman-bounces\+.*}} \
{exists
{/usr/local/cpanel/3rdparty/mailman/lists/mailman/config.pck}}} \
{yes}{no}}


require verify = sender

deny message = $sender_host_address is listed \
at $dnslist_domain
hosts = !+auth_relay_hosts
!authenticated = *
dnslists = list.dsbl.org : \
sbl.spamhaus.org : \
bl.spamcop.net : \
dnsbl.njabl.org : \
relays.ordb.org : \
korea.services.net : \
china.blackholes.us : \
russia.blackholes.us
deny local_parts = ^.*[@%!/|]
message = I've never seen @, %, !, /, or | in an e-mail. Neither should you.

accept domains = +local_domains
endpass
message = unknown user
verify = recipient
accept domains = +relay_domains
accept hosts = +relay_hosts
accept condition = ${perl{checkrelayhost}{$sender_host_address}}

accept hosts = +auth_relay_hosts
endpass
message = $sender_fullhost is currently not permitted to \
relay through this server. Perhaps you \
have not logged into the pop/imap server in the \
last 30 minutes or do not have SMTP Authentication
turned on in your email client.
authenticated = *

deny message = $sender_fullhost is currently not permitted to \
relay through this server. Perhaps you \
have not logged into the pop/imap server in the \
last 30 minutes or do not have SMTP Authentication
turned on in your email client.

#!!# ACL that is used after the DATA command
check_message:
require verify = header_sender
accept

[deveritt]

Here is my config section that is working for me This will avoid running these two checks, I do not have anything here about authentication but your !authenticated = * should do the trick.

Code:

  deny    message         = rejected because we do not want mail from $sender_host_address
          sender_domains  = !+local_domains
          senders         = @@lsearch;/etc/exim/reject-by-domain

  deny    message         = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
          sender_domains  = !+local_domains
          dnslists        = relays.ordb.org : \
                                relays.orirusoft.com : \
                                inputs.relays.orirusoft.com : \
                                sbl.spamhaus.org