Can RBL ignore authenticate users?

tmallardi

Well-Known Member
Jan 18, 2005
69
0
156
El Paso, TX
I have a number of customers who travel with their notebook computers. Obviously it's a hassle for them to reconfigure SMTP servers every time they check into a new hotel. Occasionaly they get blocked when sending email.

Is it possible to configure Exim such that RBL lookups do not occur when authenticated users attempt to relay?
 

tmallardi

Well-Known Member
Jan 18, 2005
69
0
156
El Paso, TX
webignition said:
Certainly would be. Why would they have to do that?
Many people are advised to configure their mail client to use the SMTP server of the ISP they are connected to. In the case of traveling computers, it would be a hassle to change your SMTP settings every place you go, right?

So, I'd like to configure Exim on the server side to not do a RBL lookup on authenticated users trying to relay. Therefore, they can keep their smtp settings the same, and avoid possibly being rejected when attempting to relay from a dynamic ISP connection.
 

danimal

Well-Known Member
Jul 14, 2003
79
0
156
me too!

I am also very interested in doing this.

I have a client whose verizon dsl assigned IP is listed in dsbl.org. I know that the "right" solution is to pursue having their IP removed from the list, but in the meantime, I'd like something, even if only temporary, to let this particular client continue to send via my server.

So solutions I see:

1. turn off spamlist checking
(I'd rather not as this would be server-wide and to date it has helped reduce the mail load... I think)

2. add my client's IP to a whitelist
(this would be ok... I'm having trouble finding some good pointers to how to do this with exim, but I may just need to search more)

3. have some setting so that authenticated users can send regardless.
(this would be ideal)

Actually, now that I think about it, the only people sending FROM my server are my clients (i.e. it's not an open relay... authentication required to use SMTP)...

So I'm suddenly wondering why I want dnslist/dsbl checks on emails sent FROM my server? Doesn't it make more sense to only use it to reject emails coming IN TO my server that are from a known spam IP?

Can someone shed some light on this? And of course I welcome any specific pointers on how to set this up, either #2 or #3... or best of all, the option to not check outgoing emails against spamlists.

Thanks!

-Danimal :cool:
 

amh007

Member
May 23, 2006
7
0
151
tmallardi said:
I have a number of customers who travel with their notebook computers. Obviously it's a hassle for them to reconfigure SMTP servers every time they check into a new hotel. Occasionaly they get blocked when sending email.

Is it possible to configure Exim such that RBL lookups do not occur when authenticated users attempt to relay?
Doesn't smtp-authentication clear this hurdle?
 

tmallardi

Well-Known Member
Jan 18, 2005
69
0
156
El Paso, TX
amh007 said:
Doesn't smtp-authentication clear this hurdle?
Nope, unfortunately it does not.

For some reason, the authenticated user is subject to a RBL lookup before they can relay.

There really is no reason that an authenticated user needs to scrutinized by the blacklist, as they have already proven their credentials.

Sure would like to have this resolved so that most all RBL 's can be used in Exim.
 

danimal

Well-Known Member
Jul 14, 2003
79
0
156
I don't think so (although I may be wrong).

I have SMTP-Authentication on, and I've configured exim to reject when an email matches a couple of SBL lists, and a hosted client of mine cannot send emails through my server because their Verizon DSL assigned IP is listed on one of the SBLs.

I'm still trying to figure out the "cleanest" way of dealing with this. I think ultimately, I'd like to just have exim auto-whitelist anyone that sends through the server, as this would be my clients only. That way, even if a client is listed, they can still send.

(this may not be a good solution in general, but my hosting company is small and I personally know all the clients)

Thanks,

-Danimal :cool:

EDIT: I posted this thie same time as tmallardi. I'm the same boat and would also love to have this resolved.
 

amh007

Member
May 23, 2006
7
0
151
tmallardi said:
Nope, unfortunately it does not.

For some reason, the authenticated user is subject to a RBL lookup before they can relay.

There really is no reason that an authenticated user needs to scrutinized by the blacklist, as they have already proven their credentials.

Sure would like to have this resolved so that most all RBL 's can be used in Exim.
I'm pretty certain it does, have you tested it? The dynamic-host RBL I use blocks most of my clients (including myself) if they don't use smtp-auth.
 

tmallardi

Well-Known Member
Jan 18, 2005
69
0
156
El Paso, TX
amh007 said:
I'm pretty certain it does, have you tested it? The dynamic-host RBL I use blocks most of my clients (including myself) if they don't use smtp-auth.
Yep, if your IP address is on a blacklist simply because it is dynamic, you will get blocked - even when you authenticate.

This happens quite a bit with Comcast & Verizon DSL customers.
 

amh007

Member
May 23, 2006
7
0
151
tmallardi said:
Yep, if your IP address is on a blacklist simply because it is dynamic, you will get blocked - even when you authenticate.

This happens quite a bit with Comcast & Verizon DSL customers.
Something is getting lost in the translation here, so one last attempt.

I am a Verizon DSL customer.
I get blocked by my mail server's use of a DUL RBL.
I enable smtp authentication in my mail client.
I no longer get blocked.

Good luck guys.
 

danimal

Well-Known Member
Jul 14, 2003
79
0
156
amh007,

This is exactly the situation I'm in, but my client is still getting blocked. Would you mind posting your /etc/exim.conf file. I'm wondering if there is a different configuration on your server.

What you have is exactly what I'd like it to be on my server, I'm just not sure how.

Thanks!

-Danimal :cool:
 

amh007

Member
May 23, 2006
7
0
151
I'll give you my customizations, everything else is default cpanel/exim config. This is from advanced mode edit of course.

1st input box:
Code:
# 20060710/amh begin
domainlist rbl_blacklist = lsearch;/etc/rblblacklist
domainlist rbl_bypass = lsearch;/etc/rblbypass
hostlist rbl_whitelist = lsearch;/etc/relayhosts : partial-lsearch;/etc/rblwhitelist
# 20060710/amh end
3rd input box, just after "accept hosts":
Code:
# 20060710/amh begin
# Always accept mail to postmaster & abuse for any local domain
accept domains = +local_domains
local_parts = support:postmaster:abuse

deny message = Message rejected because $sender_fullhost \
is blacklisted at $dnslist_domain see $dnslist_text
!hosts = +relay_hosts
!authenticated = *
dnslists = \
multi.surbl.org: \
dul.dnsbl.sorbs.net : \
opm.blitzed.org : \
sbl-xbl.spamhaus.org :
# RBL Bypass Local Domain List
!domains = +rbl_bypass
# RBL Whitelist incoming hosts
!hosts = +rbl_whitelist 
# 20060710/amh end
and the 7th input box:
Code:
# 20060710/amh begin
# Deny and send notice to list of rejected domains.
reject_domains:
driver = redirect
# RBL Blacklist incoming hosts
domains = +rbl_blacklist
allow_fail
data = :fail: Connection rejected: SPAM source $domain is manually blacklisted.
# 20060710/amh end
Hope that helps. That's all from assorted howto's I found googling around the web, no credit to me. Oh, if anyone sees anything wrong with this, please let me know, I'm no Exim guru ;)
 

tmallardi

Well-Known Member
Jan 18, 2005
69
0
156
El Paso, TX
RESOLVED!!

The simple addition of the following modifier fixed the problem.

!authenticated = *


Thanks for the solution AMH!

Thanks to Danimal for getting this thread noticed.
 

kemis

Well-Known Member
Feb 17, 2005
104
0
166
Georgetown, TX
Is there a way to do this same thing for SpamAssassin? In other words, when users authenticate & send through the mail server, is there any way to make SpamAssassin NOT assign points (or at least give negative points) for RBL checks that say the message was sent from a dynamic IP.

Also, can someone please explain to me why the checks say the e-mail was "sent directly from dynamic IP" and/or "dialup sender did non-local SMTP"? If a user is authenticating against the cPanel server & relaying through it, then the e-mail was really sent from the server, right? Regardless, it just doesn't make sense to me that a valid SMTP authenticated user on DSL/cable would be subject to spam points.

Thanks,
Matt
 

srhoffman

Member
Aug 25, 2005
6
0
151
Everythign works except the bypass/whitelist

AMH,

I've been usign your stuff to enforce RBL's quite successfully, but for some reason it won't acknowledge whitelisted IP's, does this work for you? If so who owns and what are the permissions on the files in /etc/rbl*?

Thanks,
Steve
 

claudio

Well-Known Member
Jul 31, 2004
201
0
166
guys

thanks for the tips of this thread,

1) this
!authenticated = *

is not avoiding authenticated users of beign listed : (((

white list do work if you place the name of the network domain that the ip carry together from its isp what gives a huge work and sometimes there is no domain name to add...

2)
after add this RBL to my exim everything is far better

but clamav is not working anymore

any clues?

thanks

Claudio
 
Last edited:

kemis

Well-Known Member
Feb 17, 2005
104
0
166
Georgetown, TX
Thanks, brianoz, for agreeing with me! I've been watching this thread hoping someone could shed some light on this. I can't image there's no solution (except to simply zero out those SA rules, which I doubt would be a good idea).

My fingers are crossed hoping someone else has a clever solution to our SpamAssassin problem.

Matt