Can RBL ignore authenticate users?

[tmallardi]

I have a number of customers who travel with their notebook computers. Obviously it's a hassle for them to reconfigure SMTP servers every time they check into a new hotel. Occasionaly they get blocked when sending email.

Is it possible to configure Exim such that RBL lookups do not occur when authenticated users attempt to relay?

 

[webignition]

Obviously it's a hassle for them to reconfigure SMTP servers every time they check into a new hotel.

Certainly would be. Why would they have to do that?

 

[tmallardi]

Certainly would be. Why would they have to do that?

Many people are advised to configure their mail client to use the SMTP server of the ISP they are connected to. In the case of traveling computers, it would be a hassle to change your SMTP settings every place you go, right?

So, I'd like to configure Exim on the server side to not do a RBL lookup on authenticated users trying to relay. Therefore, they can keep their smtp settings the same, and avoid possibly being rejected when attempting to relay from a dynamic ISP connection.

 

[danimal]

me too!

I am also very interested in doing this.

I have a client whose verizon dsl assigned IP is listed in dsbl.org. I know that the "right" solution is to pursue having their IP removed from the list, but in the meantime, I'd like something, even if only temporary, to let this particular client continue to send via my server.

So solutions I see:

1. turn off spamlist checking
(I'd rather not as this would be server-wide and to date it has helped reduce the mail load... I think)

2. add my client's IP to a whitelist
(this would be ok... I'm having trouble finding some good pointers to how to do this with exim, but I may just need to search more)

3. have some setting so that authenticated users can send regardless.
(this would be ideal)

Actually, now that I think about it, the only people sending FROM my server are my clients (i.e. it's not an open relay... authentication required to use SMTP)...

So I'm suddenly wondering why I want dnslist/dsbl checks on emails sent FROM my server? Doesn't it make more sense to only use it to reject emails coming IN TO my server that are from a known spam IP?

Can someone shed some light on this? And of course I welcome any specific pointers on how to set this up, either #2 or #3... or best of all, the option to not check outgoing emails against spamlists.

Thanks!

-Danimal

 

[amh007]

I have a number of customers who travel with their notebook computers. Obviously it's a hassle for them to reconfigure SMTP servers every time they check into a new hotel. Occasionaly they get blocked when sending email.

Is it possible to configure Exim such that RBL lookups do not occur when authenticated users attempt to relay?

Doesn't smtp-authentication clear this hurdle?

 

[tmallardi]

Doesn't smtp-authentication clear this hurdle?

Nope, unfortunately it does not.

For some reason, the authenticated user is subject to a RBL lookup before they can relay.

There really is no reason that an authenticated user needs to scrutinized by the blacklist, as they have already proven their credentials.

Sure would like to have this resolved so that most all RBL 's can be used in Exim.

 

[danimal]

I don't think so (although I may be wrong).

I have SMTP-Authentication on, and I've configured exim to reject when an email matches a couple of SBL lists, and a hosted client of mine cannot send emails through my server because their Verizon DSL assigned IP is listed on one of the SBLs.

I'm still trying to figure out the "cleanest" way of dealing with this. I think ultimately, I'd like to just have exim auto-whitelist anyone that sends through the server, as this would be my clients only. That way, even if a client is listed, they can still send.

(this may not be a good solution in general, but my hosting company is small and I personally know all the clients)

Thanks,

-Danimal

EDIT: I posted this thie same time as tmallardi. I'm the same boat and would also love to have this resolved.

 

[amh007]

Nope, unfortunately it does not.

For some reason, the authenticated user is subject to a RBL lookup before they can relay.

There really is no reason that an authenticated user needs to scrutinized by the blacklist, as they have already proven their credentials.

Sure would like to have this resolved so that most all RBL 's can be used in Exim.

I'm pretty certain it does, have you tested it? The dynamic-host RBL I use blocks most of my clients (including myself) if they don't use smtp-auth.

 

[tmallardi]

I'm pretty certain it does, have you tested it? The dynamic-host RBL I use blocks most of my clients (including myself) if they don't use smtp-auth.

Yep, if your IP address is on a blacklist simply because it is dynamic, you will get blocked - even when you authenticate.

This happens quite a bit with Comcast & Verizon DSL customers.

 

[amh007]

Yep, if your IP address is on a blacklist simply because it is dynamic, you will get blocked - even when you authenticate.

This happens quite a bit with Comcast & Verizon DSL customers.

Something is getting lost in the translation here, so one last attempt.

I am a Verizon DSL customer.
I get blocked by my mail server's use of a DUL RBL.
I enable smtp authentication in my mail client.
I no longer get blocked.

Good luck guys.

 

[danimal]

amh007,

This is exactly the situation I'm in, but my client is still getting blocked. Would you mind posting your /etc/exim.conf file. I'm wondering if there is a different configuration on your server.

What you have is exactly what I'd like it to be on my server, I'm just not sure how.

Thanks!

-Danimal

 

[amh007]

I'll give you my customizations, everything else is default cpanel/exim config. This is from advanced mode edit of course.

1st input box:

# 20060710/amh begin
domainlist rbl_blacklist = lsearch;/etc/rblblacklist
domainlist rbl_bypass = lsearch;/etc/rblbypass
hostlist rbl_whitelist = lsearch;/etc/relayhosts : partial-lsearch;/etc/rblwhitelist
# 20060710/amh end

3rd input box, just after "accept hosts":

# 20060710/amh begin
# Always accept mail to postmaster & abuse for any local domain
accept domains = +local_domains
local_parts = support:postmaster:abuse

deny message = Message rejected because $sender_fullhost \
is blacklisted at $dnslist_domain see $dnslist_text
!hosts = +relay_hosts
!authenticated = *
dnslists = \
multi.surbl.org: \
dul.dnsbl.sorbs.net : \
opm.blitzed.org : \
sbl-xbl.spamhaus.org :
# RBL Bypass Local Domain List
!domains = +rbl_bypass
# RBL Whitelist incoming hosts
!hosts = +rbl_whitelist 
# 20060710/amh end

and the 7th input box:

# 20060710/amh begin
# Deny and send notice to list of rejected domains.
reject_domains:
driver = redirect
# RBL Blacklist incoming hosts
domains = +rbl_blacklist
allow_fail
data = :fail: Connection rejected: SPAM source $domain is manually blacklisted.
# 20060710/amh end

Hope that helps. That's all from assorted howto's I found googling around the web, no credit to me. Oh, if anyone sees anything wrong with this, please let me know, I'm no Exim guru

 

[tmallardi]

RESOLVED!!

The simple addition of the following modifier fixed the problem.

!authenticated = *


Thanks for the solution AMH!

Thanks to Danimal for getting this thread noticed.

 

[kemis]

Is there a way to do this same thing for SpamAssassin? In other words, when users authenticate & send through the mail server, is there any way to make SpamAssassin NOT assign points (or at least give negative points) for RBL checks that say the message was sent from a dynamic IP.

Also, can someone please explain to me why the checks say the e-mail was "sent directly from dynamic IP" and/or "dialup sender did non-local SMTP"? If a user is authenticating against the cPanel server & relaying through it, then the e-mail was really sent from the server, right? Regardless, it just doesn't make sense to me that a valid SMTP authenticated user on DSL/cable would be subject to spam points.

Thanks,
Matt

 

[srhoffman]

Everythign works except the bypass/whitelist

AMH,

I've been usign your stuff to enforce RBL's quite successfully, but for some reason it won't acknowledge whitelisted IP's, does this work for you? If so who owns and what are the permissions on the files in /etc/rbl*?

Thanks,
Steve

 

[claudio]

guys

thanks for the tips of this thread,

1) this
!authenticated = *

is not avoiding authenticated users of beign listed : (((

white list do work if you place the name of the network domain that the ip carry together from its isp what gives a huge work and sometimes there is no domain name to add...

2)
after add this RBL to my exim everything is far better

but clamav is not working anymore

any clues?

thanks

Claudio

 

[brianoz]

My problem is with SpamAssassin too, that is, a travelling user sends email through our smtp server and is coming up with points for an RBL match.

Anyone know how to turn this off for authenticated users?

 

[kemis]

Thanks, brianoz, for agreeing with me! I've been watching this thread hoping someone could shed some light on this. I can't image there's no solution (except to simply zero out those SA rules, which I doubt would be a good idea).

My fingers are crossed hoping someone else has a clever solution to our SpamAssassin problem.

Matt

 

[brianoz]

Well yes, particularly when the travelling user is myself