Exim smart relay + verification?

Discussion in 'E-mail Discussions' started by beddo, Jul 4, 2009.

  1. beddo

    beddo Well-Known Member

    Hi there,
    I've been using exim smart relays with these for a while:

    Code:
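    # Router: send domains listed in /etc/staticroutes to the host given there
    static_route:
      driver = manualroute
      transport = remote_smtp_smart
      route_data = ${lookup{$domain}lsearch{/etc/staticroutes}}
    
    # Transport: deliver over SMTP to the looked-up host
    remote_smtp_smart:
      driver = smtp
      port = 25
      hosts = ${lookup{$domain}lsearch{/etc/staticroutes}}
      hosts_override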
    This works wonderfully for a lot of our clients and cuts the spam load massively with the spam setup we have. The only limitation that is fairly obvious with this setup is that exim will accept mail for accounts that don't exist on the destination server and it will sit in the queue until it expires.

    Then I got to thinking. The cPanel/Exim implementation supports sender verification callouts for incoming mail. Surely there must be some way to adapt a similar feature and have exim do a lookup on the destination server before accepting the mail.

    I'm going to have a look and see if I can figure anything out myself but I have no idea where this would even start so if anyone has any pointers or has tried in the past I'd like to know what you came up with or what stopped you.

    Cheers.
     
  2. beddo

    beddo Well-Known Member

    After many hours banging my head against a brick wall (not helped by a malfunctioning Exchange server used for testing) I have solved this myself.

    The solution is to look for the following section in the check_recipient ACL:

    Code:
    #recipient verifications are required for all messages that are not sent to the local machine
                            #this was done at multiple users requests
                            require verify = recipient
    After it, put in the following:
    Code:
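      # Tag mail for domains listed in /etc/staticroutes (optional)
      warn
        condition = ${if eq {1}{${lookup{$domain}lsearch{/etc/staticroutes}{1}{0}}}}
        add_header = X_Staticroutes: TRUE
      # "require" is an ACL verb, so it begins its own statement: the callout
      # runs for every recipient reaching this point, not only when warn matched
      require verify = recipient/callout=use_sender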
    
    Looks so simple. I don't think you actually need the add_header line but that won't cause any problems. I recommend this for everyone who is using staticroutes as it stops those rejected dictionary attacks from clogging up the mail queues. (Make sure you thoroughly test it out first though and don't blame me if anything goes wrong - it works for me!).
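
Added example, not part of the original posts or of cPanel's shipped configuration: one way to scope the callout to the smart-relayed domains only is to put the domain test and the verification in the same ACL statement. `/etc/staticroutes` is the file from the thread; the `message` wording and the 30s timeout are assumptions.

```exim
# Added example. Place it in the recipient ACL at the point the post describes.
# Comment lines must start with '#'; Exim has no trailing comments.

# Only recipients whose domain has an entry in /etc/staticroutes are checked.
# The callout opens an SMTP session to the routed host and issues RCPT TO;
# if the destination refuses the address, the message is rejected here at
# RCPT time instead of being accepted and left in the queue.
deny
  domains = lsearch;/etc/staticroutes
  # Assumed wording for the rejection text returned to the sending server
  message = Recipient rejected by destination server
  # use_sender: send the real envelope sender in MAIL FROM during the callout
  # instead of the empty sender. Exim's documentation notes that this makes
  # callout caching less effective, so use it only when the destination
  # needs the sender to decide on the recipient.
  !verify = recipient/callout=30s,use_sender

# If the destination cannot be reached, the verification defers and the
# sending server receives a temporary (4xx) error and retries later.
# To accept the mail in that case instead, add defer_ok to the callout:
#   !verify = recipient/callout=30s,use_sender,defer_ok
```

A rule like this can be exercised without sending real mail by running `exim -bhc 192.0.2.1` (a documentation-range address standing in for the client) and typing the SMTP dialogue by hand; `-bhc` behaves like `-bh` but performs the callouts.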
     
  3. gstevens

    gstevens Registered

  4. beddo

    beddo Well-Known Member

    I can't speak for anyone else but this has worked wonders for me. If you manage one or two remote servers then maintaining your own userfile should be manageable but I can't even begin to think of how complicated it would be for us.

    We have 58 domains set up using staticroutes. Previously at any one time I would have between 300 and 600 mails sat in the exim queue because they couldn't be delivered to the destination and they couldn't go back to a fake from address. That doesn't include the ones that did go back to fake from addresses.

    Since implementing the change, I've yet to see more than 10 messages in the queue when I log on.

    To give you an idea of the mail load on my server, my mainlog files contain an average of 135,269 lines over the past 30 days with a minimum of 77,979 (Weekend) and a maximum of 171,920.

    I've looked at a few particular messages that would have gone through the verification process. They are all delivered either with the exact same timestamp or have 1 second difference. I don't appear to be experiencing any performance hits at all with this setup.
     