The Community Forums


RBL config exim

Discussion in 'General Discussion' started by luis, Dec 1, 2005.

  1. luis

    luis Well-Known Member

    Joined:
    Sep 3, 2001
    Messages:
    50
    Likes Received:
    0
    Trophy Points:
    6
    I'm trying to configure exim to use sbl-xbl.spamhaus.org and bl.spamcop.net and after lots and lots of reading and experimenting I still can't hit the nail on the head.

    I can get the filters to work great... well, too great really, I mean, if one of my clients' home computer IP is on one of these lists he gets trapped in the filter, and that, of course, is not an option.

    I'm using the following command exactly after accept hosts = :

    deny message = Your IP is blacklisted. More info: $dnslist_text
    dnslists = sbl-xbl.spamhaus.org : bl.spamcop.net
    !authenticated = *
    !hosts = +relay_hosts

    I have tried with both !authenticated = * and !hosts = +relay_hosts commands and each one individually, but clients with blacklisted IP in their home computer still get caught in the filter.

    Any ideas?

    Thanks guys
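    As an added illustration (not code from this thread, from Exim or from cPanel), here is what the `dnslists` condition in the deny statement above does under the hood, together with the two exemptions: the client's IPv4 octets are reversed and looked up as a name under each list zone, and any A-record answer means "listed". The resolver below is a constructed stand-in so the code runs offline; in production Exim performs real DNS queries. The 127.0.0.2 test entry is the one every DNSBL is expected to list (RFC 5782); the 192.0.2.x and 198.51.100.x addresses are documentation ranges chosen here as sample data.

```python
"""DNSBL lookup the way Exim's `dnslists` condition performs it, plus the
"skip authenticated / relay hosts" exemption from the thread.
Added example; not code from the forum thread, Exim or cPanel."""
import ipaddress
from typing import Callable, Optional, Sequence, Set, Tuple

# A resolver takes a DNS name and returns the A-record answer, or None (NXDOMAIN).
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, under the list zone.
    192.0.2.10 against bl.example -> '10.2.0.192.bl.example'."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything but IPv4
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def dnsbl_lookup(ip: str, zones: Sequence[str],
                 resolve: Resolver) -> Optional[Tuple[str, str]]:
    """Return (zone, answer) for the first list that has the IP, else None.
    Mirrors `dnslists = zone1 : zone2`: zones are tried in order and the
    first hit is what $dnslist_domain / $dnslist_value refer to."""
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is not None:
            return zone, answer
    return None


def rcpt_decision(ip: str, authenticated: bool, relay_hosts: Set[str],
                  zones: Sequence[str], resolve: Resolver) -> str:
    """Model the thread's statement:
         deny dnslists = ... ; !authenticated = * ; !hosts = +relay_hosts
    Exim ANDs the conditions: the deny fires only when the host is listed AND
    the session is not authenticated AND the host is not in relay_hosts."""
    if authenticated or ip in relay_hosts:
        return "accept"  # exempt: the blacklist is never consulted
    hit = dnsbl_lookup(ip, zones, resolve)
    if hit:
        zone, value = hit
        return f"deny: {ip} is listed in {zone} ({value})"
    return "accept"


# Constructed offline answers standing in for real DNS (assumption: these
# names resolve exactly as shown). 127.0.0.2 is the standard DNSBL test entry.
SAMPLE_ANSWERS = {
    "2.0.0.127.sbl-xbl.spamhaus.org": "127.0.0.2",
    "2.0.0.127.bl.spamcop.net": "127.0.0.2",
    "77.2.0.192.bl.spamcop.net": "127.0.0.2",  # a customer's "home" IP, listed only at spamcop
}


def fake_resolve(name: str) -> Optional[str]:
    return SAMPLE_ANSWERS.get(name)


ZONES = ["sbl-xbl.spamhaus.org", "bl.spamcop.net"]

if __name__ == "__main__":
    home_ip = "192.0.2.77"
    relay = {home_ip}  # as if pop-before-smtp had just added the customer's IP
    print(rcpt_decision("127.0.0.2", False, set(), ZONES, fake_resolve))
    print(rcpt_decision(home_ip, False, set(), ZONES, fake_resolve))   # caught
    print(rcpt_decision(home_ip, True, set(), ZONES, fake_resolve))    # SMTP AUTH: exempt
    print(rcpt_decision(home_ip, False, relay, ZONES, fake_resolve))   # relay_hosts: exempt
```

    Two points follow from this model. Exim evaluates a statement's conditions in the order written and stops at the first one that fails, so whether the deny fires does not depend on where `dnslists` sits, but writing `!authenticated` and `!hosts` first spares the DNS lookups for exempt sessions. And the exemption only helps a client that really is authenticated (SMTP AUTH before MAIL FROM) or whose address is currently in the relay_hosts list; `exim -bh <client-ip>` simulates an SMTP session from that address and shows which statement fires.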
     
  2. destr0yr

    destr0yr Well-Known Member

    Joined:
    May 4, 2004
    Messages:
    58
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Kelowna, BC.
    In /etc/exim.conf, after:
    Code:
    #!!# ACL that is used after the RCPT command
    check_recipient:
      # Exim 3 had no checking on -bs messages, so for compatibility
      # we accept if the source is local SMTP (i.e. not over TCP/IP).
      # We do this by testing for an empty sending host field.
      accept  hosts = :
    
    I added:
    Code:
     drop dnslists = sbl-xbl.spamhaus.org :  bl.spamcop.net
             message = your mail server $sender_host_address is in a black list \
                    at $dnslist_domain ($dnslist_text)
    
     require verify = reverse_host_lookup
             message = your mail server IP address ($sender_host_address) has no reverse DNS PTR hostname
    
    Not sure if this is working or not :D Correct me if I'm wrong.
     
  3. luis

    luis Well-Known Member

    Joined:
    Sep 3, 2001
    Messages:
    50
    Likes Received:
    0
    Trophy Points:
    6
    That part works for me. The problem is that if one of my server users has his home computer IP listed on one of those blacklists he can't send email...
    I'm trying to figure out how to make exim let my customers send email even if they are on a blacklisted IP on their home computer.

    A good option would be to let the hosts on the relay list send email without the RBL check. I think that is what the "!hosts = +relay_hosts" command is supposed to do, but if I use it the filter still blocks them.

    Anyone?
     
  4. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    New York
  5. luis

    luis Well-Known Member

    Joined:
    Sep 3, 2001
    Messages:
    50
    Likes Received:
    0
    Trophy Points:
    6
    Thanks nyjimbo. The problem is that my clients' IPs are dynamic, so I don't think a custom whitelist will work here... what do you think? Do you see something wrong in the config I posted in my first post?

    Code:
    deny message = Your IP is blacklisted. More info: $dnslist_text
    dnslists = sbl-xbl.spamhaus.org : bl.spamcop.net 
    !authenticated = *
    !hosts = +relay_hosts
    Because my problem is that these commands are not working as they should...

    I mean... the "!hosts = +relay_hosts" part is supposed to be letting all my users send email... but in my case my users with blacklisted IPs on their home computers are still getting caught in the filter.

    Here is my complete ACL

    Code:
    #!!# ACL that is used after the RCPT command
    check_recipient:
      # Exim 3 had no checking on -bs messages, so for compatibility
      # we accept if the source is local SMTP (i.e. not over TCP/IP).
      # We do this by testing for an empty sending host field.
      accept  hosts = :
    
    
    deny message = Your IP is blacklisted. More info: $dnslist_text
    dnslists = sbl-xbl.spamhaus.org : bl.spamcop.net 
    !authenticated = *
    !hosts = +relay_hosts
    
        drop hosts = /etc/exim_deny
            !hosts = /etc/exim_deny_whitelist 
            message = Connection denied after dictionary attack
            log_message = Connection denied from $sender_host_address after dictionary attack 
            !hosts = +relay_hosts
            !authenticated = *
    
    
        drop message = Appears to be a dictionary attack
            log_message = Dictionary attack (after $rcpt_fail_count failures)
            condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
            condition = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}}
            !verify = recipient
            !hosts = /etc/exim_deny_whitelist 
            !hosts = +relay_hosts
            !authenticated = *
    # Accept bounces to lists even if callbacks or other checks would fail
    
      #if it gets here it isn't mailman
    
      #sender verifications are required for all messages that are not sent to lists
    
      require verify = sender
      accept  domains = +local_domains
      endpass
    
      #recipient verifications are required for all messages that are not sent to the local machine
      #this was done at multiple users requests
    
      message = "The recipient cannot be verified.  Please check all recipients of this message to verify they are valid."
      verify = recipient
    
      accept  domains = +relay_domains
    
      warn  message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
            hosts = +relay_hosts
      accept  hosts = +relay_hosts
    
      warn  message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
            condition = ${perl{checkrelayhost}{$sender_host_address}}
      accept  condition = ${perl{checkrelayhost}{$sender_host_address}}
    
      accept  hosts = +auth_relay_hosts
              endpass
              message = $sender_fullhost is currently not permitted to \
                            relay through this server. Perhaps you \
                            have not logged into the pop/imap server in the \
                            last 30 minutes or do not have SMTP Authentication turned on in your email client.
              authenticated = *
    
      deny    message = $sender_fullhost is currently not permitted to \
                            relay through this server. Perhaps you \
                            have not logged into the pop/imap server in the \
                            last 30 minutes or do not have SMTP Authentication turned on in your email client.
    
    
    #!!# ACL that is used after the DATA command
    check_message:
      require verify = header_sender
    
    
    ##### clamav ACL, reject virus infected mails with proper error
    
    deny message = This message contains malformed MIME ($demime_reason).
    demime = *
    condition = ${if >{$demime_errorlevel}{2}{1}{0}}
    
    deny message = This message contains a virus or other harmful content \
    ($malware_name)
    demime = *
    malware = *
    
    deny message = Potentially executable content. If you meant to send this file \
    then please package it up as a zip file and resend it. 
    demime = ade:adp:bas:bat:chm:cmd:com:cpl:crt:eml:exe:hlp:hta:inf:ins:isp:jse:lnk:mdb:mde:msc:msi:msp:pcd:reg:scr:sct:shs:url:vbs:vbe:wsf:wsh:wsc
    
    # Add X-Scanned Header
    
    warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
    
    ##### end clamav ACL
    
    
      accept
    Thanks in advance
     
  6. centaur777

    centaur777 Active Member

    Joined:
    Apr 9, 2004
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    This is a good page for ACL's http://www.rvskin.com/index.php?page=public/antispam

    According to that page you should put the "Blacklist portion" after require verify = sender instead of after accept hosts = :

    Based upon that article, I think your ACL might work like this:
    ------------------------
    #sender verifications are required for all messages that are not sent to lists

    require verify = sender

    # Reject email sent from server listed in DNS blacklists.
    deny message = your mail server $sender_host_address is in a black list \
    at $dnslist_domain ($dnslist_text)
    !hosts = +relay_hosts
    !authenticated = *
    dnslists = relays.ordb.org :\
    sbl-xbl.spamhaus.org :\
    bl.spamcop.net :\

    #recipient verifications are required for all messages that are not sent to the local machine
    #this was done at multiple users requests
    accept domains = +local_domains
    endpass
    message = "The recipient cannot be verified. Please check all recipients of this message to verify they are valid."
    verify = recipient

    accept domains = +relay_domains
    ------------------------

    Do let me know if it works.
     
  7. luis

    luis Well-Known Member

    Joined:
    Sep 3, 2001
    Messages:
    50
    Likes Received:
    0
    Trophy Points:
    6
    Does not make much sense but I moved the order of the commands and it worked (well... so far so good)

    It ended like this:

    Code:
        drop message = Your IP is blacklisted. More info $dnslist_text
            !hosts = +relay_hosts
            !authenticated = *
            dnslists =  sbl-xbl.spamhaus.org :  bl.spamcop.net :
    It seems to be now somehow interfering with the dictionary attack ACL so I changed the deny to drop. :confused:
     
  8. centaur777

    centaur777 Active Member

    Joined:
    Apr 9, 2004
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    Hmmm

    Paste your entire ACL after changes. That would help find why RBL is interfering with your Dictionary Attack ACL.

    Also if someone else could paste their ACL here, you may be able to compare and find out if your RBL lines are appearing in correct format (and in correct order) or not.
     
  9. SubZero

    SubZero Well-Known Member

    Joined:
    Apr 21, 2005
    Messages:
    100
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Balmumcu, Istanbul, TR
    Here is mine:
    Code:
    #!!# ACL that is used while connecting
    check_connect:
      accept
    #          condition        = ${if eq{$interface_port}{25}{yes}{no}}
    
    #!!# ACL that is used after the RCPT command
    check_recipient:
      # Exim 3 had no checking on -bs messages, so for compatibility
      # we accept if the source is local SMTP (i.e. not over TCP/IP).
      # We do this by testing for an empty sending host field.
      accept  hosts            = :
    
      deny    message          = Only one recipient accepted for NULL sender
              senders          = :
              condition        = ${if >{$rcpt_count}{1}{1}}
    
      accept  condition        = ${if eq{$interface_port}{587}{yes}{no}}
              endpass
              message          = SMTP authentication required for access on port 587
              authenticated    = *
    
      deny    message          = IP address ($sender_helo_name) is not an allowed HELO string
              condition        = ${if isip {$sender_helo_name}}
              log_message      = HELO string $sender_helo_name denied from $sender_host_address
    
      deny    !sender_domains  = lsearch;/etc/localdomains
              !senders         = @@lsearch;/etc/localsenders
              !hosts           = +relay_hosts
              !hosts           = /etc/exim_rbl_whitelist
              !authenticated   = *
              message          = $sender_host_address is listed in $dnslist_domain ($dnslist_text)
              dnslists         = sbl-xbl.spamhaus.org : list.dsbl.org : dnsbl.ahbl.org : \
                                 relays.ordb.org : bl.spamcop.net : dsn.rfc-ignorant.org/$sender_address_domain
                               # : dnsbl.sorbs.net : postmaster.rfc-ignorant.org/$sender_address_domain
    
      # Use "spfquery" to obtain SPF status for this particular sender/host.
      # If the return code of that command is 1, this is an unauthorized sender.
      deny    message          = SPF check failed for $sender_address_domain from $sender_host_address.
              log_message      = SPF check failed for $sender_address_domain from $sender_host_address.
              set acl_m9       = -ipv4=$sender_host_address -sender=$sender_address -helo=$sender_helo_name
              set acl_m9       = ${run{/usr/bin/spfquery $acl_m9}}
              condition        = ${if eq {$runrc}{1}{true}{false}}
    
      drop    hosts            = /etc/exim_deny
              !hosts           = /etc/exim_deny_whitelist
              message          = Connection denied for 1 hour after dictionary attack
              log_message      = Connection denied from $sender_host_address after dictionary attack
    
      drop    !verify          = recipient
              !hosts           = /etc/exim_deny_whitelist
              message          = Appears to be a dictionary attack
              log_message      = Dictionary attack (after $rcpt_fail_count failures)
              condition        = ${if > {${eval:$rcpt_fail_count}}{4}{yes}{no}}
              condition        = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}}
    
      # Accept bounces to lists even if callbacks or other checks would fail
      warn    message          = X-WhitelistedRCPT-nohdrfromcallback: Yes
              condition        = ${if and {{match{$local_part}{(.*)-bounces\+.*}}{exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}}{yes}{no}}
    
      accept  condition        = ${if and {{match{$local_part}{(.*)-bounces\+.*}}{exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}}{yes}{no}}
    
      warn    message          = X-WhitelistedRCPT-nohdrfromcallback: Yes
              condition        = ${if and {{match{$local_part}{(.*)-bounces\+.*}}{exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}}{yes}{no}}
    
      accept  condition        = ${if and {{match{$local_part}{(.*)-bounces\+.*}}{exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}}{yes}{no}}
    
      #if it gets here it isn't mailman
    
      #sender verifications are required for all messages that are not sent to lists
      #recipient verifications are required for all messages that are not sent to the local machine
      #this was done at multiple users requests
    
      require verify           = sender
      accept  domains          = +local_domains
              endpass
              message          = Please check all recipients of this message to verify they are valid.
              verify           = recipient
    
      accept  domains          = +relay_domains
    
      warn    message          = ${perl{popbeforesmtpwarn}{$sender_host_name}}
              hosts            = +relay_hosts
      accept  hosts            = +relay_hosts
    
      warn    message          = ${perl{popbeforesmtpwarn}{$sender_host_address}}
              condition        = ${perl{checkrelayhost}{$sender_host_address}}
      accept  condition        = ${perl{checkrelayhost}{$sender_host_address}}
    
      accept  hosts            = +auth_relay_hosts
              endpass
              message          = $sender_fullhost is currently not permitted to relay. Please enable SMTP Authentication in your email client.
              authenticated    = *
    
      deny    message          = $sender_fullhost is currently not permitted to relay. Please enable SMTP Authentication in your email client.
    
    #!!# ACL that is used after the DATA command
    check_message:
      require verify           = header_sender
      ######## EXISCAN ACL #########
      deny    message          = This message contains malware ($malware_name).
              malware          = *
      deny    message          = The $found_extension extension not allowed. Resend them in ZIP or RAR.
              demime           = ade:adp:bas:bat:cmd:com:cpl:crt:exe:hta:lnk:pif:prf:reg:scr:url:vbs:vbe:wsc:wsf:wsh
    #          demime          = chm:eml:hlp:inf:ins:isp:jse:mdb:mde:msc:msi:msp:pcd:sct:shs
      warn    message          = X-Antivirus: Clear (${readsocket{/var/clamd}{VERSION}{2s}{}{Clam AntiVirus Scanner}})
      ######## EXISCAN ACL #########
      accept
     
    #9 SubZero, Dec 6, 2005
    Last edited: Dec 6, 2005
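    The ordering questions raised in posts #6 and #7, and answered by the full ACL above, come down to how Exim walks an ACL: statements in written order, each statement's conditions ANDed and evaluated left to right, `endpass` turning a failed `accept` into a deny, `require` denying on any failure, and an implicit deny when the end of the ACL is reached. The toy evaluator below models exactly those rules and runs the same statement order as the working configurations. It is an added example, not Exim source and not any poster's configuration; the hosts, domains, listed-IP set and valid-recipient set are constructed sample data, and `listed_in_dnsbl` / `recipient_exists` stand in for the real `dnslists` and `verify = recipient` conditions.

```python
"""Toy model of Exim ACL evaluation: statements in written order, conditions
ANDed and checked left to right (stopping at the first false one), accept /
endpass, require, warn, and the implicit deny at the end of the ACL.
Added example; not Exim source code and not any poster's configuration."""
from dataclasses import dataclass
from typing import Callable, List, Union

ENDPASS = "endpass"
Cond = Callable[[dict], bool]


@dataclass
class Statement:
    verb: str                      # accept | deny | drop | require | warn
    conds: List[Union[Cond, str]]  # conditions in written order; ENDPASS may appear once
    message: str = ""              # Exim's `message =` modifier


def run_acl(acl: List[Statement], s: dict) -> str:
    """Return 'accept', 'deny: <msg>' or 'drop: <msg>' for session state s."""
    s.setdefault("warnings", [])
    for st in acl:
        after_endpass = False
        failed = False
        for c in st.conds:
            if c == ENDPASS:
                after_endpass = True
                continue
            if not c(s):
                failed = True
                break                  # Exim stops at the first failing condition
        if st.verb == "accept":
            if not failed:
                return "accept"
            if after_endpass:          # failing after endpass turns accept into deny
                return f"deny: {st.message}"
        elif st.verb in ("deny", "drop"):
            if not failed:
                return f"{st.verb}: {st.message}"
        elif st.verb == "require":     # any failing condition denies
            if failed:
                return f"deny: {st.message}"
        elif st.verb == "warn":        # never ends the ACL; only records the message
            if not failed:
                s["warnings"].append(st.message)
    return "deny: end of ACL reached"  # Exim's default when no verb matched


# Constructed data: 192.0.2.77 plays a customer's blacklisted home IP and
# 198.51.100.5 a clean remote mail server (both documentation-range addresses).
LISTED_IPS = {"192.0.2.77"}
LOCAL_DOMAINS = {"example.com"}
VALID_LOCAL_RCPTS = {"alice@example.com"}

authenticated = lambda s: s["authenticated"]
not_authenticated = lambda s: not s["authenticated"]
in_relay_hosts = lambda s: s["host"] in s["relay_hosts"]
not_in_relay_hosts = lambda s: s["host"] not in s["relay_hosts"]
on_port_587 = lambda s: s["port"] == 587
listed_in_dnsbl = lambda s: s["host"] in LISTED_IPS          # stands in for dnslists =
local_domain = lambda s: s["rcpt"].split("@", 1)[1] in LOCAL_DOMAINS
recipient_exists = lambda s: s["rcpt"] in VALID_LOCAL_RCPTS  # stands in for verify = recipient

# Same order as the thread's working configurations: submission-port rule,
# then the DNSBL deny with its exemptions, then local delivery, then relaying.
RCPT_ACL = [
    Statement("accept", [on_port_587, ENDPASS, authenticated],
              "SMTP authentication required for access on port 587"),
    Statement("deny", [not_in_relay_hosts, not_authenticated, listed_in_dnsbl],
              "host is listed in a DNS blacklist"),
    Statement("accept", [local_domain, ENDPASS, recipient_exists],
              "the recipient cannot be verified"),
    Statement("accept", [in_relay_hosts]),
    Statement("accept", [authenticated]),
]


def decide(host: str, port: int, auth: bool, rcpt: str, relay_hosts=frozenset()) -> str:
    """Run one RCPT command through RCPT_ACL for the given session facts."""
    session = {"host": host, "port": port, "authenticated": auth,
               "rcpt": rcpt, "relay_hosts": set(relay_hosts)}
    return run_acl(RCPT_ACL, session)


if __name__ == "__main__":
    print(decide("192.0.2.77", 25, False, "alice@example.com"))    # listed, no auth: denied
    print(decide("192.0.2.77", 25, True, "bob@external.example"))  # listed but authenticated: relays
    print(decide("192.0.2.77", 25, False, "alice@example.com", {"192.0.2.77"}))  # pop-before-smtp
    print(decide("198.51.100.5", 25, False, "bob@external.example"))  # relay attempt: denied
```

    The runs at the bottom show the behaviour the thread was after: the listed home IP is rejected only while the session is neither authenticated nor in relay_hosts, an authenticated session on the same IP is never checked against the list and reaches the final `accept authenticated`, and a clean unauthenticated host can deliver to a local mailbox but not relay. Moving the DNSBL deny below `accept hosts = +relay_hosts` would have the same effect for relay hosts with no exemption condition at all, because the earlier accept ends the ACL first.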
  10. Harryhood

    Harryhood Well-Known Member

    Joined:
    Jun 3, 2003
    Messages:
    57
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Gamehenge
    Have you gotten this figured out by any chance? I'd be interested if you did. I have the same (or similar) issue where the RBL blacklisting is affecting outgoing mail as well as incoming.
     