RBL Checks and Unknown Users
RickG
post Mar 25 2006, 01:06 AM
Post #1





Thanks for the great set of anti-spam instructions.

After implementing the RBL checks and tailing exim_mainlog, I noticed if a message comes in for an "unknown user" and it so happens the sender's IP is on an RBL, the rejected message only references the RBL block -- nothing about the invalid user.

Given this, would it be more / less efficient to place the verify = recipient section before the RBL check? If the user doesn't exist (and all accounts are set to :fail:), why bother with the RBL check? Just curious -
pairote
post Mar 25 2006, 03:42 PM
Post #2





>> Given this, would it be more / less efficient to place the verify = recipient section before the RBL check? If the user doesn't exist (and all accounts are set to :fail:), why bother with the RBL check? Just curious

You may try it. It might be more efficient. Please test it and let us know. To move the verify user above RBL, you cannot simply switch the ACL; you have to modify and add a couple of lines to make it work. The ACL below is a suggested ACL. Take it at your own risk.
Current ACL:

CODE
##
# Reject email sent from server listed in DNS blacklists.
##
deny message = Message rejected because $sender_fullhost is blacklisted at $dnslist_domain see $dnslist_text
     !hosts = @[]
     !hosts = +rv_relay_hosts
     !authenticated = *
     # RBL Bypass Local Domain List
     !domains = +rv_rbl_receiver_domain_whitelist
     # RBL Whitelist Incoming hosts
     !hosts = +rv_rbl_server_ip_whitelist
     # RBL Bypass Sender Domain List
     !senders = +rv_rbl_sender_address_whitelist
     # The following is a list of RBL to check for spam.
     dnslists = list.dsbl.org : \
                sbl.spamhaus.org : \
                relays.ordb.org

##
# If the receiver domain is on this server, accept only the receiver email addresses that exist.
# Default address for the receiver domain have to set to :fail: to work with this ACL.
# If the default address set to :blackhole: or /dev/null, Exim will always think that email exist
# and pass to lower ACL. Domains being attacked by dictionary attack spam are suggested to set
# default address to :fail:.
##
accept domains = +local_domains
       endpass
       message = "The recipient cannot be verified. Please check all recipients of this message to verify they are valid."
       log_message = unknown user
       verify = recipient

accept domains = +relay_domains


New ACL
CODE
##
# If the receiver domain is on this server, deny if the receiver email addresses doesn't exist.
# Default address for the receiver domain have to set to :fail: to work with this ACL.
# If the default address set to :blackhole: or /dev/null, Exim will always think that email exist
# and pass to lower ACL. Domains being attacked by dictionary attack spam are suggested to set
# default address to :fail:.
##
deny domains = +local_domains
     !verify = recipient
     log_message = unknown user
     message = "The recipient cannot be verified. Please check all recipients of this message to verify they are valid."

##
# Reject email sent from server listed in DNS blacklists.
##
deny message = Message rejected because $sender_fullhost is blacklisted at $dnslist_domain see $dnslist_text
     !hosts = @[]
     !hosts = +rv_relay_hosts
     !authenticated = *
     # RBL Bypass Local Domain List
     !domains = +rv_rbl_receiver_domain_whitelist
     # RBL Whitelist Incoming hosts
     !hosts = +rv_rbl_server_ip_whitelist
     # RBL Bypass Sender Domain List
     !senders = +rv_rbl_sender_address_whitelist
     # The following is a list of RBL to check for spam.
     dnslists = list.dsbl.org : \
                sbl.spamhaus.org : \
                relays.ordb.org

accept domains = +local_domains
accept domains = +relay_domains
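
Why the two statements cannot simply be swapped, shown as an added example that is not part of the posts above and is not Exim code: a small Python model of first-match ACL evaluation for one RCPT command. The statement labels, domain, mailbox and IPs are constructed, and the model leaves out the whitelist conditions and the relay_domains statement.

```python
# Toy model of Exim RCPT ACL evaluation order (added example, not Exim code).
# All addresses, domains and IPs are constructed sample values.
LOCAL_DOMAINS = {"example.org"}
MAILBOXES = {"alice@example.org"}   # everything else hits the :fail: default
LISTED_IPS = {"192.0.2.66"}         # stands in for the DNS blacklists

CURRENT = ["rbl_deny", "accept_endpass_verify"]
NAIVE_SWAP = ["accept_endpass_verify", "rbl_deny"]
NEW = ["deny_unverified", "rbl_deny", "accept_local"]


def run_acl(order, ip, rcpt):
    """Return (verdict, reason, rbl_checked) for one RCPT command."""
    local = rcpt.rsplit("@", 1)[1] in LOCAL_DOMAINS
    exists = rcpt in MAILBOXES
    rbl_checked = False
    for stmt in order:
        if stmt == "rbl_deny":
            rbl_checked = True
            if ip in LISTED_IPS:
                return "deny", "blacklisted", rbl_checked
        elif stmt == "accept_endpass_verify" and local:
            # After endpass, the verify result is final: accept or deny here.
            if exists:
                return "accept", "verified", rbl_checked
            return "deny", "unknown user", rbl_checked
        elif stmt == "deny_unverified" and local and not exists:
            return "deny", "unknown user", rbl_checked
        elif stmt == "accept_local" and local:
            return "accept", "local domain", rbl_checked
    return "deny", "end of ACL", rbl_checked


def compare(ip, rcpt):
    """Outcome of the same RCPT under each of the three orderings."""
    return {name: run_acl(order, ip, rcpt)
            for name, order in (("current", CURRENT),
                                ("naive_swap", NAIVE_SWAP),
                                ("new", NEW))}


if __name__ == "__main__":
    for rcpt in ("nobody@example.org", "alice@example.org"):
        print(rcpt, compare("192.0.2.66", rcpt))
```

In the naive swap a listed host reaches a valid mailbox without the RBL statement ever running, which is what the rewrite to `deny` with `!verify = recipient` avoids. The lists list.dsbl.org and relays.ordb.org named in the thread's ACL have since been shut down, so substitute lists that are still operated before reusing the dnslists line.
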
RickG
post Mar 25 2006, 08:03 PM
Post #3





I've implemented the revised ACL code and so far so good. In tailing exim_mainlog, I now see the following behavior:

1) If mail arrives for an unknown user, system simply rejects w/o going through the RBL check.
2) RBL checks are still performed against mail for valid users and rejecting if on a blacklist.
3) I've also sent mail (authenticated) through the server and everything is working "as designed."

This scenario (i.e. not bothering with the RBL check if the user does not exist) seems to make a lot of sense and should be even more resource friendly. We're using the RBL checks with the complete set of HELO tests and it's having a huge impact on blocking spam (and reducing the subsequent load on SpamAssassin etc.)

I'll keep an eye on things and report back if I run into any issues.

Thanks again!
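
The check described in the post above (watching exim_mainlog to see which rule rejected each recipient) can be scripted. This is an added example, not part of the thread: it tallies rejections by the `unknown user` log_message and the RBL message text from the ACL, and lists hosts probing several nonexistent mailboxes. The log lines are constructed, and the function names and threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in exim_mainlog rejection format (not real traffic).
SAMPLE_LOG = """\
2006-03-25 20:01:11 H=(mx.example.net) [192.0.2.66] F=<a@example.net> rejected RCPT <info@example.org>: unknown user
2006-03-25 20:01:12 H=(mx.example.net) [192.0.2.66] F=<a@example.net> rejected RCPT <sales@example.org>: unknown user
2006-03-25 20:01:13 H=(mx.example.net) [192.0.2.66] F=<a@example.net> rejected RCPT <admin@example.org>: unknown user
2006-03-25 20:02:40 H=(gw.example.com) [198.51.100.7] F=<b@example.com> rejected RCPT <alice@example.org>: Message rejected because (gw.example.com) [198.51.100.7] is blacklisted at sbl.spamhaus.org see constructed-text
2006-03-25 20:03:05 H=(pc.example.net) [203.0.113.5] F=<c@example.net> rejected RCPT <alcie@example.org>: unknown user
2006-03-25 20:04:00 1FNAbc-0001Xy-2Z <= d@example.net H=(ok.example.net) [203.0.113.9] P=esmtp S=1234
"""

# Sending host IP, rejected recipient, and the text logged after the colon.
REJECT = re.compile(
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\](?::\d+)? .*?"
    r"rejected RCPT <(?P<rcpt>[^>]*)>: (?P<why>.*)$"
)


def classify(why):
    """Map the logged rejection text to the ACL statement that produced it."""
    if why == "unknown user":                  # log_message of the verify rule
        return "unknown_user"
    m = re.search(r"is blacklisted at (\S+)", why)   # message of the RBL rule
    return "rbl:" + m.group(1) if m else "other"


def tally(log_text, probe_threshold=3):
    """Return (Counter of reasons, IPs that hit >= threshold unknown mailboxes)."""
    reasons = Counter()
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if not m:
            continue                           # deliveries and other log lines
        kind = classify(m["why"])
        reasons[kind] += 1
        if kind == "unknown_user":
            probes[m["ip"]].add(m["rcpt"].lower())
    suspects = sorted(ip for ip, r in probes.items() if len(r) >= probe_threshold)
    return reasons, suspects


if __name__ == "__main__":
    print(tally(SAMPLE_LOG))
```
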
Sergio
post Mar 28 2006, 08:19 AM
Post #4





I have done this MOD, but found this error in my Exim_Paniclog:

CODE
Exim configuration error in line 865 of /etc/exim.conf: group mail was not found


It only appeared once.

Regards,
Sergio

