
Exim server configuration used as a backup mx record. Need to configure to avoid backscatter

Hi there.

I work for an ISP, and we provide a Linux Exim mail server as a backup MX for our clients. The problem is that we are now being listed on backscatter lists, as we are sending "User unknown" replies when we get that reply from the customer's email server.

This works fine most of the time, but when email with a forged 'from' address is sent, our Exim server replies to that from address even though that address didn't send the email in the first place.

How exactly can we fix this? We still want to provide a backup MX to our customers. Is there a way that we can configure Exim to check that a user exists first, by opening an RCPT session to their mail server, before sending on the email?

We cannot disable NDRs, as that will prevent legitimate senders from getting NDRs to an old address.

Has anyone got any experience of this scenario at all?
1 Solution
I remember having to do this for a mail gateway, otherwise we ended up with loads of frozen messages in the queue.

As I recall, you would need a setup as follows:

* Exim must be compiled with exiscan (this will allow it to run checks before it accepts the message).
* Add your clients' domains to your relay_to_domains.
* (Not sure if this step is absolutely necessary.) Set up your clients' mail servers in the hubbed_hosts file in your exim config directory. (Check your exim documentation for the syntax - I think it is of the form "domain.com: mailserver.domain.com", one line per server.)
* Have the following section in your acl_check_rcpt section (careful where you put this directive - order matters, i.e. if you use DNSBL or SPF checking, you would want to deny the message before it got to this check):
    accept
      domains = +relay_to_domains
      endpass
      verify = recipient

That should just about do it; however, you should consider that in the case of a backup mail server, it would only be used when the primary mail server is unavailable. If you are using the primary mail server as your hubbed host (or not using a hubbed host at all), your backup mail server would not accept mail for your client if the primary was offline, thus defeating the purpose of the backup mail server.

Depending on how your clients have set up their servers, you may be able to define a hubbed host that can accept mail (and thus verify that the recipient address is valid), and is not their primary incoming MX.

You should also bear in mind that the configuration can be stored in different places depending on what flavour of Linux you are running, and whether you are using split config or not.

Hope this helps you somewhat.
Just dug up an old config file and realise that I have missed one small but essential part:

* Make sure your acl_check_rcpt has the following in it somewhere (Ubuntu has it there already):

    deny
      !acl = acl_local_deny_exceptions
      recipients = ${if exists{CONFDIR/local_rcpt_callout}\
                       {CONFDIR/local_rcpt_callout}\
                       {}}
      !verify = recipient/callout

* Create a file in your exim config directory called local_rcpt_callout with a list of domains that you wish to check recipient addresses for, one line per domain.

Make sure you check your exim documentation for information on callouts.
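The pieces of the accepted answer (relay_to_domains, a hubbed_hosts router, and recipient verification with a callout) assembled into one Exim 4 configuration fragment, as an added example that is neither the poster's nor Exim's own config. The point it demonstrates is the backscatter fix itself: the backup MX asks the customer's server at RCPT time and passes a "user unknown" answer straight back to the connecting host, so it never accepts a message it would later have to bounce to a possibly forged sender. Domain names, host names and the /etc/exim4 paths are assumed placeholders.

```conf
# Added example (not the poster's or Exim's own configuration): single-file
# Exim 4 fragment for a backup MX that rejects unknown recipients during the
# SMTP session instead of accepting the message and bouncing it later. The
# bounce to a forged sender is what gets a host onto backscatter lists.
# Domains, hosts and paths below are assumed placeholders.

# Customer domains this host is allowed to relay for.
domainlist relay_to_domains = example.com : example.net

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Messages submitted locally (not over TCP/IP) are not subject to checks.
  accept  hosts = :

  # DNSBL or SPF rejection belongs here, before the callout, so that a
  # connection you would reject anyway never costs a callout to the
  # customer's server.

  # For backed-up domains, open an SMTP session to the customer's server
  # (found by the hubbed_hosts router below) and ask whether the recipient
  # exists. A 5xx from the customer becomes a 5xx to the sending host right
  # now, so this server never generates the bounce itself.
  # defer_ok: if the customer's server cannot be reached (the case a backup
  # MX exists for), treat the address as verified and queue the message.
  accept  domains = +relay_to_domains
          endpass
          message = Unknown recipient at destination server
          verify  = recipient/callout=30s,defer_ok

  # Anything that is not a backed-up domain would be open relaying.
  deny    message = relay not permitted

begin routers

# Route each backed-up domain to the customer's real server, read from
# /etc/exim4/hubbed_hosts, one "domain: host" line per customer, e.g.
#   example.com: mx.example.com
# The callout above uses this router to find which host to ask.
hubbed_hosts:
  driver = manualroute
  domains = "${if exists{/etc/exim4/hubbed_hosts}\
                 {partial-lsearch;/etc/exim4/hubbed_hosts}\
                 fail}"
  route_data = ${lookup{$domain}partial-lsearch{/etc/exim4/hubbed_hosts}}
  transport = remote_smtp

begin transports

remote_smtp:
  driver = smtp
```

The `defer_ok` flag is the trade-off the answer raises: with it, mail is queued while the customer's server is down, which is what a backup MX is for, but a message for a non-existent user that arrives during the outage will still produce a bounce once the primary returns. Without it, Exim answers 451 while the callout cannot complete, the sending server retries later, and no backscatter is possible, at the cost of the backup MX holding nothing during the outage. Listing a host in hubbed_hosts that answers RCPT even when the primary MX is down, as the answer suggests, removes the dilemma. The ACL can be exercised before going live with `exim -bhc <ip-address>`, which simulates an SMTP session from that address and actually performs the callouts.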
Magyarke (Author) commented:
Thanks Swanny. I'm back at work tomorrow and will be discussing this within the team. I'll let you know how it goes
