Chris Coleman asked:

Exim Sender Callout Whitelist not Working ..

Some mailservers do not support sender verify. My EXIM system is configured to use sender verify.

Some email addresses on servers not supporting sender/verify are known to be valid but fail when my server receives them because the mail server does not respond to my outgoing sender/verify request.

I'm sure there is a way to whitelist certain email addresses in EXIM by SSH to the server, and editing the exim.conf and editing the exim_whitelist_senders file, because I have done so several years ago.

However this does not appear to work anymore, or I'm not doing it correctly.

Could one of you experts please assist ..

Many, Many Thanks.
David Favor

Hardly any servers support verify, as this is a gold mine for spammers to check addresses for validity.

Your question requires more clarification.

You can't effect verification support on any other server except your own server.

Unsure how whitelisting addresses on your own server affects this.

Best if you start at the beginning + use actual addresses + exactly what you're trying to accomplish.

Likely there's a way to achieve your goal.
Chris Coleman (ASKER)

Thanks for that ..

I'll put it another way, or maybe I'm wrong ..

When an email is received by my server which has sender/verify active the email is put on the holding queue and a request is sent back to the domain of the sender. If the domain of the sender fails to respond within a certain time period then the held email is not delivered to the appropriate mailbox on my server.
Therefore if the email has incorrect headers it will be blocked by my server, and not delivered to the mailbox.

Sometimes it is known that a particular email address is good but its mailserver does not respond to 'sender/callout' requests. In that case it
is possible to bypass 'sender/callout' by using an exim configuration something like -
     deny
       # whitelist first, so no callout is made at all for listed senders
       !senders = +whitelist_senders
       !verify  = sender/callout=30s,defer_ok,maxwait=60s

That's what is not working and I wondered if anything had changed recently.

In the past I have had massive hits from spammers, mainly from insecure websites, and reacted by turning up my security profile in all ways possible.

Using 'sender/callout' does obviously lose some emails, but that is better than being 'hit' by a spammer and having one's shared IP addresses blacklisted, and then losing customers.

Chris.
noci

It would be better to first accept users based on the white list...
and in a separate ACL verify the callout.

You cannot do an OR in ACLs.   All the rules in the set need to apply.
If you need more tests then create a separate ACL that only verifies this aspect,
and refer to that list from this flow.
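Added example (not from the thread): the layout noci describes, written out as Exim configuration. The RCPT ACL accepts whitelisted senders before any callout and hands everyone else to a separate ACL that does only the callout. The whitelist file path is an assumption, as is that `local_domains` and `relay_from_hosts` are defined as in Exim's default configure file.

```exim
# Named address list: one sender address or pattern per line.
# (file path is an assumption; the thread mentions "exim_whitelist_senders")
addresslist whitelist_senders = /etc/exim/exim_whitelist_senders

acl_smtp_rcpt = acl_check_rcpt

begin acl

# Does nothing but the sender callout. Note that defer_ok already treats a
# remote MX that times out or answers 4xx as a pass, so the whitelist is for
# senders whose MX answers the callout probe with a hard 5xx rejection.
acl_check_sender_callout:
  accept  verify  = sender/callout=30s,defer_ok,maxwait=60s

  deny    message = Sender verification failed ($sender_verify_failure)

acl_check_rcpt:
  # Relay control stays in front: the whitelist bypasses the callout,
  # never the relay check, otherwise a forged whitelisted sender could relay.
  accept  hosts    = +relay_from_hosts

  deny    message  = relay not permitted
          !domains = +local_domains

  # Known-good senders on servers that reject callouts: no callout at all.
  accept  senders  = +whitelist_senders
          logwrite = callout skipped for whitelisted sender $sender_address

  # Everyone else must pass the callout ACL; an "acl =" condition is true
  # only when the nested ACL returns accept, so its deny rejects the RCPT.
  require message  = Sender verification failed ($sender_verify_failure)
          acl      = acl_check_sender_callout

  accept
```

Because the whitelist is matched on the envelope sender only, anyone who forges a listed address skips the callout; keeping the relay check ahead of it limits the damage to accepting mail for local domains.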
Chris Coleman (ASKER)

Hi,

I have for now turned off 'sender verification', many are saying that it is a 'bad policy' anyway, which must be 'good news' for spammers.

I will keep it in reserve so I can turn it back on during 'stressful' periods.

I will still need the additional ACL as suggested by noci, but at the moment do not have the space in which to experiment.

Regards, Chris Coleman
ASKER CERTIFIED SOLUTION
David Favor

This solution is only available to members of Experts Exchange.
Chris Coleman (ASKER)

David,

thank you - perfect ..

I had to set a domain key for DKIM -

But since this check is dependent upon a 'key exchange', what happens if I receive an email from a DNS that does not have a DKIM key, or is it normal for all/most servers to define a key ?

Chris.
A DNS system will not send you a mail.... (normally)

Most spam systems score mails according to some aspects on it.  
IF DKIM valid add -2
IF SPF  valid add -1
IF address on blacklist ADD +30
IF address on bulk list add +1
....
And if the score is above a certain threshold (somewhere around 8 in most systems based on SpamAssassin) it will become blocked, or passed with warning (score between 5-8).

So a Domain that has no DKIM key will not be checked, (it will not have a negative score on that w.r.t. SPAM rating either).
Key exchange... well, not exactly.  There is a Public Key  stored in DNS, and a private key only on the server.
The server takes a list of mail areas (like body text, subject, from, to, ...) and computes a Cryptographic hash (Signature)
and encrypts it with the secret key.  (the system is clearly using a Private/Public key pair).
If both sides do the same calculation (hash), and the decrypted hash is the same, then the mail must originate from the original sender.
==> your SPAM score is adjusted.

Currently anyone that wants mail to be delivered needs to set up DKIM, SPF, ..
Yes - please forgive the error - A DNS does not send emails - the security keys are associated with the primary DNS ...
Do I need a second key for my secondary DNS ?

Also yes there is no key exchange, it's really to do with encryption of certain parts of the message, and if the receiver does not support it, it's not checked.

Anyway, that's all installed and I have checked SPF and DKIM results in mail headers (look good) !

Next move DMARC but not today.

Many Thanks.
Secondary DNS should receive the records from the Master DNS server (as they are slaves from it).
You may need to setup also-notify to expedite the updates.

If you mean your DNS servers send mail then yes, you need a key for each mail-server, it can be the same, but it would be wise to give each server its own selector.
When you decommission one, you can remove the associated key without problems on other servers.
If one machine gets compromised the others are still safe, and you can turn off that machine and still have not lost the keys of still running servers.
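Added example (not from the thread): the DKIM setup the last few posts describe, as Exim configuration. It signs outbound mail with one selector per server, so a single host's key can be removed or revoked on its own, and runs a verification ACL that only records the result for the spam scorer. The selector name mx1-2024, the key path and the header name are assumptions; it needs Exim built with DKIM support (4.70 or later).

```exim
# One DNS TXT record per selector, one selector per signing host, e.g.:
#   mx1-2024._domainkey.example.com.  TXT  "v=DKIM1; k=rsa; p=<base64 public key>"
# Retiring or revoking mx1 then means deleting that one record and key;
# the other hosts' selectors keep verifying.

# Verification: acl_check_dkim runs once per signature in the message,
# with $dkim_cur_signer set to the signing domain. Unsigned mail never
# reaches it, which is why a domain without DKIM is simply "not checked".
acl_smtp_dkim = acl_check_dkim

begin acl

acl_check_dkim:
  warn    dkim_status = pass
          add_header  = X-DKIM-Result: pass ($dkim_cur_signer)

  warn    dkim_status = fail : invalid
          log_message = DKIM $dkim_verify_status from $dkim_cur_signer: $dkim_verify_reason
          add_header  = X-DKIM-Result: $dkim_verify_status ($dkim_cur_signer)

  # Leave the verdict to the spam scorer: a failed signature loses the
  # bonus, but rejecting on it alone would bounce mail that mailing lists
  # legitimately modify in transit.
  accept

begin transports

remote_smtp:
  driver           = smtp
  dkim_domain      = $sender_address_domain
  dkim_selector    = mx1-2024
  # Sign only when this host holds a key for the sending domain; an empty
  # value means "send unsigned" rather than failing the delivery.
  dkim_private_key = ${if exists{/etc/exim/dkim/${dkim_domain}.${dkim_selector}.pem} \
                       {/etc/exim/dkim/${dkim_domain}.${dkim_selector}.pem}{}}
  dkim_canon       = relaxed
  dkim_strict      = false
```

Only the public key goes into DNS (the `p=` value); the `.pem` private key stays readable by the Exim user alone on the host that uses that selector.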