
Creating local blacklist
Re: Exim version 4.89 #1 built 01-Dec-2017 12:50:23

I tried searching the archive, but I suspect that my key word (blacklist)
wasn't good enough. I thought there would be more posts about how to do
local blacklisting. I even tried the wiki, but the blacklist topic just
points back to the home page.

So, here I am. Hopefully the subject line I used will be helpful for
future archive searching.

In my exim.conf file I've added the following line:

domainlist relay_to_domains =
--> domainlist exim_blacklist = lsearch;/etc/exim/eximblacklist

In the /etc/exim/eximblacklist file is the single line: qq.com
It is set to 644 root root.

I've also added the following lines:

#############################################################################
# Deny from particular domains
driver = redirect
# RBL Blacklist incoming hosts
domains = +exim_blacklist
allow_fail
data = :fail: Connection rejected: SPAM source $domain is manually blacklisted.
#############################################################################

The lines were added after the section that contains the following line in
the acl_check_rcpt: section:

# deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text

Restarting exim (Linux Fedora server) results in it failing. I have no idea
as to what I am doing. I found those lines via google and they don't work.

I just noticed in the following manual section:

http://www.exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html

that "acl_check_rcpt:" doesn't exist. But, there is a fleeting reference to
it later on.

Color me confused.

Thanks for any pointers.

As a side note, the qq.com domain is nothing but spam e-mail from China.

MB
--
e-mail: vidiot@vidiot.com | vidiot@vidiot.net /~\ The ASCII
6082066843@email.uscc.net (140 char limit) \ / Ribbon Campaign
Visit - URL: http://vidiot.com/ X Against
http://vidiot.net/ / \ HTML Email
"What do you say Beckett. Wanna have a baby?" - Castle to Det. Beckett
"How long have I been gone?" Alexis after seeing Castle and Beckett w/ baby
- Castle - 11/25/13

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Creating local blacklist
On 25/04/18 15:19, Mike Brown via Exim-users wrote:
> I've also added the following lines:
>
> #############################################################################
> # Deny from particular domains
> driver = redirect
> # RBL Blacklist incoming hosts
> domains = +exim_blacklist
> allow_fail
> data = :fail: Connection rejected: SPAM source $domain is manually blacklisted.
> #############################################################################

That looks like a router.

> The lines were added after the section that contains the following line in
> the acl_check_rcpt: section:
>
> # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text

I really hope not. That would be in the wrong place. Also, using a
router _could_ be done, via a sender-verify, but is baroque. The ACL
is positioned to do the job directly.

> Restarting exim (Linux Fedora server) results in it failing. I have no idea
> as to what I am doing. I found those lines via google and they don't work.
>
> I just noticed in the following manual section:
>
> http://www.exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html
>
> that "acl_check_rcpt:" doesn't exist. But, there is a fleeting reference to
> it later on.

There is a main-section option called "acl_smtp_rcpt". It's common to
give it a value which is the name of a named ACL, and it's common for
that name to be "acl_check_rcpt". But it's your choice.

--
Cheers,
Jeremy

Re: Creating local blacklist
On Wed, Apr 25, 2018 at 11:19:56PM +0100, Jeremy Harris via Exim-users wrote:
> On 25/04/18 15:19, Mike Brown via Exim-users wrote:
> > I've also added the following lines:
> >
> > #############################################################################
> > # Deny from particular domains
> > driver = redirect
> > # RBL Blacklist incoming hosts
> > domains = +exim_blacklist
> > allow_fail
> > data = :fail: Connection rejected: SPAM source $domain is manually blacklisted.
> > #############################################################################
>
> That looks like a router.
>
> > The lines were added after the section that contains the following line in
> > the acl_check_rcpt: section:
> >
> > # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
>
> I really hope not. That would be in the wrong place. Also, using a
> router _could_ be done, via a sender-verify, but is baroque. The ACL
> is positioned to do the job directly.

So, how does one set up the acl_check_rcpt section to use the exim_blacklist
that was defined to deny the incoming e-mail from the named domain?

> > I just noticed in the following manual section:
> >
> > http://www.exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html
> >
> > that "acl_check_rcpt:" doesn't exist. But, there is a fleeting reference to
> > it later on.
>
> There is a main-section option called "acl_smtp_rcpt". It's common to
> give it a value which is the name of a named ACL, and it's common for
> that name to be "acl_check_rcpt". But it's your choice.

I went back and looked again and found the following:

acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
acl_smtp_mime = acl_check_mime

Just curious, why bother having acl_smtp_xxxx when they become acl_check_xxxx?
Why not just use acl_smtp_rcpt? Just goes to show what little I know about
exim. I don't do anything fancy with my setup, because it is just me on my
home server.

MB

Re: Creating local blacklist
Am 26.04.2018 um 03:25 schrieb Mike Brown via Exim-users:
>
> So, how does one set up the acl_check_rcpt section to use the exim_blacklist
> that was defined to deny the incoming e-mail from the named domain?
>

you don't.

acl_check_data:
....
lots of other stuff
...
  deny    condition  = ${if eq{1}{${lookup mysql{ SELECT 1 FROM
blacklist WHERE "${quote_mysql:${lc:${address:$reply_address}}}" regexp
domain LIMIT 1 }}}{yes}{no}}
          message    = The Receiver does not like you.

  accept

the field "domain" contains a regular expression of the domain name. That
allows you to block entire TLDs like ".*@com.ag", ".*@com.br", etc.

That's way better than the simple domainlist you had in mind ;) and as
the compare operation is outsourced to MySQL, it gets done with a highly
sophisticated regex engine, resulting in better performance too ;)

Why is it in check_data instead of check_rcpt? Because the MAIL FROM:
used in the SMTP protocol is commonly different (in spams) from what's
written as From: or Reply-To: in the email itself. This makes things
easier for you.


Have fun..

Re: Creating local blacklist
Hello,
I do this job in acl_check_data.

In the file deny_senders I put the domains and e-mail addresses I don't want
to reach any of my users (spam).

Deny_senders ex.:

*@qq.com
*@svensinc.biz.ua
*@intersallem.eu
*@avoca37.org
*@bellis.host
*@limanaki.co.ua
*@melia.biz.ua
*@sunrise.co.ua
*@mudurnuorganik.com
*@sadsxc.akresorts.com
*@boccanervosa.com
*@instantequityhomes.com
*@creativestudio.re
*@flosmall.com.ua

acl_check_data:

  deny    senders = /etc/exim/deny_senders
          message = Rejected: "$sender_address","$sender_address_domain"! We do not trust your domain

Most of the spam-sending addresses request a notification to prove the address
exists:
Disposition-Notification-To:, Return-Receipt-To:, Acknowledge-To: in the header.

So I stop this with the same file, with a deny recipients in acl_check_rcpt.

acl_check_rcpt:

  deny    recipients = /etc/exim/deny_senders
          message    = Rejected: Der Empfaenger Ist gesperrt, in unserer Blockliste!


Daniel






Re: Creating local blacklist
On 26/04/18 02:25, Mike Brown via Exim-users wrote:
> On Wed, Apr 25, 2018 at 11:19:56PM +0100, Jeremy Harris via Exim-users wrote:
>> On 25/04/18 15:19, Mike Brown via Exim-users wrote:

</snip>

>
> I went back and looked again and found the following:
>
> acl_smtp_mail = acl_check_mail
> acl_smtp_rcpt = acl_check_rcpt
> acl_smtp_data = acl_check_data
> acl_smtp_mime = acl_check_mime
>
> Just curious, why bother having acl_smtp_xxxx when they become acl_check_xxxx?
> Why not just use acl_smtp_rcpt? Just goes to show what little I know about
> exim. I don't do anything fancy with my setup, because it is just me on my
> home server.

I'm not an expert on Exim, but as far as I understand the bit on the
left of the '=' sign is an Exim setting name, so that can't be changed.
The bit on the right is whatever you choose it to be. So "acl_smtp_mail =
acl_check_mail" can be read like:

"just after the server receives the MAIL smtp command, execute the
acl named 'acl_check_mail'"

Think of "acl_check_mail" as a function name, whose contents and
functionality you define lower down in the config file.

The entities on the left (acl_smtp_mail, acl_smtp_rcpt etc.) are a
pre-defined list of ACLs which you can use in Exim at various points
during processing of the email connection and messages. There are
further explanations as to what each one does and when it is called here:

https://www.exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html

So towards the top of exim.conf you would have to define the acl, if you
intend to use it lower down:

[code]
acl_smtp_mail = my_own_smtp_mail_acl
[/code]

... and lower down in exim.conf you write what my_own_smtp_mail_acl is
supposed to do or check:

[code]
# this starts the section containing all acl's
begin acl

my_own_smtp_mail_acl:

  deny    message     = Restricted characters in address
          domains     = +local_domains
          local_parts = ^[.] : ^.*[@%!/|]

  deny    authenticated = *
          !encrypted    = *
          message       = TLS required on authenticated connections

  accept
[/code]

Most ACLs have to end with 'accept' (maybe all?), otherwise messages
or connections reaching the end of the ACL without being explicitly
accepted further up would be rejected.

I hope the above helps a bit. I struggled as well when I started to use
Exim in understanding the structure and purpose of the config file - but
eventually it starts to make sense :-)

Re: Creating local blacklist
On 26/04/18 02:25, Mike Brown via Exim-users wrote:
> So, how does one set up the acl_check_rcpt section to use the exim_blacklist
> that was defined to deny the incoming e-mail from the named domain?

You add a "deny" verb, with suitable conditions to select the items
of interest. Since you're looking at the sender domain your
condition(s) will want to use the $sender_address_domain variable.
This only becomes populated in the mail-ACL, so you'll be needing
to place this verb clause there or later (but no later than the
data-ACL).

Look at the ACL docs chapter for how to construct the verb-clause,
and the expansions and lookups chapters for how to build the
condition.
--
Jeremy
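The "deny" verb described above, written out as an added example (not code from the thread or from the Exim project): it reuses the domainlist and file path from the original post, hooks the check in at the MAIL stage where $sender_address_domain is first populated, and uses the `sender_domains` ACL condition rather than a router's `domains` option, which matches the recipient domain and so could never do this job.

```exim
# --- main configuration section (assumed file: /etc/exim/exim.conf) ---
# Run the named ACL after each MAIL FROM; $sender_address_domain is set from here on.
acl_smtp_mail = acl_check_mail

# One sender domain per line, e.g. "qq.com" (path taken from the original post).
domainlist exim_blacklist = lsearch;/etc/exim/eximblacklist

begin acl

acl_check_mail:
  # Reject at MAIL FROM when the envelope sender's domain is in the local list.
  # sender_domains tests the domain of $sender_address against a domain list;
  # a router's "domains" option would test the *recipient* domain instead.
  deny    message        = Rejected: sender domain $sender_address_domain is locally blacklisted
          log_message    = local blacklist hit: $sender_address from $sender_host_address
          sender_domains = +exim_blacklist

  # Everything else carries on to the RCPT and DATA ACLs.
  accept
```

After editing, `exim -bV` reports configuration syntax errors, and `exim -bh 192.0.2.10` runs a simulated SMTP session from that documentation address so the rejection can be watched without sending real mail.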

Re: Creating local blacklist
On Thu, Apr 26, 2018 at 09:39:37AM +0100, Jeremy Harris via Exim-users wrote:
> On 26/04/18 02:25, Mike Brown via Exim-users wrote:
> > So, how does one set up the acl_check_rcpt section to use the exim_blacklist
> > that was defined to deny the incoming e-mail from the named domain?
>
> You add a "deny" verb, with suitable conditions to select the items
> of interest. Since you're looking at the sender domain your
> condition(s) will want to use the $sender_address_domain variable.
> This only becomes populated in the mail-ACL, so you'll be needing
> to place this verb clause there or later (but no later than the
> data-ACL).
>
> Look at the ACL docs chapter for how to construct the verb-clause,
> and the expansions and lookups chapters for how to build the
> condition.

User Michael B. (not me) sent an off-list detailed e-mail regarding this
that was extremely helpful. I've now got it running.

I still have a lot to learn about exim.

MB
