Exim and backup relays
Ian Spray
clug at minimal.cx
Thu Jun 11 13:24:35 CEST 2009
On Thu, Jun 11, 2009 at 11:50:03AM +0100, Longman wrote:
>
> Ever since setting up a backup MX for my domain (via relay domains) I've
> started receiving lots of Frozen Message emails for Frozen Emails in the
> queue on this backup MX. It looks like spammers are using the backup
> MX to send email to non-existent recipients (computer generated nonsense
> in most cases), but of course they're accepted because they're all to
> accounts within my domain that I've told it to relay for. What is the
> correct way to try and combat this? Is there a way to get the backup
> relay to contact the primary relay to get a list of valid email accounts
> thereby junking nonsense recipients, or some other method to put paid to
> this? Currently I have 9468 Frozen Messages!
>
Yup - this is a common problem. One very quick fix (which works for all
systems and not just exim) is a bogus last MX record. The spammers do
tend to start at the lowest numbered MX and work up, so this cuts things
down a little, but isn't a full solution:
$ dig mx minimal.cx
; <<>> DiG 9.3.4-P1 <<>> mx minimal.cx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35948
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 13, ADDITIONAL: 5
;; QUESTION SECTION:
;minimal.cx. IN MX
;; ANSWER SECTION:
minimal.cx. 3600 IN MX 10 mail.minimal.cx.
minimal.cx. 3600 IN MX 20 mail.minimal.org.uk.
minimal.cx. 3600 IN MX 30 mx01.gratisdns.de.
minimal.cx. 3600 IN MX 100 bogus.spam.trap.
Can you spot the fake entry? ;)
The other, exim specific thing is to get your backup MX to test during
SMTP receive with the primary to see if the destination address is valid
and cache the results. Your system then rejects during the SMTP receive
phase if either the lookup or the cache indicates a failure, and nothing
hits your queue. Put this in your acl_smtp_rcpt:
  deny domains    = +relay_to_domains
       recipients = ${if exists{/etc/exim/local_rcpt_callout}\
                        {/etc/exim/local_rcpt_callout}\
                        {}}
       !verify    = recipient/callout=2m,defer_ok
and then put a list of the domains that you want to do this receive time
check on into the file specified, /etc/exim/local_rcpt_callout,
e.g.:
domainname.co.uk
otherdomain.org
another.eu
This allows you to choose a subset of your relay domains to do this with
- if you don't care and want to do the callout checking on all entries
in the relay_to_domains then just remove the recipients line above.
I chose to only cache the results of the callout check for 2 minutes as
the domains I backup MX for are nothing to do with me and I don't want
to annoy the admins by bouncing fresh accounts. If you know how often
the other domains have new addresses then do bump up that timeout to
reduce the traffic between you and the real MX receiver even further.
Note that if the primary MX is down and fails to answer then email will
queue up normally (including all spam!), but that's a small price to
pay for not having to maintain many lists of valid accounts.
HTH,
--
Ian Spray
GPG Fingerprint: D170 35A3 C858 6E85 9B5B 1557 4CD5 6F6F E176 2D0A
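As an added illustration (not code from the post or from Exim itself), here is a Python model of what that deny statement does at RCPT time: a recipient callout to the primary MX using a null-sender envelope that stops before DATA, a per-recipient result cache, and the defer_ok behaviour when the primary does not answer. FakePrimaryMX, the two domain sets and the 120 second cache lifetime are constructed assumptions for the model.

```python
import time

RELAY_TO_DOMAINS = {"domainname.co.uk", "otherdomain.org", "another.eu", "unchecked.example"}
# Constructed stand-in for the contents of /etc/exim/local_rcpt_callout.
LOCAL_RCPT_CALLOUT = {"domainname.co.uk", "otherdomain.org", "another.eu"}
CACHE_TTL = 120  # seconds; assumed cache lifetime for this model

class FakePrimaryMX:
    """Constructed primary MX: scripted SMTP replies, no network. down=True models a timeout."""
    def __init__(self, valid_users, down=False):
        self.valid, self.down, self.callouts, self.transcript = set(valid_users), down, 0, []
    def send(self, line):
        if self.down:
            raise TimeoutError("primary MX not answering")
        verb = line.split(" ", 1)[0].upper()
        if verb == "RCPT":
            addr = line[line.index("<") + 1 : line.rindex(">")]
            reply = "250 2.1.5 OK" if addr in self.valid else "550 5.1.1 No such user"
        else:
            reply = "221 Bye" if verb == "QUIT" else "250 OK"
        self.transcript += ["C: " + line, "S: " + reply]
        return reply

def smtp_callout(mx, rcpt, helo="backup-mx.example"):
    """Recipient callout: null-sender envelope up to RCPT TO, never DATA. Returns ok/fail/defer."""
    try:
        mx.callouts += 1
        for cmd in (f"EHLO {helo}", "MAIL FROM:<>"):
            if not mx.send(cmd).startswith("2"):
                return "defer"
        code = mx.send(f"RCPT TO:<{rcpt}>")[0]
        mx.send("RSET"); mx.send("QUIT")      # abandon the transaction; nothing is delivered
        return {"2": "ok", "5": "fail"}.get(code, "defer")
    except (OSError, TimeoutError):
        return "defer"

def rcpt_acl(rcpt, mx, cache, now=None):
    """Model of the deny statement: returns 'deny' when it fires, else 'pass' (ACL continues)."""
    now = time.time() if now is None else now
    domain = rcpt.rpartition("@")[2].lower()
    if domain not in RELAY_TO_DOMAINS or domain not in LOCAL_RCPT_CALLOUT:
        return "pass"                           # the two list conditions do not match
    verdict, expiry = cache.get(rcpt, (None, 0))
    if verdict is None or expiry <= now:
        verdict = smtp_callout(mx, rcpt)
        if verdict == "defer":
            return "pass"                       # defer_ok: accept and let it queue; nothing cached
        cache[rcpt] = (verdict, now + CACHE_TTL)
    return "pass" if verdict == "ok" else "deny"
```

Running the model shows the trade-off from the post directly: a nonsense recipient is refused at RCPT time and costs one callout per cache lifetime, while a primary that does not answer lets everything through to the queue.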