Enable dnsdb in Exim

Phillip Baker shared this idea 3 years ago
Completed

Since some time in 2009, dnsdb has been part of the default build of Exim (http://bugs.exim.org/show_bug.cgi?id=847) but it appears that it is actively disabled by cPanel (checked in Exim 4.82-2-cp1136).

dnsdb support would add a tiny overhead (approximately 4kb in size to the binary) and enable really useful advanced ACLs in Exim based on DNS records.

As a topical example, with dnsdb support it would be possible to disable sender callout verification for domains based on MX record whilst still leaving callouts otherwise enabled; this is especially relevant as Hotmail have decided to start blacklisting people who they perceive to be doing namespace mining, and a sender verify callout is indistinguishable from namespace mining.

Disabling sender callouts based on Hotmail's MTA IP addresses is insufficient to address this issue, as mail with a forged from header from 3rd party servers would still cause callouts to happen to hotmail, and still cause you to be blacklisted. Not to mention the fact that you'd have to maintain (more than likely by hand) a list of IP addresses in the exemption list to keep up with changes Microsoft make, etc. Instead, it would be possible to create a sender verify callout that first tests if the domain in the from header does NOT have MX records pointing to mx{n}.hotmail.com.

Some other examples of what you could do with dnsdb (taken from http://www.gossamer-threads.com/lists/exim/users/83521#83521):

  1. A plain PTR lookup without the equivalent forward lookup.
  2. Checking whether or not an SPF record exists for a domain
  3. Setting $smtp_active_hostname to the PTR record for $interface_address
  4. Querying the TOR exit node list
  5. Querying an "emailbl"
  6. Checking how many MX records a domain has
  7. Checking if a domain name has NS servers or not
  8. Checking if the NS servers for a domain are listed on some DNS based BL
  9. Automatically checking if the connecting host has connected to the primary MX or secondary MX for the domain it is attempting to deliver mail to.

Other people have previously asked for this:

https://forums.cpanel.net/f145/add-support-dnsdb-lookups-exim-198111.html

http://forums.cpanel.net/f5/exim-lookups-51540.html

Another user who's wanted to use rules that rely on dnsdb:

http://forums.cpanel.net/f5/filter-spam-image-question-60294.html
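The MX-based callout exemption described in the request, together with list items 2 (does the domain publish SPF) and 3 (derive $smtp_active_hostname from the PTR of $interface_address), as an added Exim configuration fragment. This is not code from the original post or from cPanel's shipped configuration. It assumes an Exim binary built with dnsdb, an RCPT-time ACL named acl_check_rcpt, the mx{n}.hotmail.com host pattern quoted in the post, a 20-second callout timeout, and a constructed header name X-No-SPF-Record; adjust all of these to the local setup.

```exim
# --- main section ---------------------------------------------------------
# Item 3: announce the reverse name of the listening interface in the SMTP
# banner; fall back to $primary_hostname when the PTR lookup fails.
smtp_active_hostname = ${lookup dnsdb{ptr=$interface_address}{$value}{$primary_hostname}}

# --- ACL section ----------------------------------------------------------
acl_check_rcpt:

  # Record once per recipient whether any MX of the sender's domain is an
  # mx{n}.hotmail.com host. dnsdb's mx= lookup yields one "<pref> <host>"
  # line per record; an empty result (no MX, NXDOMAIN) yields "no".
  warn    set acl_m_mx_is_hotmail = ${if match\
            {${lookup dnsdb{mx=$sender_address_domain}{$value}{}}}\
            {\N\smx\d*\.hotmail\.com(?:\s|$)\N}{yes}{no}}

  # Domains routed to Hotmail: verify the sender address syntactically and by
  # routing only, never by callout, so no probe reaches Hotmail's MTAs.
  deny    condition = ${if eq{$acl_m_mx_is_hotmail}{yes}}
          !verify   = sender
          message   = Sender verification failed for $sender_address

  # Everyone else keeps the full sender callout (defer_ok keeps a slow or
  # unreachable remote MX from causing a temporary rejection here).
  deny    condition = ${if eq{$acl_m_mx_is_hotmail}{no}}
          !verify   = sender/callout=20s,defer_ok
          message   = Sender verification failed for $sender_address

  # Item 2: flag senders whose domain publishes no SPF record at all. The
  # regex is evaluated against the concatenated TXT records; a missing
  # record gives an empty string, which does not match, so the header is added.
  warn    condition  = ${if match\
            {${lookup dnsdb{txt=$sender_address_domain}{$value}{}}}\
            {\Nv=spf1\N}{no}{yes}}
          add_header = X-No-SPF-Record: $sender_address_domain publishes no SPF record

  accept
```

The lookups are all done in the same ACL so the decision is taken per sender domain rather than per connecting IP, which is the point made in the request: a forged From on a third-party server still has its MX resolved, so the exemption follows the domain wherever the message comes from, and there is no hand-maintained address list to keep in step with Microsoft's changes. Conditions in a `deny` verb are evaluated in order, so placing `condition =` before `!verify =` ensures the callout is only attempted when the domain is not a Hotmail-routed one.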

Comments (9)


I have no idea why that's formatted so badly. Let's try reformatting it again to make it readable:


Other people have previously asked for this:

https://forums.cpanel.net/f145/add-support-dnsdb-lookups-exim-198111.html

http://forums.cpanel.net/f5/exim-lookups-51540.html

Another user who's wanted to use rules that rely on dnsdb:

http://forums.cpanel.net/f5/filter-spam-image-question-60294.html


Phillip Baker wrote:

I have no idea why that's formatted so badly. Let's try reformatting it again to make it readable

Thank you for submitting a reformatted version. I updated the original request.


Fighting spam is very difficult, especially when very important tools like DNSDB are not enabled. I am very upset about this.


Must have!


This needs to be done. A very useful feature for killing spam.


This is one of those features that when you need it, not having it is a huge pain in the ***.


Yes, please enable by default dnsdb.


Ken, we need this!


Hi, we have updated exim for 11.50. DNSDB will be included.

Comments have been locked on this page!