I am learning more about filtering emails in exim and blocking them in fail2ban but I can’t figure out a couple cases.
CASE 1: SPAM RELAY NOT BEING BLOCKED
I get bot-spam attacks in groups of 100 within a few milliseconds with 100 different spam email users off my domain. I would like to drop this in exim and understand the correct way to test this so I can do this on my own in the future.
LOG:
2024-02-12 05:06:29 H=(no-data) [60.29.127.226] F=<[email protected]> rejected RCPT <[email protected]>: relay not permitted
2024-02-12 05:06:29 H=(no-data) [60.29.127.226] F=<[email protected]> rejected RCPT <[email protected]>: relay not permitted
ADD TO EXIM CONFIG UNDER: acl_check_rcpt:
# +local_domains / +relay_to_domains are the domain lists from Exim's default configure;
# without the domains condition this drop would hit every RCPT from a non-whitelisted host
drop message = relay not permitted
     hosts = !+whitelist
     !domains = +local_domains : +relay_to_domains
Will this work as expected? And how do I test it? If not, can someone let me know the correct way to do this (and a little explanation if possible so I can do it myself in the future)?
CASE 2: LEGITIMATE EMAIL BEING BLOCKED
There are a couple of legitimate entries like this that get blocked by exim.
LOG:
2024-02-11 23:50:53 H=(mta.xcelenergy-emailnews.com) [64.132.92.27] X=TLS1.2:ECDHE_SECP256R1__RSA_SHA512__AES_128_GCM:128 CV=no F=<bounce-1966494_HTML-1973978360-77314961-10855369-153034@bounce.XcelEnergy-EmailNews.com> temporarily rejected RCPT <[email protected]>: Could not complete sender verify
2024-02-12 06:07:14 H=(mta3.sendtax.hrblock.com) [64.132.92.187] X=TLS1.2:ECDHE_SECP256R1__RSA_SHA512__AES_128_GCM:128 CV=no F=<bounce-34_HTML-11915817-163703-10975097-1944@bounce.sendtax.hrblock.com> temporarily rejected RCPT <[email protected]>: Could not complete sender verify
I think it’s best to keep sender verify on in general. True? So do I whitelist these two domains? Or? I would like to be able to let these through.
Thanks!
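As an added example (not part of the original post), here is a small Python parser over constructed mainlog lines in the post's format that keeps the two cases apart: it counts hard "relay not permitted" rejections per IP inside a fail2ban-style maxretry/findtime window (Case 1), and lists the 4xx "Could not complete sender verify" deferrals separately for review (Case 2) so a ban filter never counts them. The 60.29.127.226 and 64.132.92.x addresses are from the post; 198.51.100.7, the mail addresses and the host names are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Exim mainlog rejection line, in the shape quoted in the post:
# "<date> <time> H=(helo) [ip] ... [temporarily] rejected RCPT <rcpt>: <reason>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) H=(?P<host>.+?) \[(?P<ip>[0-9a-fA-F.:]+)\] .*?"
    r"(?P<verb>temporarily rejected|rejected) RCPT .*?: (?P<reason>[^:]+)$"
)

# Constructed sample lines following the post's format (198.51.100.7 and all names are made up)
SAMPLE_LOG = """\
2024-02-12 05:06:29 H=(no-data) [60.29.127.226] F=<u1@example.com> rejected RCPT <t1@example.net>: relay not permitted
2024-02-12 05:06:29 H=(no-data) [60.29.127.226] F=<u2@example.com> rejected RCPT <t2@example.net>: relay not permitted
2024-02-12 05:06:30 H=(no-data) [60.29.127.226] F=<u3@example.com> rejected RCPT <t3@example.net>: relay not permitted
2024-02-12 05:09:01 H=(no-data) [198.51.100.7] F=<u4@example.com> rejected RCPT <t4@example.net>: relay not permitted
2024-02-11 23:50:53 H=(mta.newsletter.example) [64.132.92.27] X=TLS1.2:ECDHE_SECP256R1__RSA_SHA512__AES_128_GCM:128 CV=no F=<bounce-1@bounce.newsletter.example> temporarily rejected RCPT <me@example.org>: Could not complete sender verify
2024-02-12 06:07:14 H=(mta3.tax.example) [64.132.92.187] X=TLS1.2:ECDHE_SECP256R1__RSA_SHA512__AES_128_GCM:128 CV=no F=<bounce-2@bounce.tax.example> temporarily rejected RCPT <me@example.org>: Could not complete sender verify
"""

def parse(line):
    """Return a dict for a rejection line, or None for a line in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "helo": m["host"].strip("()"),
            "ip": m["ip"], "verb": m["verb"], "reason": m["reason"].strip()}

def relay_offenders(lines, maxretry=3, findtime=timedelta(seconds=10)):
    """Case 1: IPs with >= maxretry hard relay rejections inside findtime (fail2ban's counting model)."""
    hits = defaultdict(list)
    for ev in filter(None, map(parse, lines)):
        # Only 5xx relay rejections count; "temporarily rejected" lines are sender-verify deferrals
        if ev["verb"] == "rejected" and ev["reason"] == "relay not permitted":
            hits[ev["ip"]].append(ev["ts"])
    offenders = set()
    for ip, stamps in hits.items():
        stamps.sort()
        for i in range(len(stamps) - maxretry + 1):
            if stamps[i + maxretry - 1] - stamps[i] <= findtime:
                offenders.add(ip)
                break
    return offenders

def sender_verify_deferrals(lines):
    """Case 2: sorted (ip, helo) pairs deferred on sender verify, for manual whitelist review."""
    return sorted({(ev["ip"], ev["helo"]) for ev in filter(None, map(parse, lines))
                   if ev["verb"] == "temporarily rejected" and ev["reason"].startswith("Could not complete sender verify")})
```

Running relay_offenders(SAMPLE_LOG.splitlines()) returns only the burst source, while sender_verify_deferrals lists the two legitimate senders without ever feeding them to a ban.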