
Mailing List Archive: exim: users

ACL rewrite

 

 



searcher at dracon

May 13, 2008, 6:26 AM

Post #1 of 14 (1270 views)
ACL rewrite

Hi there,

how would I go about an ACL SMTP time header rewrite?
I need to check RCPT TO, that's not in the headers so can't use regular
rewrite/31_exim4-config_rewriting

Thanks
-src-


wbh at conducive

May 13, 2008, 11:48 AM

Post #2 of 14 (1241 views)
Re: ACL rewrite [In reply to]

Searcher wrote:
> Hi there,
>
> how would I go about an ACL SMTP time header rewrite?
> I need to check RCPT TO, that's not in the headers so can't use regular
> rewrite/31_exim4-config_rewriting
>
> Thanks
> -src-
>
>

At RCPT TO you don't yet have any headers....

Prior to DATA, all an smtp session has is a 'negotiation' situation.

Your MTA and the distant sender are introducing themselves, exchanging
credentials, describing what is available and what is wanted (connect,
helo, mail_from, rcpt_to).

Ever see two dogs meeting for the first time?

Much the same.

You can *prepare* headers to be substituted or appended later, and can
set flags to cause whatever you have prepped to be actioned. Or NOT.

But DATA is the earliest you are transferred the message and its headers
and attachments (if any).

That said, a flag, value, or string carried in an acl_m variable might
serve you better than header alteration.

Bill




--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


searcher at dracon

May 14, 2008, 1:25 PM

Post #3 of 14 (1221 views)
Re: ACL rewrite [In reply to]

Thanks for the reply Bill,

The problem here is that I need to rewrite the headers for multiple
recipients so the only way how to separate them (AFAIK) is to get in emails
one by one and check the rcpt_to value.

Since I can't touch the headers yet I need to set some flags or variables,
understood

Could you please provide some simple syntax for doing so? Checking rcpt_to
against a list of users and adding a flag at SMTP time and checking this
flag at DATA (or later) time and modifying the headers? Or just point me to
some papers which deal with this thing specifically (I found few but maybe
you know more readable ones)

Can I perhaps use this new variable even in the rewrite part?

Thank you either way




wbh at conducive

May 14, 2008, 3:47 PM

Post #4 of 14 (1229 views)
Re: ACL rewrite [In reply to]

Searcher wrote:
> Thanks for the reply Bill,
>
> The problem here is that I need to rewrite the headers for multiple
> recipients so the only way how to separate them (AFAIK) is to get in emails
> one by one and check the rcpt_to value.
>
> Since I can't touch the headers yet I need to set some flags or variables,
> understood
>
> Could you please provide some simple syntax for doing so? Checking rcpt_to
> against a list of users and adding a flag at SMTP time and checking this
> flag at DATA (or later) time and modifying the headers? Or just point me to
> some papers which deal with this thing specifically (I found few but maybe
> you know more readable ones)
>
> Can I perhaps use this new variable even in the rewrite part?
>
> Thank you either way
>

'Later' is the operative word.

Routers are the first 'as shipped' place that Exim processes traffic in
a 'fully' recipient-unique manner. smtp protocol doesn't support it any
earlier (unless you have courier-mta at BOTH ENDS of session, but that
is not Exim relevant).

As per-recipient information is already available in another header, you
can add a single 'flag' header OR acl_m variable value that *when
combined* with the recipient identity (AND ALSO perhaps another
lookup...) provides the unique trigger you seek.

You can use a complex conditional/lookup in a single router, ELSE a
longish chain of single-purpose routers that trigger only when their
simpler condition is met.

But I say again - the specific end result you seek (still not explained
to us) has probably already been done, and more than once, and in more
than one way.

We can't get very far in pointing you to a fitting example if all you
give us is a 'hint' at how you want to set up the first step...

What do you need to accomplish as an END result?

Bill
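
A router-level sketch of the per-recipient approach described in this post, added here as an example; it is not W B Hacker's or the Exim project's configuration. The router names, the `+local_domains` domain list, the `remote_smtp` transport and the choice of Reply-To: as the header to set are assumptions; the lookup file and its `recipient@domain: new_sender_domain` format are the ones quoted elsewhere in the thread.

```conf
# Added example, not from the thread. Goes in the routers section,
# ahead of the router that handles ordinary outbound mail.
# Assumed names: registered_clients, other_recipients, +local_domains,
# remote_smtp. Lookup file format: "recipient@domain: new_sender_domain".

# Routers run once per recipient address, so $local_part and $domain
# below belong to the single recipient being routed, even when the
# message arrived with several RCPT TO commands.
registered_clients:
  driver = dnslookup
  domains = ! +local_domains
  # Skip bounces: with an empty envelope sender there is no local part
  # to build the replacement address from.
  condition = ${if def:sender_address {yes}{no}}
  # The forced failure ("fail") makes this router decline, so recipients
  # that are not in the list fall through to the next router untouched.
  address_data = ${lookup{$local_part@$domain}lsearch{/etc/exim4/sc_clients}{$value}fail}
  # Header changes set on a router apply only to the copy delivered to
  # this recipient; Exim does not batch addresses whose header
  # additions or removals differ.
  headers_remove = Reply-To
  headers_add = Reply-To: ${local_part:$sender_address}@$address_data
  transport = remote_smtp

# Everyone else: routed normally, headers left as received.
other_recipients:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  no_more
```

An ACL variable such as acl_m7 belongs to the message, not to a recipient, so a value set in the RCPT ACL is overwritten by each later RCPT command; the router above is evaluated separately for every recipient instead.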



wbh at conducive

May 14, 2008, 4:26 PM

Post #5 of 14 (1236 views)
Re: ACL rewrite [In reply to]

W B Hacker wrote:

Correcting my own post....

*snip*

> Routers are the first 'as shipped' place that Exim processes traffic in
> a 'fully' recipient-unique manner. smtp protocol doesn't support it any
> earlier (unless you have courier-mta at BOTH ENDS of session, but that
> is not Exim relevant).

Clarifying:

Courier-mta's Extended Data Reply (EXDATA) occurs as an extra step
*during* the smtp session, but *after* the conventional DATA phase, when
it returns to a per-recipient handshake before finalizing message
acceptance/rejection.

While the technique has been proven in long-term courier-to-courier use,
it is not (yet) present in other MTA's, so both parties have to be
courier-mta AND have the feature optioned-on AND take advantage of its
advertisement in the EHLO menu.

Dumb additions to RFC's are often adopted all-too rapidly, even if MS
fingerprints are all over them.

OTOH, simple things of this sort - that add flexibility and 'JFW' - take
about 10 to 20 years to wend their way thru the RFC process, so it may
be another decade before some form of this becomes widely used.

:-(

Bill




searcher at dracon

May 15, 2008, 3:48 AM

Post #6 of 14 (1207 views)
Re: ACL rewrite [In reply to]

I was 'hinting' because I already asked once quite specifically but there
were no takers for the question so I figured I'd ask something easier and go
from there..

1. I have a list of clients
2. When an email arrives for a client from this list the $h_To gets
rewritten to use a different domain
3. When an email arrives with multiple recipients where few are from the
list and others are not I want to rewrite the same header only for the
existing clients and leave it intact for others (obviously)

So I added into acl/30_exim4-config_check_rcpt

    defer
      message = only one recipient at a time
      condition = ${if def:acl_m0 {1}{0}}

And in rewrite/31_exim4-config_rewriting I have

    *@* ${lookup{$h_To:}lsearch{/etc/exim4/sc_clients}{$value}fail} Ffrsq

Which works for a single recipient but not for multiple ones..


I will try to work out something from your suggestions below but if you can
advise anything better/further I'm all ears

Thanks




wbh at conducive

May 15, 2008, 10:39 AM

Post #7 of 14 (1204 views)
Re: ACL rewrite [In reply to]

Searcher wrote:
> I was 'hinting' because I already asked once quite specifically but there
> were no takers for the question so I figured I'd ask something easier and go
> from there..
>
> 1. I have a list of clients
> 2. When an email arrives for a client from this list the $h_To gets
> rewritten to use a different domain
> 3. When an email arrives with multiple recipients where few are from the
> list and others are not I want to rewrite the same header only for the
> existing clients and leave it intact for others (obviously)

That is still the 'process' you think you want, not the end result you seek.

I suspect you can do that with a single rewrite rule, exit on lookup
fail, and no need at all to throttle recipients to one-at-a-time.

But I still don't see where you are trying to go with it.

==

Shall we presume that the environment is:

- all recipients to be handled are your clients

- all affected deliveries are 'local'.

- there is no significant forwarding, aliasing, or relaying 'off box'


And the goal is:

- 'some of' the final recipients are candidates for a stupidity test, so
they are to 'see' mail addressed in one way to appear to have been
addressed in some other way. Even though they could tell this was a lie
by merely setting their MUA to display full headers or clicking 'view
message source', you are certain they will never do that.

- the remaining final recipients don't even run Windows, so there is no
fun in trying to confuse them. They'll either catch you out or ignore
you, but won't make a fuss either way. No fun at all.


Note: This is a 'cosmetic' exercise, not a routing plan.

(You are aware that the 'To:' header is not what an MTA ordinarily uses
for routing decisions?)

*snip*

(gory details)


Bill



searcher at dracon

May 15, 2008, 11:43 AM

Post #8 of 14 (1203 views)
Re: ACL rewrite [In reply to]

> - all recipients to be handled are your clients
Yes they are
> - all affected deliveries are 'local'.
None of the deliveries are local, this is just a forwarder of emails to be
modified or to be left untouched - the only purpose of this instance of exim
is to sort emails 2 ways
> - there is no significant forwarding, aliasing, or relaying 'off box'
There is


Ok, lemme try a bit differently then

0. this is not a single server setup, there are few other layers of hubs and
servers to it
1. all recipients and senders on this exim are my clients
2. some of them are registered some of them are on trial so the aim is to
differentiate the level of service
3a. the emails are being sent to recipient [at] our and
they get rewritten into recipients [at] our
3b. this is quite irrelevant for my aim, just trying to shed some light on
the setup, recipient [at] our is generated on one of the
hubs which decides whether the email is to be sent to special.domain or just
to our.domain

if you can forget the relevance of the above, aim is the following
4a. the sender for registered users is being rewritten from
sender [at] domain to sender [at] registered-domain (Ffrsq rule so it's not
only the TO header), so when the recipient of the email replies he sends the
email to the registered-domain.com - and other boxes on the way will see the
change too
4b. the sender for trial users stays intact (or as the logic suggests it
could be sender [at] trial-domain)

> I suspect you can do that with a single rewrite rule, exit on lookup
> fail, and no need at all to throttle recipients to one-at-a-time.
That's exactly what I have in place right now and it's fine and works as
required. When there is a single recipient. But when there is a mixed list
of registered and trial recipients there is no way of rewriting the domain
of the sender, that's why I need to get a single recipient at a time. The
enterprise is not about confusing or fooling users but for separating them
visibly and dumb-proof-ably (not really a word, is it ;)

Using your pointers I already managed to get the correct rcpt_to and can set
an acl_m10 variable to true or false using a client list lookup and the only
thing left is to forward this value into the rewrite module so I can just
simply rewrite the sender of the email using this flag.

How?

Thanks



wbh at conducive

May 15, 2008, 12:45 PM

Post #10 of 14 (1214 views)
Re: ACL rewrite [In reply to]

Searcher wrote:
>> - all recipients to be handled are your clients
> Yes they are
>> - all affected deliveries are 'local'.
> None of the deliveries are local, this is just a forwarder of emails to be
> modified or to be left untouched - the only purpose of this instance of exim
> is to sort emails 2 ways
*snip*

- Dump all the acl stuff and single-recipient limit stuff.

- pick up the 'default' system_aliases router:

====

system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup{$local_part}lsearch{/etc/aliases}}
  user = mailnull
  group = mail
  file_transport = address_file
  pipe_transport = address_pipe

=====

rename it from "system_aliases:" to, for example "probationary:"

Change the path and filename {/etc/aliases} in

" data = ${lookup{$local_part}lsearch{/etc/aliases}}"

to some other /path/filename that Exim's 'group' can read, and that your
appointed admin (person or script or web interface) can write to.

Example ownership: specialadmin:mail

Use a script, web interface, SQL DB trigger, or POT editor to put
those-who-are-to-be re-written into that new file and take them out later.

Use the conventional alias file format:

recipient[1]@our.domain.special.domain: recipient[1]@our.domain
.
.
.
.

recipient[n]@our.domain.special.domain: recipient[n]@our.domain

Delete them or comment them out when they are off probation.

No need to restart Exim.

No need to do a 'newaliases' or such - Exim will read the specified file
directly, not a db/cdb of it.

Place this ahead of whatever router handles those who are no longer to
be re-written - e.g. 'normal' folks.

AFAIK, that relieves you of the need to re-write headers manually at all.

KISS. You *could* just use the stock router and /etc/aliases file,
though on ownership/perms and location grounds alone, I'd suggest not
mixing them.

HTH,

Bill




searcher at dracon

May 17, 2008, 7:48 PM

Post #11 of 14 (1161 views)
Re: ACL rewrite [In reply to]

I tried to use your last suggestion but to no avail.
If I understand it correctly though, it does not rewrite anything but sends
the email to the *new* recipient?

I tried a couple (zillion) of other things with my previous settings and
suddenly realized that the config file number is actually a sequential order
how the files are being loaded (dummy) and managed to get it working by a
quite simple, eh:
> 30_exim4-config_check_rcpt
    set acl_m7 = ${lookup{$local_part@$domain}lsearch{/etc/exim4/sc_clients}{$value}{}}
> 31_exim4-config_rewriting
    *@* $local_part@$acl_m7 Ffrsq

Where /etc/exim4/sc_clients uses the alias format
recipient [at] domain: new_sender_domain

And this does exactly what I was after: if the recipient is in the alias
file it rewrites the sender, if the recipient is not in the list nothing
happens.

Thank you for all your help Bill
But if you still think I'm doing it wrong and have the patience to explain
it - I'm all yours

Thanks
-src-




wbh at conducive

May 17, 2008, 8:26 PM

Post #12 of 14 (1160 views)
Re: ACL rewrite [In reply to]

Searcher wrote:
> I tried to use your last suggestion but to no avail
> If I understand it correctly though, it does not rewrite anything but sends
> the email to the *new* recipient?

Yes - your post *seemed* to indicate that you have both the:

<subset_list>@our.domain.special.domain

- active on 'a' server, as well as the:

<entire_list>@our.domain

AND that you are already munging the 'From: / Reply To:' to intercept
the traffic for 'probationers'.

So why bother with the extra manual rewrite when straightforward
aliasing can serve?

Given that I can't fathom even *why* you are doing all this, I'll take
as given that you may not be doing things quite that way.

Just because you have found a hammer doesn't mean you cannot use it for
a walking-stick instead of driving nails. One can get used to the
leg-cramps.

;-)



>
> I tried couple (zillion) of other things with my previous settings and
> suddenly realized that the config file number is actually a sequential order
> how the files are being loaded (dummy) and managed to get it working by a
> quite simple, eh:
>> 30_exim4-config_check_rcpt
> set acl_m7 =
> ${lookup{$local_part@$domain}lsearch{/etc/exim4/sc_clients}{$value}{}}
>> 31_exim4-config_rewriting
> *@* $local_part@$acl_m7 Ffrsq
>
> Where /etc/exim4/sc_clients uses the alias format
> recipient [at] domain: new_sender_domain
>

Over my head. That is all Debian/Exim-specific stuff.

The regular Exim install has only one configure file, and, yes, various
'functional' parts of it need to remain in expected order.

Likewise sequence within each part very much matters.

> And this does exactly what I was after: if the recipient is in the alias
> file it rewrites the sender, if the recipient is not in the list nothing
> happens.
>
> Thank you for all your help Bill
> But if you still think I'm doing it wrong and have the patience to explain
> it - I'm all yours
>
> Thanks
> -src-
>
>

I haven't a clue if it is right or wrong. I don't see what you believe
you are gaining.

If the goal is to temporarily monitor new accounts, or to place
different quotas or other restrictions on them while awaiting approval,
or throttle based on 'class' (or fees) .. or whatever... I don't see any
of those goals served by munging addresses.

*Most especially* not the <domain>.<tld> side!

You either have control of account [at] domain and their settings, or NOT.

Bill



> -----Original Message-----
> From: exim-users-bounces [at] exim [mailto:exim-users-bounces [at] exim] On
> Behalf Of W B Hacker
> Sent: Thursday, May 15, 2008 20:45
> To: exim users
> Subject: Re: [exim] ACL rewrite
>
> Searcher wrote:
>>> - all recipients to be handled are your clients
>> Yes they are
>>> - all affected deliveries are 'local'.
>> None of the deliveries are local, this is just a forwarder of emails to be
>> modified or to be left untouched - the only purpose of this instance of
> exim
>> is to sort emails 2 ways
> *snip*
>
> - Dump all the acl stuff and single-recipient limit stuff.
>
> - pick up the 'default' system_aliases router:
>
> ====
>
> system_aliases:
> driver = redirect
> allow_fail
> allow_defer
> data = ${lookup{$local_part}lsearch{/etc/aliases}}
> user = mailnull
> group = mail
> file_transport = address_file
> pipe_transport = address_pipe
>
> =====
>
> rename it from "system_aliases:" to, for example "probationary:"
>
> Change the path and filename {/etc/aliases} in
>
> " data = ${lookup{$local_part}lsearch{/etc/aliases}}"
>
> to some other /path/filename that Exim's 'group' can read, and that your
> appointed admin (person or script or web interface) can write to.
>
> Example ownership: specialadmin:mail
>
> Use a script, web interface, SQL DB trigger, or POT editor to put
> those-who-are-to-be re-written into that new file and take them out later.
>
> Use the conventional alias file format:
>
> recipient[1]@our.domain.special.domain: recipient[1]@our.domain
> .
> .
> .
> .
>
> recipient[n]@our.domain.special.domain: recipient[n]@our.domain
>
> Delete them or comment them out when they are off probation.
>
> No need to restart Exim.
>
> No need to do a 'newaliases' or such - Exim will read the specified file
> directly, not a db/cdb of it.
>
> Place this ahead of whatever router handles those who are no longer to
> be re-written - e.g. 'normal' folks.
>
> AFAIK, that relieves you of the need to re-write headers manually at all.
>
> KISS. You *could* just use the stock router and /etc/aliases file,
> though on ownership/perms and location grounds alone, I'd suggest not
> mixing them.
>
> HTH,
>
> Bill
>
>
>


--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
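
The lookup file discussed above decides whose sender address gets rewritten, and the value it returns is pasted straight into `$local_part@$acl_m7`, so both its permissions and its contents are worth checking before Exim reads it. The following is an added example, not code from any poster or from the Exim project: a Python audit of an lsearch-style file such as /etc/exim4/sc_clients, in which the regexes, function names and sample entries are assumptions made for illustration.

```python
import pathlib
import re
import stat
import tempfile

ADDR_RE = re.compile(r"^[^@\s:]+@[A-Za-z0-9.-]+$")
DOMAIN_RE = re.compile(r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$")
# Constructed sample in the "recipient@domain: new_sender_domain" format.
SAMPLE = """\
Bob@client.example:   relay.example.net
bob@client.example:   other.example.net
carol: relay.example.net
dave@client.example: someone@relay.example.net
"""

def parse_lsearch(text):
    """Parse 'key: value' entries; keys are lower-cased (lsearch ignores case)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue                        # blank line or comment
        if raw[0] in " \t" and entries:     # continuation of the previous entry
            entries[-1][2] += " " + raw.strip()
        else:
            key, _, value = raw.partition(":")
            entries.append([lineno, key.strip().lower(), value.strip()])
    return entries

def audit(path):
    """Return a list of findings for an lsearch file given as a pathlib.Path."""
    findings, seen = [], {}
    if path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file is writable by group or others")
    for lineno, key, value in parse_lsearch(path.read_text()):
        if not ADDR_RE.match(key):
            findings.append(f"line {lineno}: key {key!r} is not a full address")
        if not DOMAIN_RE.match(value):
            findings.append(f"line {lineno}: value {value!r} is not a bare domain")
        if key in seen:                     # lsearch returns the first match only
            findings.append(f"line {lineno}: duplicate key {key!r}; lsearch uses line {seen[key]}")
        seen.setdefault(key, lineno)
    return findings

def demo(text=SAMPLE, mode=0o664):
    with tempfile.TemporaryDirectory() as d:
        path = pathlib.Path(d, "sc_clients")
        path.write_text(text)
        path.chmod(mode)
        return audit(path)
```

Run `audit(pathlib.Path("/etc/exim4/sc_clients"))` against the real file; an empty list means the owner alone can write it and every entry maps a full address to a bare domain.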


searcher at dracon

May 18, 2008, 3:43 AM

Post #13 of 14 (1153 views)
Permalink
Re: ACL rewrite [In reply to]

Erm

I can't really explain the entire network, coz it would be a security
breach, but erm

- this exim is just a relay for a few domains only
- purpose of this exim is to have all participating users reply to the
correct email address and not the sender directly - so the email can be
processed on our servers (whatever processed means in this case)

Nothing else, no spam checking, no antivirus, forget even the
subset_list [at] our rewrite as it's not relevant since
it's not a list but *@*.special.domain to $1@$2.

hammer? yes/no? ;)


--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


wbh at conducive

May 18, 2008, 4:21 AM

Post #14 of 14 (1132 views)
Permalink
Re: ACL rewrite [In reply to]

Searcher wrote:
> Erm
>
> I can't really explain the entire network, coz it would be a security
> breach, but erm
>
> - this exim is just a relay for a few domains only
> - purpose of this exim is to have all participating users reply to the
> correct email address and not the sender directly - so the email can be
> processed on our servers (whatever processed means in this case)
>
> Nothing else, no spam checking, no antivirus, forget even the
> subset_list [at] our rewrite as it's not relevant since
> it's not a list but *@*.special.domain to $1@$2.
>
> hammer? yes/no? ;)

Yah - I grokked all that .... but still can't figure out why you'd want
to munge the addresses... given that Exim does whatever you tell it to
do with traffic and is not overly picky about HOW you tell it.

IF you are attempting to *conceal* the man-in-the-middle behaviour
you've described, there are better ways to do that. (Though not
necessarily any more - or less - 'legal').

But that's between you, your paymaster, and your local/national government.

Not my call.

Bill





--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
