
Mailing List Archive: exim: users

Remote smtp recipient local part verification in a router

 

 



james at digitalciti

Nov 24, 2009, 2:13 PM

Post #1 of 3
Remote smtp recipient local part verification in a router

I have a gateway smtp box that acts as the relay for our dev/qa mail
server. We allow mail to our corporate domain to be delivered and
blackhole everything else as shown below. The sending box is
172.16.1.10, the allowed destination is mail.domain.com for purposes of
this email. Unfortunately, we have an auto-provisioning process in our
app that creates users on the fly, and in dev/qa we create BS users
@domain.com (our corporate domain). IMO this is bad practice, we should
be using a unique domain that I could filter off the domain and still
allow our corporate domain through. Unfortunately I cannot change
that. I need to be able to verify the recipient (call out) on
mail.domain.com including the local part. I know I can do this at ACL
time, but I'm trying to keep things as they are and hopefully do this in
the router below. I was hoping verify_recipient was the condition I was
looking for. If true, let it through, if false move on to the next
router. This doesn't seem to work, it allows it through. So my
question is do I continue to try and figure out a router level
workaround for this problem, or do I add a call out to acl_check_rcpt (where
I do my recipient verifications for non relayed mail now). I would do
this as a condition to the accept rule for hosts matching the host list
relay_hosts. I'd much rather do this in a router so that I wouldn't
generate a 500 failure, rather I'd just accept the message and blackhole
it in the second router.

corp_router:
  driver = manualroute
  condition = ${if eq{$sender_host_address}{172.16.1.10}{yes}{no}}
  domains = +corp_domains
  route_list = $domain mail.domain.com
  transport = remote_smtp
  verify_recipient

blackhole_router:
  driver = redirect
  condition = ${if eq{$sender_host_address}{172.16.1.10}{yes}{no}}
  data = :blackhole:

Thanks,
James

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


exim-users at spodhuis

Nov 24, 2009, 3:28 PM

Post #2 of 3
Re: Remote smtp recipient local part verification in a router

On 2009-11-24 at 16:13 -0600, James Price wrote:
> the router below. I was hoping verify_recipient was the condition I was
> looking for. If true, let it through, if false move on to the next
> router. This doesn't seem to work, it allows it through. So my

SMTP transports by default verify that the destination is theoretically
reachable (DNS exists) but do nothing to speak SMTP.

In your RCPT ACL, you should have a line about "require verify =
recipient". Double-check that all mail to *remote*/external is handled
before that, and use "require verify = recipient/callout".

Do *not* do recipient callouts for mail to outside your domain -- double
SMTP connections for every mail you send out are likely to be frowned
upon. In the default config, the "require verify = recipient" check
comes *after* the "relay not permitted" logic; if you're using something
like the default, you should be safe to just add the "/callout".

-Phil
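
The RCPT ACL check described in this reply, written out as an added example that is not part of the original thread or of Exim's default configuration. It assumes the relay_hosts host list and corp_domains domain list named in post #1 are already defined, and that these statements sit at the top of acl_check_rcpt; the discard statement goes beyond the reply, to give the accept-and-drop behaviour the original poster asked for in place of a 5xx.

```exim
# Added example (not from the thread). Assumes +relay_hosts contains
# 172.16.1.10 and +corp_domains contains the corporate domain.

acl_check_rcpt:

  # Mail from the dev/qa relay host to the corporate domain: route the
  # address (corp_router selects mail.domain.com) and then open an SMTP
  # session to that host to test the full address, local part included.
  # If the callout is rejected, this statement does not match and
  # control passes to the next statement. If the callout cannot be
  # completed (timeout, 4xx), the RCPT command gets a temporary error.
  accept  hosts       = +relay_hosts
          domains     = +corp_domains
          verify      = recipient/callout

  # Everything else from the relay host (unknown corporate local part,
  # or any other domain): answer the RCPT with success but drop that
  # one recipient, so the application never sees a rejection.
  discard hosts       = +relay_hosts
          log_message = dev/qa recipient discarded: $local_part@$domain

  # Existing statements for non-relayed mail continue below. The
  # callout above is limited to +corp_domains, so no callouts are made
  # for addresses outside the domain.
```

Callout results are cached by Exim, so repeated sends to the same address do not open a second connection to mail.domain.com each time.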



james at digitalciti

Nov 24, 2009, 3:49 PM

Post #3 of 3
Re: Remote smtp recipient local part verification in a router

Excellent and thank you. This email is all internal anyhow; all
external is dropped by the second router, in theory. Only going to do
callouts to the domain we allow delivery for.

Thanks,
James

On Nov 24, 2009, at 5:28 PM, Phil Pennock <exim-users [at] spodhuis>
wrote:

> On 2009-11-24 at 16:13 -0600, James Price wrote:
>> the router below. I was hoping verify_recipient was the condition I was
>> looking for. If true, let it through, if false move on to the next
>> router. This doesn't seem to work, it allows it through. So my
>
> SMTP transports by default verify that the destination is theoretically
> reachable (DNS exists) but do nothing to speak SMTP.
>
> In your RCPT ACL, you should have a line about "require verify =
> recipient". Double-check that all mail to *remote*/external is handled
> before that, and use "require verify = recipient/callout".
>
> Do *not* do recipient callouts for mail to outside your domain -- double
> SMTP connections for every mail you send out are likely to be frowned
> upon. In the default config, the "require verify = recipient" check
> comes *after* the "relay not permitted" logic; if you're using something
> like the default, you should be safe to just add the "/callout".
>
> -Phil

