Re: [exim] How to check to see if email went through gateway…

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] How to check to see if email went through gateway first
Frank DeChellis wrote:
> Hi there,
>
> We run exim 4.67 and we have Barricade MX as our gateway filter. We
> installed the filter and changed our MX record 3 weeks ago. The filter
> works great, but lots of mail is still getting sent directly to our SMTP
> server. I can say, with great certainty, that 100.1% of the email going
> directly to our SMTP is spam. I've been doing
>
> allow_mx_to_ip is not set.
>
> So I want to add a check to see if email bound for domains being filtered
> actually went through the filter. But I don't know the magic line.
>
> What I have is:
>
> deny    message     email bypassed  filter --- using old MX record
>              domains     =  +filtered_domains
>             hosts   =   !+relay_from_host

>
> I've tried various "verify" conditions with no luck. What is the proper
> syntax to check and see if a message sent from user@??? has passed
> through an intermediate filter on the way to your smtp?
>
> If it goes through my filter first, this line is contained in the header:
>
> Received: from gateway.iaw.on.ca ([69.49.32.3]:59940)
>     by canal.iaw.on.ca with esmtp (Exim 4.67)

>
> Thanks for any helps you can offer.
>
> Frank
>
>
> Frank DeChellis
> President, Internet Access Worldwide
> Welland, Ontario, Canada
> www.iaw.com
>
>


'check' and 'enforce' are not necessarily the same.

'check' implies a header added by the filter, ELSE looking for the smell of the
filter box in an existing header (Received;...).

'Enforce', OTOH might take fewer CPU cycles:

IF you want ALL incoming to come from the filter, and ONLY from the filter, AND
the filter always connects from the same (group of) IP...

..I'd simply deny connection from any other IP on port 25 by listing the filter
host by its IP(s) in relay_from_hosts and in an acl_smtp_connect clause:

deny
     condition   = ${if eq{$interface_port}{25}}
     !hosts      = : +relay_from_hosts


IF you have a mixed situation where some other-than-filtered traffic might be
acceptable on port 25, you might want to apply that rule to, and configure the
filter host to use, port 24 ('any private email system') when it seeks to
deliver to your Exim. Don't forget to tell Exim to listen on that port:

daemon_smtp_ports = 24 : 25 : 587

CAVEAT: This presumes you properly handle submission from your own user
community. EG: AUTH'ed, and TLS encrypted, always on port 587, never on port 25.

Needless to say, if you have a more complex mixture (per-user/per-domain
criteria, etc.) you will need to defer final accept/deny action until you can at
least be given the mail_from - perhaps later yet if you have other
qualifying criteria.


HTH,

Bill
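
The per-domain case from the last paragraph, where the decision has to wait until the recipient is known, can be written as a RCPT-time ACL. This is an added example, not part of the original message: the hostlist name filter_hosts, the ACL name and the domain example.com are assumptions, filtered_domains is the list name from the quoted question, and the gateway address is the one shown in the quoted Received: header.

```exim
# --- main configuration section ---
# Gateway address taken from the Received: header quoted in the question.
hostlist   filter_hosts     = 69.49.32.3
# Placeholder domain; list only the domains whose MX points at the filter.
domainlist filtered_domains = example.com

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:

  # Reject a recipient in a filtered domain when the connecting host is
  # not the gateway, i.e. the sender used the old MX record or connected
  # straight to this server. Evaluated per RCPT, so unfiltered domains
  # and other traffic on the same port are unaffected.
  #
  # The empty item in the host list matches locally submitted (non-TCP/IP)
  # mail, as in the acl_smtp_connect rule above. Authenticated users are
  # exempted so that local submission to a filtered domain still works.
  deny    message        = mail for $domain must be delivered via its MX gateway
          log_message    = filter bypassed by $sender_host_address for $local_part@$domain
          domains        = +filtered_domains
          !hosts         = : +filter_hosts
          !authenticated = *

  # ... the existing RCPT checks (relay control, recipient verification,
  # final accept/deny) continue below this point ...
```

The rule can be exercised without accepting real mail by running exim -bh with a non-gateway address and issuing a RCPT TO for a filtered domain; the log_message text then identifies bypass attempts in the main log.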