Re: [EXIM] Bastion host configuration questions

Author: Harald Meland
Date:  
To: Brad Mohning
CC: exim-users, sysadm
Subject: Re: [EXIM] Bastion host configuration questions
[Brad Mohning]

> We were unlucky enough to be chosen as a spam relay site. As such,
> we are switching our bastion host over to exim, but we have run into
> some difficulties. The scenario is as follows:
>
> Inbound internet mail is delivered to the bastion host. The bastion
> host delivers it to our internal mail server, via our firewall
> proxy. Currently when the bastion host receives an inbound message,
> it gets the following error: lowest MX points to local host, message
> frozen. Our only MX record points to the bastion host.


Which probably means Exim

* first checks whether it should deliver the message locally (by
means of some director (eventually) accepting the message, the
director using a local (e.g. appendfile) transport). I believe
this fails.

* finds a router accepting the message for remote delivery. However,
the router apparently looks up the domain of the recipient address
with MX records. Of course Exim could be stupid enough to just loop
the message through itself one more time (and again, and again,
and...), but luckily it is smarter than that. This is most likely
a configuration error, so Exim freezes the message.

Here's what the transport, director and router parts of my setup for
null clients look like:

######################################################################
#                      TRANSPORTS CONFIGURATION                      #
######################################################################


smtp:
driver = smtp

end

######################################################################
#                      DIRECTORS CONFIGURATION                       #
#             Specifies how local addresses are handled              #
######################################################################


# No messages should be delivered locally on this null client --
# local delivery is the business of the central mail server. Thus we
# need no directors at all.

end

######################################################################
#                      ROUTERS CONFIGURATION                         #
#            Specifies how remote addresses are handled              #
######################################################################


smarthost:
driver = domainlist
transport = smtp
route_list = "* pat.uio.no:mons.uio.no bydns_a"

end

pat.uio.no being our primary mail server, mons.uio.no acting as backup
if pat should be down/too busy.

[ BTW, what is Postman Pat's cat originally called? "Mons" is the
name of it in the Norwegian translation... ]

> We would like to continue receiving mail on the bastion host, which
> will relay it to our internal mail server. We also want to stop all
> unauthorized spam relaying.


(Spam) relaying is controlled in the main section. Here's what we do
(comments removed for brevity):

# UiO /16-net, 129.240.x.x, useful macro for relay limitations etc.
UIO_B_NET = 129.240.0.0/16
LOCALHOST_NET = 127.0.0.1/32
UIO_NETS = UIO_B_NET:LOCALHOST_NET

# Domains we relay. It should be safe to relay everything arriving
# for <*@*uio.no> to the central mail server
UIO_DOMAINS = *.uio.no
RELAY_TO_DOMAINS = UIO_DOMAINS

local_domains =
relay_domains = RELAY_TO_DOMAINS
relay_domains_include_local_mx = true
sender_net_accept_relay = UIO_B_NET

The `relay_domains_include_local_mx' is only needed if you are doing
backup MX for someone else's domain(s) and don't care to list them
explicitly. However, it shouldn't harm to have it on even if you
aren't anyone else's MX backup.

[ BTW, is there some buglet in the macro code in Exim 1.92? I tried
defining macros in this order: UIO_NET, UIO_NETS, and whenever I
wanted UIO_NETS it was replaced with the UIO_NET with an "S"
appended. Not to worry, using the macro names above should reduce
the chances of using the wrong macro, anyway :) ]

> We would like our internal mail server to forward all outbound
> e-mail to our bastion host for final delivery.


Something like this:

# transport config
smtp:
  driver = smtp
end
# director config
end
# router config
smarthost:
  driver = domainlist
  transport = smtp
  route_list = "*.your.domain mailserver.your.domain bydns_a;\
    * $domain bydns"
end

, maybe?

> Has anyone implemented such a scheme in exim? Is it even possible
> to implement such a scheme with relay control?


We haven't got any firewall here, so our central mail server does all
the work with outbound mails, too. Apart from that I believe the
setup for null clients and firewall gateways to be pretty similar.

> Any pointers are greatly appreciated.


The Exim documentation? I find this to be an excellent piece of work,
unlike the documentation for some of the other mailers out there...
--
Harald

--
*** Exim information can be found at http://www.exim.org/ ***
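To make the relay-control semantics of the main-section settings quoted above concrete, here is an added example (not part of the mail, and not Exim's own code): a small Python model of how `local_domains`, `relay_domains` and `sender_net_accept_relay` decide whether one RCPT is accepted or refused as a relay. The sample sending hosts and recipients are constructed; the pattern-matching rule (a leading `*` matches any domain that ends with the remainder) follows the Exim domain-list convention.

```python
import ipaddress

# Constructed mirror of the main-section settings from the mail above.
# Hypothetical model of the relay decision, not Exim's own code.
LOCAL_DOMAINS = []                              # local_domains =
RELAY_DOMAINS = ["*.uio.no"]                    # relay_domains = RELAY_TO_DOMAINS
SENDER_NET_ACCEPT_RELAY = ["129.240.0.0/16"]    # sender_net_accept_relay = UIO_B_NET


def domain_matches(domain, pattern):
    """Exim-style domain pattern: a leading '*' matches any domain that
    ends with the remainder of the pattern; anything else is a literal."""
    domain, pattern = domain.lower(), pattern.lower()
    if pattern.startswith("*"):
        return domain.endswith(pattern[1:])
    return domain == pattern


def host_in_nets(ip, nets):
    """True if the sending host's address lies in any of the listed CIDR nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def relay_decision(sender_ip, recipient):
    """Return 'local', 'relay' or 'reject' for one RCPT under the settings above."""
    if "@" not in recipient:
        return "reject"
    domain = recipient.rsplit("@", 1)[1]
    if any(domain_matches(domain, p) for p in LOCAL_DOMAINS):
        return "local"    # a director would take it (there are none on a null client)
    if any(domain_matches(domain, p) for p in RELAY_DOMAINS):
        return "relay"    # inbound mail for our own domains -> smarthost router
    if host_in_nets(sender_ip, SENDER_NET_ACCEPT_RELAY):
        return "relay"    # outbound mail from a host on our own network
    return "reject"       # anyone else asking us to relay: the spam-relay case


# Constructed envelopes: (sending host, recipient address).
SAMPLE_ENVELOPES = [
    ("198.51.100.7", "alice@pat.uio.no"),    # internet -> our domain: accept
    ("129.240.5.6", "bob@example.org"),      # internal host -> internet: accept
    ("198.51.100.7", "victim@example.org"),  # internet -> internet: refuse
    ("198.51.100.7", "carol@uio.no"),        # bare domain: '*.uio.no' does not match it
]

if __name__ == "__main__":
    for ip, rcpt in SAMPLE_ENVELOPES:
        print(f"{ip:>14} -> {rcpt:<22} {relay_decision(ip, rcpt)}")
```

Note the last envelope: with `relay_domains = *.uio.no` alone, mail for the bare `uio.no` domain is not accepted, so a bastion host that is MX for the apex domain would need to list it as well.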