We did some tests on our Exim 3.03 just now, and either we misunderstand
something, or something is wrong. We don't have collapse_source_routing set;
unix.lancs.ac.uk is a local machine not listed in local_domains.

From an off-site machine that's not allowed to relay, we do

    mail from: <evil@???>
    250 <evil@???> is syntactically correct
    rcpt to: <user%unix.lancs.ac.uk@???>
    550 relaying to <user%unix.lancs.ac.uk@???> prohibited by administrator

Which is correct; Exim would send to hotmail.com, which is a relay

    rcpt to: <@unix.lancs.ac.uk:user@???>
    550 relaying to <@unix.lancs.ac.uk:user@???> prohibited by administrator

Which is correct; Exim would send to unix.lancs.ac.uk, asking it to relay to
hotmail.com

    rcpt to: <user%hotmail.com@???>
    250 <user%hotmail.com@???> verified

Which isn't what we expected - Exim is passing through a message which will be
seen by the next destination as a relay request. If the downstream machine
implements percent hack routing, aren't the two cases above equivalent?

Now _if_ the next destination is properly set up, the final relay attempt will
fail (but we'll generate an NDR - also not desirable); but here we have a
number of machines downstream where for political reasons, owners being
incompetent and so on, we cannot make them secure - we had previously used
blocking software to protect these machines centrally.

So are we wrong in expecting that Exim can/will/should do this protection of
downstream systems? We're going to hit a lot of political flak if it can't....

Alan
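
Added example, not part of the original message and not Exim's own code: a sketch of the central check the post asks for. It expands an RFC 821 source route and any percent-hack local part into every domain the recipient address asks mail to traverse, and refuses an untrusted sender if any hop lies outside the relay-to list. The domains, the `RELAY_TO` set and the function names are constructed assumptions; quoted local parts and bang paths are not handled.

```python
# Constructed policy: domains this gateway relays to for outside senders
# (assumption; stands in for the site's own relay-to list).
RELAY_TO = {"downstream.example.ac.uk"}


def implied_hops(rcpt):
    """Return every domain the address asks mail to traverse, in order."""
    addr = rcpt.strip().strip("<>")
    hops = []
    # RFC 821 source route: <@hop1,@hop2:user@final>
    if addr.startswith("@") and ":" in addr:
        route, addr = addr.split(":", 1)
        hops += [h.lstrip("@").lower() for h in route.split(",") if h.strip("@")]
    local, sep, domain = addr.rpartition("@")
    if not sep:
        raise ValueError("unqualified recipient: %r" % rcpt)
    hops.append(domain.lower())
    # Percent hack: a host that implements it rewrites user%next@here
    # to user@next, so each '%' in the local part is one more hop.
    while "%" in local:
        local, _, nxt = local.rpartition("%")
        hops.append(nxt.lower())
    return hops


def relay_decision(rcpt, sender_may_relay=False):
    """Return (accept, reason) for one RCPT TO from the given class of sender."""
    hops = implied_hops(rcpt)
    if sender_may_relay:
        return True, "sender host is allowed to relay"
    outside = [h for h in hops if h not in RELAY_TO]
    if outside:
        return False, "relaying via %s prohibited" % outside[0]
    return True, "all hops are relay-to domains"


if __name__ == "__main__":
    # Constructed recipients mirroring the three cases in the post.
    for rcpt in ("<user%downstream.example.ac.uk@external.example.com>",
                 "<@downstream.example.ac.uk:user@external.example.com>",
                 "<user%external.example.com@downstream.example.ac.uk>"):
        print(rcpt, relay_decision(rcpt))
```

With this check the third form is refused for the same reason as the second, since both name an outside domain as the final hop.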