Re: [Exim] controlling inbound and outbound email

Author: Dmitry G. Golub
Date:  
To: exim-users
CC: Piergiorgio Spagnolatti
Subject: Re: [Exim] controlling inbound and outbound email
Dear colleagues,
Dear Piergiorgio,

In message <39FFDCE5.4BB32E5B@???>, Piergiorgio Spagnolatti writes:
>
> I'm new to the list, and in fact I never used exim before. This is my
> problem: I need to set up my mta in a fashion that allows me to:
>
> - act normally with internal mail. I mean that all mail coming from
> mydomain.com and going to mydomain.com goes straight without further
> inspection.
> - Although, only some users should have access to internet mail, so I
> want to allow only certain users to send and receive mail to/from the
> internet (e.g. to/from domains different from mydomain.com), and also
> want to block mail from/to users not allowed.
>
> I think that this is done with the system filter (or whatever you call
> it), in a way that I can have a file with the list of my
> "internet-enabled" aliases, and make exim look up this file for valid
> addresses.
>
> So, this would be the rules:
>
> foobar@??? -> barfoo@???        ALLOW
> customer@??? -> foobar@???        CHECK in allowed.aliases
> foobar@???  -> customer@???        CHECK in allowed.aliases
>
> If CHECK fails, reject the message with some SMTP Error code.
>


IMHO, your setup is not trivial. My setup is like yours, except:

- ALL my users can receive mail from the Internet, but only some can
send this kind of mail.

- ALL mail is saved in the archive directory.

Here are some lines from my configuration files:

----8<---- configure begin ----8<----
#
# MACROS SECTION
#
MY_PRIMARY_FQDN = mserv.perm.cbr.ru
CONFIG_DIR = /usr/local/etc/exim
...................
# --- RELAYING CONTROL ---
# The domains for which relaying permitted from any host
# If `relay_domains' is set, no hosts are permitted to relay to
# arbitrary domains.

relay_domains= " gucb.perm.su :\
                 perm.cbr.ru :\
                 *.gucb.perm.su :\
                 *.perm.cbr.ru "


# The setting below locks out the use of your host as a mail relay by
# any other host. If you want to permit relaying through your host
# from certain hosts or IP networks, you need to vary this option
# and/or make use of the other three options in the set
# sender_{host,net}_{accept,reject}_relay. See the section of the
# manual entitled "Control of relaying" for more info.

host_accept_relay = dbm;CONFIG_DIR/Hosts_Permitted_to_Relay
.....................
#
# Sender/From verification against DB of allowed users
# ("white list")
#
sender_address_relay = "dbm;CONFIG_DIR/InternetUsersDB"

# --- END OF RELAYING CONTROL ---
......................
# ============================================================
#              Global Message filtering setup
# ------------------------------------------------------------
message_filter = CONFIG_DIR/global_msg_filter.flt
message_filter_directory_transport = "address_directory"
message_filter_file_transport = "address_file"
message_filter_group = "mail"
message_filter_user = "exim"
----8<---- configure end ----8<----


Any host not listed in "Hosts_Permitted_to_Relay" and, from listed hosts,
any sender not in "InternetUsersDB" will receive error 550 when trying to
relay a message to the Internet.

----8<---- global_msg_filter.flt begin ----8<----
# Exim filter
if error_message
  then
    finish
  else
    # Save the letter first
    if first_delivery
      then
        testprint "Saving copy of message..."
        unseen save "/var/CopiedMail/${substr_2_1:$message_id}/${substr_3_1:$message_id}/$message_id"
    endif
endif
# END OF FILTER
----8<---- global_msg_filter.flt end ----8<----
Any message going through the server will be saved in a two-level directory
tree. Removal of old messages is implemented with GNU CFengine.


----8<---- Hosts_Permitted_to_Relay.txt begin ----8<----
examplehost1.perm.cbr.ru:
examplehost2.perm.cbr.ru:
examplehost3.perm.cbr.ru:
examplehost4.perm.cbr.ru:
examplehost5.perm.cbr.ru:
----8<---- Hosts_Permitted_to_Relay.txt end ----8<----
This is the source for the DBM file.

----8<---- InternetUsersDB.txt begin ----8<----
exampleuser1@???:
exampleuser2@???:
exampleuser3@???:
----8<---- InternetUsersDB.txt end ----8<----

----8<---- Screen output begin ----8<----
exim@mailhub% cd /var/CopiedMail/
exim@mailhub% ls -lR X/K/
X/K/:
total 3944
-rw-------   1 exim     mail        3480 Sep  8 15:06 13XK74-0001e0-00
-rw-------   1 exim     mail        1594 Sep  8 15:07 13XK8P-0001eE-00
-rw-------   1 exim     mail        1594 Sep  8 15:07 13XK8Q-0001eH-00
-rw-------   1 exim     mail        1636 Sep  8 15:10 13XKAr-0001fn-00
-rw-------   1 exim     mail        1689 Sep  8 15:10 13XKAs-0001fo-00
-rw-------   1 exim     mail        1636 Sep  8 15:10 13XKAu-0001fv-00
-rw-------   1 exim     mail        1636 Sep  8 15:10 13XKAv-0001fx-00
....
----8<---- Screen output end ----8<----
These are the files where transferred mail is saved.


You cannot use system-wide filtering for relaying control, because it is not
done until you have received a message. But you can receive a message and
conditionally deliver or "fail" it.

att. Piergiorgio,
Maybe you have already received other interesting answers to your question. Can
you forward some or all of them to me? Our setup is far from ideal and I
want to improve it.

Best regards, and please excuse my English, Dmitry
-- ------------------------------------------------------------------
 Dmitry George Golub                           dgolub@???
 electronic mail system administrator                 +7(3422)917-324
---------------------------------------------------------------------
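The relay policy and the archive layout from the message above, as an added example that is not part of the original post and not Exim's own code: a small Python model of the three-list decision (relay_domains, host_accept_relay as a host-name DBM, sender_address_relay as a sender DBM) and of the ${substr_2_1:$message_id}/${substr_3_1:$message_id} directory scheme, so the policy can be checked offline before the DBM files are rebuilt. The host names and sender addresses in the two list sources are constructed sample data, not the real entries (which the archive elides); the relay_domains values are the ones quoted in the configure fragment.

```python
"""Model of the relay decision described in the message above.

Added example, not the poster's or Exim's code.  It reproduces the policy
"local domain -> always accept; Internet -> client host must be in
Hosts_Permitted_to_Relay AND envelope sender must be in InternetUsersDB,
else 550" and the two-level archive path used by the system filter.
"""
from fnmatch import fnmatch

# Constructed sample sources in exim_dbmbuild "key:" form (not the real lists).
HOSTS_PERMITTED_TO_RELAY = """\
# host names allowed to relay to the Internet
host-a.perm.cbr.ru:
host-b.perm.cbr.ru:
"""
INTERNET_USERS_DB = """\
user-a@perm.cbr.ru:
user-b@gucb.perm.su:
"""
# Same values as the relay_domains setting in the quoted configure fragment.
RELAY_DOMAINS = ["gucb.perm.su", "perm.cbr.ru", "*.gucb.perm.su", "*.perm.cbr.ru"]


def parse_dbm_source(text):
    """Keys of an exim_dbmbuild source file: the text before the first ':'
    on each non-blank, non-comment line.  Exim compares host names and
    addresses case-insensitively, so keys are lower-cased."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keys.add(line.split(":", 1)[0].strip().lower())
    return keys


def domain_is_local(domain):
    """relay_domains items are exact names or '*.suffix' wildcards."""
    domain = domain.lower()
    return any(fnmatch(domain, pat.lower()) for pat in RELAY_DOMAINS)


def relay_decision(client_host, sender, recipient):
    """Return (smtp_code, reason) for one RCPT.  Recipients in a relay_domains
    domain are always accepted; anything else is a relay to the Internet and
    needs both a listed client host and a listed envelope sender."""
    rcpt_domain = recipient.rsplit("@", 1)[-1]
    if domain_is_local(rcpt_domain):
        return 250, "recipient domain is local, no relay check"
    if client_host.lower() not in parse_dbm_source(HOSTS_PERMITTED_TO_RELAY):
        return 550, "relay not permitted from host %s" % client_host
    if sender.lower() not in parse_dbm_source(INTERNET_USERS_DB):
        return 550, "sender %s not in InternetUsersDB" % sender
    return 250, "relay permitted"


def archive_path(message_id, root="/var/CopiedMail"):
    """Path the filter's 'unseen save' writes to: root / 3rd char / 4th char /
    message id (substr_2_1 and substr_3_1 are zero-based offsets)."""
    if len(message_id) < 4:
        raise ValueError("not an Exim message id: %r" % message_id)
    return "%s/%s/%s/%s" % (root, message_id[2], message_id[3], message_id)


if __name__ == "__main__":
    cases = [
        ("host-a.perm.cbr.ru", "user-a@perm.cbr.ru", "anyone@gucb.perm.su"),
        ("host-a.perm.cbr.ru", "user-a@perm.cbr.ru", "bob@example.com"),
        ("unlisted.perm.cbr.ru", "user-a@perm.cbr.ru", "bob@example.com"),
        ("host-a.perm.cbr.ru", "user-z@perm.cbr.ru", "bob@example.com"),
    ]
    for host, sender, rcpt in cases:
        code, why = relay_decision(host, sender, rcpt)
        print("%-22s %-22s -> %-20s %d %s" % (host, sender, rcpt, code, why))
    print(archive_path("13XK74-0001e0-00"))
```

Note that the sender check is only as strong as the host check in front of it: the envelope sender is supplied by the client, so an unlisted user on a listed host can relay simply by claiming a listed address. The host list (or SMTP authentication, where available) is the real control; the sender list only limits which users on trusted hosts may send out.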