著者: Oliver Egginger 日付: To: ice, djc, ph10 CC: exim-users 題目: Re: [Exim] only accept local users (for seval networks)
This is from wednesday. (Sorry I'am late.)
Thank you for your comments.
(Complete list on the end of this message)
your response (extract):
Tamas TEVESZ wrote: > could you explain this in a little more depth ? as is, this doesn't
> make much sense to me.
Dave C. <> wrote: > How do you intend to determine wether a user is local or not?
Philip Hazel <> wrote: > If by "sender" you mean "envelope sender" you have two problems:
>
> 1. Senders are trivially forged.
>
> 2. You are required always to accept the sender "<>" because that's what
> bounce messages have.
>
> Basically, trying to control input by envelope sender is a bad idea.
> That's why AUTH was invented.
It's a little bit difficult to explain, please see describtion.
---------------------------------------------------------------------
### Description ###
---------------------------------------------------------------------
I'am talking about the "envelope sender" field.
At first I have to say that I'am only talking about a local mailserver for
a few thousand users. We are a technical college and get all our
e-mail through a big university mailsystem over the same IP-address,
(and a separat connexion).
The university mailsystem does the smtp-auth.
We are only accept smtp connection from the university and from our local networks.
The university is our smart host too.
If a user send mail from our local networks she or he don't have to authenticate herself.
If a user want send mail from the outside, she have to use the university mailout,
and must authenticate herself.
(Or she uses our radius-server then she have to authenticate herself against him.)
Some users have malformed (envelope)-sender addresses.
(Mostly typing errors.)
1. If something goes wrong these messages can't send back to the sender.
2. They arn't passed back to our mailserver, so I never hear from it.
Bad thing: the user never here from it too, maybe working for a long time with a bad
sender address (unintentional).
Also there are serval other problems with malformed or non local sender adresses and the
university.
I'am thinking the qualification of the university are passable. I only have to set up our MTA right.
Exims "sender_verify" quality helps a lot.
Only external sender addresses are still a problem.
If it would be possible to define a rule, that all external adresses faile at verification time, this would be the
solution. At first I was thinking about a director which only runs at verification time, but thats balderdash,
cause it don't will be called for a non local address.
Maybe it would be possible in Exim 4 when routers and directors grow together. I don't know.
