Author: James P. Roberts Date: To: Vincent Sweeney, exim-users Subject: Re: [Exim] Backup MX ACL
<snip> > > I think, so long as you write the ACL much like the local_domains-related ACL,
> >(i.e. reject mail to any domain you are not accepting
> > responsibility for as a secondary), you should not have a problem.
> >
> > Jim Roberts
> > Punster Productions, Inc.
>
> Well actually it *would* be in an ACL since the mail will be currently
> accepted by the rule thats says "accept any mail I'm primary or backup
> for" ie @mx_all. I was looking to have more control by having seperate
> ACL's for @mx_primary and @mx_secondary but since it does not look like
> I can lock down the destination host to an ip range I will have to
> continue accepting mail for any domain that puts my server(s) in their
> MX records.
>
> Yes this may not be a serious abuse, DoS or whatever you want to call it
> but it's definetely a "feature" I'd like to disable!
>
> Vince. <snip>
I could be wrong, but if you actually have defined two domain lists, I think the ACLs
have enough flexibility to achieve what you want...
Just thinking "out loud" here, how about an ACL that first checks if a domain is in
@mx_primary. If so, accept the mail; if not, continue. Next, test against
@mx_secondary; if it's in there, accept it; if not, reject and stop.
Again, this all depends on my having understood your needs correctly.
You have complete, 100% control over the definition of your own domain lists
(@mx_secondary). Unless you have some sort of interesting web-based way to sign up
for secondary MX services, which modifies your Exim configuration (perhaps a lookup data file), and triggers Exim to reload its
config, and you left it open to the universe?
I am just stretching to understand what you need. Remember, just because someone
creates an incorrect DNS MX entry, doesn't mean you have to accept email for it. For
one thing, how would you even know they had done so, unless email arrived for such a
domain. If it arrives, but is not on your list of acceptables, reject it.
All MX records do is list servers to try sending emails to, for a particular domain. But if
the listed server isn't actually set up to receive such email, then the MX record is simply
bogus. An MX record cannot over-ride your own MTA setup.
I feel like I am missing some critical piece of the puzzle, and I don't understand what
you actually are trying to do?