[Exim] handling multiple local domains and local shell accou…

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Marc Haber
Datum:  
To: exim-users
Betreff: [Exim] handling multiple local domains and local shell accounts
Hi,

exim's handling of multiple local domains and local shell accounts is
led by the traditional UNIX approach that they are connected to each
other. If a local host has a.example and b.example as local domains,
and there are shell users alison and bob, it is assumed that all four
addresses alison@???, bob@???, alison@??? and
bob@??? exist.

This assumption still holds for the vast majority of systems that have
both a local MTA and local shell users.

However, it doesn't hold for all systems with these characteristics.

Now take the situation that alison wants to have alison@???, but
is not interested in the spam that might come in for alison@???.
The same for bob, wanting bob@???, but not bob@???. Well,
how do I configure this with exim?

The average exim installation might have the following routers:

domain_literal
dnslookup (domains = ! +local_domains; no_more)
domain_aliases (*)
system_aliases
userforward
procmail
local_user

domain_aliases is a not so standard extension that I have on most of
my systems that allow having different alias files for different
domains:

|domain_aliases:
|  driver                = redirect
|  allow_defer           = yes
|  allow_fail            = yes
|  data                  = ${lookup{$local_part}lsearch{${lookup{$domain}partial-lsearch{DOMAIN_DIR/map}\
|                                   {DOMAIN_DIR/$value}}}}
|  debug_print           = "domain_aliases for $local_part@$domain"
|  domains               = partial-lsearch;DOMAIN_DIR/map
|  retry_use_local_part  = YES


Vadim Vygonets had the idea with the map file back in exim 3 days, and
convert_4r4 transposed it to exim 4 syntax. Probably this can be done
more efficiently nowadays.

The real problem comes in with the userforward, procmail and
local_user router, which don't look at the domain part any more and
fire for all local parts that have an associated local account. This
gets annoying when spam for games@???, list@??? and
squid@??? gets stuck on the queue.

I am currently thinking about a scheme that would only deliver to
local shell accounts if the domain is something like
"localhost.example" (actually poor choice, but rfc2606 doesn't allow a
.local TLD). This way, a.example's domain admin could specify
alison@??? as alias to alison@??? while not
specifying bob@??? would keep mail to that address from being
delivered.

All routers with check_local_user = yes would need to have a domain =
localhost.example added to their definition. Addresses not having
taken care of by the domain_aliases router wouldn't match, fall
through to the end and finally fail.

However, this can be a pain and is error-prone since this modification
has to be done to all routers with check_local_user = yes. To make it
easier, I would like to have a router called "fail_local_domains" that
would cause all addresses with its domain part not equal
localhost.example to fail while letting addresses with domain
localhost.example through to the "real" routers doing the work for
local users.

Here is a possible router to do this:
fail_local_domains:
driver = redirect
domains = ! local.example
allow_fail = yes
data = ":fail: User unknown"
no_more

What do people think? I feel like being way over the top here, but
otherwise doing things like this are necessary. I am still quite new
to exim 4, and have probably not yet grasped the new concepts. Is what
I intend to do possible to do in an easier way? What text of dummy
domain do people recommend for the real local accounts?

Any comments would be appreciated.

Greetings
Marc

--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber          |   " Questions are the         | Mailadresse im Header
Karlsruhe, Germany  |     Beginning of Wisdom "     | Fon: *49 721 966 32 15
Nordisch by Nature  | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29