[Exim] HOWTO: exiscan and exim 4.14 with per-user/domain sca…

Pàgina inicial
Delete this message
Reply to this message
Autor: Tom Kistner
Data:  
A: exiscanusers, exim-users
Assumpte: [Exim] HOWTO: exiscan and exim 4.14 with per-user/domain scanning options
Here's a pretty good solution for the old dilemma:

"How can I keep the coolness of rejecting stuff after DATA, but have
separate scanning preferences for different recipient domains ?"

Based on an idea from Nico Erfurth and Tore Anderson. Tested (briefly)
by me.


Situation:

You are running a mail server for multiple domains/customers. A message
arriving on your server can have multiple recipients in different
domains. Now, customerA.com wants to do content scanning, but
customerB.com doesn't. You hate frozen bounces and want to reject at
SMTP time.


Solution:

NOTE: This uses the ACL variables in exim 4.14 and does not work with
previous versions. I'll illustrate this with the antispam facility, but
it works the same with other facilities as well.

When the sending server sends his RCPT commands, we look up the first
recipients preference (spam scanning = on/off) and remember it in an ACL
variable. From that point on, we only accept other RCPTs for the same
message that have the same antispam preference. Others are deferred with
a 451 code, causing the remote server to retry them later.

With this scheme, we group recipients into "classes".

The drawback: Mail for some recipient may be delayed a bit, depending on
the retry strategies of the sending hosts.


Heres the recipe:

1) Create a data source that contains the preferences per domain or
address, and a matching lookup macro in exim. For simplicity, we use a
plain text file (/etc/exim/exiscan-antispam) with an lsearch lookup:

The file /etc/exim/exiscan-antispam contains lines like this:

customerA.com:    on
customerB.com:  off
customerC.com:  on


The lookup macro in exims config file:

GET_SPAM_CONDITION = ${lookup {$domain} \
                      lsearch {/etc/exim/exiscan-antispam}{$value}{off}}



2) In acl_check_rcpt, add the following just after the
    "accept  hosts = :" line:


     # set ACL variable for spam scanning class
     warn condition = ${if def:acl_m0 {0}{1}}
          set acl_m0 = GET_SPAM_CONDITION


     # Defer addresses not fitting in our current class
     defer message = Try this address in the next batch, please.
           condition = ${if eq {${acl_m0}}{GET_SPAM_CONDITION}{0}{1}}
           hosts   = !+relay_from_hosts
           !authenticated = *


    The last two lines prevent from running this strategy from
    authenticated senders or allowed relay hosts (usually MUAs, who
    won't be able to cope with this).



3) In the exiscan config block, set

      exiscan_spamd_condition = ${if eq {$acl_m0}{on}{1}{0}}




Done !


--
Tom Kistner <tom@???>
ICQ 1501527 dcanthrax@efnet
http://duncanthrax.net