Re: [Exim] how to verify recipient on a mailhub

Author: Tony Earnshaw
Date:
To: exim-users
Subject: Re: [Exim] how to verify recipient on a mailhub
Thu, 17.04.2003 at 10.35, Wolfgang.Fuertbauer@??? wrote:

> exim receives all mail coming from the internet and after virus scanning,
> ... forwards it to a lotus domino server;


> recently i get *tons* of faked emails (sender claims to be from our domain,
> recipient is combination of chars and numbers in localpart, for example:
> 4edre57887@???)
>
> my question is:
> how can i configure exim to do a recipient verification on the relay host
> for all incoming messages ?


What Exim version?

I do this for 4.14 with 4 ACLs.

/However/:

1: Order is very important;
2: There are masses of ACLs in between these ACLs that do different
things. Order is /paramount/ for these as well;
3: One has to define local_domains and relay_to_domains first, before
the ACLs;
4: Using the HELO/EHLO verify ACL might make you extremely unpopular
with your sales department, managing director or whoever when your mail
server starts refusing mail from ill-configured customer servers, etc.

Some of this is copied directly from spec.txt, some I made up and
*tested* both with 'exim -d+exact -d' and some in utter exasperation
when mail was refused by my own server and I couldn't fathom out why.

Your best bet is *always* Exim 4's fabulous debug possibilities ;-)

# Enforce the use of a valid HELO/EHLO - is checked against the sender's IP
# Be careful! If the reverse lookup doesn't work on the name, e-mail won't be accepted
deny  message    = "Invalid domain given in HELO/EHLO"
!condition       = ${if or { \
  { and {{match {$sender_helo_name}{$sender_host_name}} \
  {!eq {$sender_helo_name}{$sender_host_address}}} \
   } \
   {match {$sender_address_domain}{billy.demon.nl}} \
   } \
  {yes}{no} \
}


# Deny unless the sender address can be verified.
deny  !verify         = sender


# Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
# testing for an empty sending host field.
accept  hosts          = :
accept  domains        = +local_domains
        message        = No such recipient
        verify         = recipient


# Accept if the address is in a local domain, but only if the recipient can
# be verified. Otherwise deny. The "endpass" line is the border between
# passing on to the next ACL statement (if tests above it fail) or denying
# access (if tests below it fail).
accept  domains        = +relay_to_domains
        endpass
        message        = No such recipient
        verify         = recipient


Best,

Tony

--

Tony Earnshaw

Do not come to visit me with both arms the same length.

e-mail:        tonni@???
www:        http://www.billy.demon.nl
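
The accept/endpass flow described in the ACL comments above, as an added Python sketch that is not part of Tony's post and is not Exim code. It models only the last four statements (the HELO check is left out); the domains, the addresses and the KNOWN set standing in for "verify = recipient" are constructed assumptions.

```python
# Added illustration: simplified model of Exim ACL verb flow, not Exim code.
ENDPASS = object()  # marker for the "endpass" line inside an accept statement

# Constructed sample data (assumptions, not from the post).
LOCAL_DOMAINS = {"local.example"}
RELAY_TO_DOMAINS = {"hub.example"}
KNOWN = {"alice@local.example", "bob@hub.example"}  # stand-in for "verify = recipient"

def domain_in(domains):
    return lambda c: c["rcpt"].rsplit("@", 1)[1] in domains

def recipient_ok(c):
    return c["rcpt"] in KNOWN

# (verb, message, conditions) in the same order as the post's last four statements.
ACL = [
    ("deny", None, [lambda c: not c["sender_verifies"]]),   # deny !verify = sender
    ("accept", None, [lambda c: c["host"] == ""]),           # accept hosts = :
    ("accept", "No such recipient",                          # no endpass here
     [domain_in(LOCAL_DOMAINS), recipient_ok]),
    ("accept", "No such recipient",
     [domain_in(RELAY_TO_DOMAINS), ENDPASS, recipient_ok]),
]

def evaluate(acl, ctx):
    """Return (verdict, message) for one RCPT command."""
    for verb, message, conditions in acl:
        matched, past_endpass = True, False
        for cond in conditions:
            if cond is ENDPASS:
                past_endpass = True
            elif not cond(ctx):
                matched = False
                break
        if matched:
            return (verb, message if verb == "deny" else None)
        if verb == "accept" and past_endpass:
            return ("deny", message)  # failure below endpass denies outright
        # otherwise the statement is skipped and the next one is tried
    return ("deny", None)  # implicit deny when no statement decides

def check(rcpt, host="192.0.2.10", sender_verifies=True):
    return evaluate(ACL, {"rcpt": rcpt, "host": host, "sender_verifies": sender_verifies})

if __name__ == "__main__":
    for rcpt in ("bob@hub.example", "4edre57887@hub.example", "4edre57887@local.example"):
        print(rcpt, check(rcpt))
```

In this model the local-domain statement has no endpass, so an unknown local recipient falls through to the implicit deny without the "No such recipient" text, while the relay-domain statement denies with it.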