[Exim] How to bypass last Received: server to apply block li…

Author: Patrick Starrenburg
Date:  
To: exim-users
Subject: [Exim] How to bypass last Received: server to apply block lists to previous server
This is an unusual issue, I won't go into the reasons why we find
ourselves in this situation :-( , but I am trying to see how we can work
around this problem.

The situation is this: we may find ourselves having the corporate mail
*gateway* server for our domains moved to another computer/mail software
nowhere near as effective as Exim. We will then have to accept *incoming* mail
from this (brain dead) mail server as a trusted host (it will be inside
the corporate network).

Internet          ---> [------------Corporate Network--------------]
Untrusted servers ---> "Trusted" (brain dead) server ---> Our Server
Server "A"        ---> Server "B"                    ---> Server "C"


This server B just eats whatever is passed to it, and we will find ourselves
in a situation where the garbage is then regurgitated onto us - server C.

We will be able to block attachments, MIME errors etc. with Exiscan and
sending email addresses and domains with our normal ACLs, but the issue
will be DNSBL lookups and our own blocklists and other checks which block
by IP address of the sending server (server A). We prefer to block at the SMTP
communication stage. Because the communicating server will be server B
("trusted"! server) we cannot apply our relay, proxy, dynablock, spam
block lists to it.

During SMTP communication with server B we need to "jump over" the
connecting host (server B) and look at the address of the host before it, which
will be the Internet host (server A), and apply block lists. Then we will
reject communication with server B (based on server A being in a block
list) and server B has to deal with the problem mail.

Has anyone found themselves in this situation / developed anything to
address this? I don't believe we can address this with ACLs but may have
to look at developing an Exim local scan function which "strips off" the
last Received: header for server B (which will always be the same) and
then does block list lookups etc. on the (real) IP of server A.

Any suggestions/comments/solutions :-)

Patrick
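
The check described in the message above, sketched as an added example that is not part of the original post and is stand-alone Python, not an Exim local_scan function: it reads only the Received: header that server B added, extracts the IP B recorded for server A, and builds the DNSBL query name for it. The gateway name, the zone passed in, the sample addresses and all function names are assumptions made for illustration.

```python
import ipaddress
import re
import socket
from email import message_from_string

# Assumption: the name server B writes in the "by" clause of its Received: header.
TRUSTED_GATEWAY = "gateway-b.corp.example"
# Matches "from ... [ip] ... by host" inside one Received: header value.
_RECEIVED = re.compile(
    r"from\s.*?\[(?:IPv6:)?([0-9A-Fa-f:.]+)\].*?\bby\s+([^\s;]+)", re.I | re.S)

def upstream_ip(raw_message, trusted_by=TRUSTED_GATEWAY):
    """IP that B recorded for A, or None. Reads only the topmost Received:
    header (the one B added); lower ones are sender-supplied and may be forged."""
    received = message_from_string(raw_message).get_all("Received") or []
    match = _RECEIVED.search(received[0]) if received else None
    if not match or match.group(2).lower() != trusted_by:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        return None

def dnsbl_query_name(ip, zone):
    """Reverse the octets (IPv4) or nibbles (IPv6) and append the list's zone."""
    parts = str(ip).split(".") if ip.version == 4 else ip.exploded.replace(":", "")
    return ".".join(reversed(parts)) + "." + zone

def dns_lookup(name):
    """A records for name; an empty list means the address is not listed."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def is_listed(raw_message, zone, resolve=dns_lookup):
    # The caller must already have verified that the SMTP peer is server B.
    ip = upstream_ip(raw_message)
    return ip is not None and bool(resolve(dnsbl_query_name(ip, zone)))

# Constructed sample: B's header on top, a forged header underneath.
SAMPLE = (
    "Received: from mail.a.example (mail.a.example [203.0.113.7])\n"
    "\tby gateway-b.corp.example with ESMTP id 1AbCdE\n"
    "Received: from localhost ([198.51.100.9]) by gateway-b.corp.example\n"
    "From: sender@a.example\n"
    "\n"
    "body\n"
)
```

The `resolve` parameter exists so the lookup can be replaced with a stub when testing offline; with the default, a listed address is any query name that returns at least one A record.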