Re: [Exim] help with configuration

Góra strony
Delete this message
Reply to this message
Autor: Nico Erfurth
Data:  
Dla: gul
CC: exim-users
Temat: Re: [Exim] help with configuration
Pavel Gulchouck wrote:

>>What do you mean by "with BestMX"?
>
> BestMX also known as primary MX, MX with the best priority.
>
> For example, I have a relay 193.109.240.57 which receive mail
> for many customers' domains, it is primary MX for its. And I
> have a relay2 which is a secondary MX for all that domains.
> How can I configure relay2 for relaying all domains which has
> bestMX to 193.109.240.57 without manually enumetrating its?
>
> If I setup relay-based-on-MX (use @mx_any or @mx_secondary),
> anybody will allow use me as his relay by specifying my router
> as MX in the DNS, and I do not want it.


AFAIK you can't, but I've just got an nice idea ....

Basicly, use the dnsdb-lookup, and add a special TXT record to your
zonefiles, maybe something like this

example.com     TXT SECRET_TEXT


where SECRET_TEXT is the result of

echo -n "YourSecretPassword|example.com" | md5sum

with some lookup like this, you should be able to verify that the domain
is managed by your server.

${if eq {${lookup dnsdb {$domain}{$value}{}}} \
         {$md5:YourSecretPassword|$domain} {1}{0}}


This will lookup the md5sum from the domain's TXT-record, and compare it
to the md5sum generated by your password and the domain-name, you can
use this in any condition-statement, where $domain is set.
By using the md5sum and a secret password, the whole thing should be
secure against any kind of abuse.

Well, maybe there are better ways, but this should work ;)

You could also try to use the result of
${lookup dnsdb{MX=example.com}}
with a clever match against your primary's server ip, but this could
still be abused (At least I can't think of a way to make this secure).

Nico


--
There are probably better ways to do that, but it would make the parser
more complex.  I do, occasionally, struggle feebly against complexity...
  :-)
             --Larry Wall in <7886@???>