Hi,

I've set up our mail server with Exim 4.30 and everything works fine with the default ACL configuration, except if I connect to my server and try to send mail to the outside world (then I get the error: "relaying not permitted"). Incoming works fine...

What I want to do is to have people with a from address of @oursite.com be able to send email to any other domain. We can't do SMTP auth just yet, although that is the plan in a month or so. From the Exim book, I know that: "You should never use a test on a sender address as the only condition for accepting a message, because envelope sender addresses can be trivially forged". But I'm willing to accept it as a temporary risk.

What I've done is to create a file of domains that should be able to relay through our server (like oursite.com, sistercompany.com etc.). When mail is sent, both the sender's address as well as the recipient address are parsed through the ACL (I use the default config "acl_smtp_rcpt = acl_check_rcpt")? Is that right?

Assuming that the recipient address is also parsed through the ACL (which I'm pretty sure it is) and considering the fact that I haven't implemented SMTP authentication yet, what checks could I add to my ACL for allowing outgoing relaying from @oursite.com addresses?

I can't have a list of hosts (here I'm assuming host means the source PC that the mail comes from) that I allow to send mail, because we've got quite a lot of users - and they're not all on our LAN (most of the time they're at client sites).

What I've added to my ACL (but I don't think it's sufficient) is the following:

  accept sender_domains = +local_domains

(the above actually then lets me send outgoing mail, and I don't get the "relaying not permitted" error)

where rbl_domains are blacklisted domains.

Thus, I accept mail coming from all domains except those that are blacklisted, and then I make sure that the sender domain is a local domain.

Under Exim 3 I just had something like this, which did the job:

  relay_domains = partial-dbm;/usr/local/exim/etc/exim/relay.domains.dbm

I include the full configuration file below.

Your help will be greatly appreciated.

Liezel Welman
######################################################################
#                    MAIN CONFIGURATION SETTINGS                     #
######################################################################

primary_hostname = mailserver.ourdomain.com

domainlist local_domains    = dbm;/usr/local/exim/etc/exim/local.domains.dbm
domainlist relay_to_domains = partial-dbm;/usr/local/exim/etc/exim/relay.domains.dbm
domainlist rbl_domains      = dnsbl.njabl.org/reject : \
                              bl.spamcop.net/warn : \
                              blackholes.easynet.nl/warn : \
                              sbl.spamhaus.org/reject : \
                              list.dsbl.org/warn : \
                              relays.ordb.org/warn

hostlist relay_from_hosts = dbm;/usr/local/exim/etc/exim/host.accept.relay.dbm
hostlist hosts_avoid_tls  = dbm;/usr/local/exim/etc/exim/hostsavoidtls.dbm
hostlist local_hosts      = dbm;/usr/local/exim/etc/exim/local.domains.dbm
hostlist relay_hosts      = dbm;/usr/local/exim/etc/exim/relay.domains.dbm

acl_smtp_rcpt = acl_check_rcpt

never_users = root
host_lookup = 0.0.0.0/0
rfc1413_hosts = *
rfc1413_query_timeout = 0s
ignore_bounce_errors_after = 2d

# This option cancels (removes) frozen messages that are older than a week.
timeout_frozen_after = 7d

system_filter = /usr/local/exim/etc/central-filter
######################################################################
#                       ACL CONFIGURATION                            #
#         Specifies access control lists for incoming SMTP mail      #
######################################################################

begin acl

# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.

acl_check_rcpt:

  accept  hosts = :

  deny    domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|]

  deny    domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

  require verify        = sender

  accept  domains       = +local_domains
          endpass
          verify        = recipient

  # I added these two
  accept  domains        = !+rbl_domains
  accept  sender_domains = +local_domains

  accept  domains       = +relay_to_domains
          endpass
          verify        = recipient

  accept  hosts         = +relay_from_hosts
  accept  authenticated = *

  deny    message       = relay not permitted
######################################################################
#                      ROUTERS CONFIGURATION                         #
#               Specifies how addresses are handled                  #
######################################################################
#     THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT!       #
# An address is passed to each router in turn until it is accepted.  #
######################################################################

begin routers

dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more

sms_deliver:
  driver = manualroute
  domains = ! +local_domains
  route_list = domainsms.co.za domainsms.co.za bydns
  transport = remote_smtp_sms

special_domains:
  driver = manualroute
  domains = ! +local_domains
  route_data = ${lookup{$domain}lsearch{/usr/local/exim/etc/exim/domains.route}}
  transport = remote_smtp

# The remaining routers handle addresses in the local domain(s).

system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup{$local_part}lsearch{/usr/local/exim/etc/exim/$domain.alias}}
  domains = dbm;/usr/local/exim/etc/exim/local.domains.dbm
  retry_use_local_part

sms_aliases:
  #!!# suffix renamed local_part_suffix
  driver = redirect
  allow_defer
  allow_fail
  data = ${lookup mysql {select email from mail_alias_email, mail_domains, \
         mail_aliases where domain='$domain' and alias='$local_part' and \
         mail_aliases.mdid=mail_domains.mdid and \
         mail_aliases.maid=mail_alias_email.maid}}
  errors_to = liezel.welman@???
  headers_add = X-episms: $original_local_part@$original_domain
  local_part_suffix = -sms
  retry_use_local_part

smartuser:
  driver = accept
  local_parts = dbm;/usr/local/exim/etc/exim/local.parts.dbm
  retry_use_local_part
  transport = local_delivery

localuser:
  driver = accept
  check_local_user
  transport = local_delivery
  cannot_route_message = Unknown user
######################################################################
#                      TRANSPORTS CONFIGURATION                      #
######################################################################
#                       ORDER DOES NOT MATTER                        #
#     Only one appropriate transport is called for each delivery.    #
######################################################################

# A transport is used only when referenced from a router that successfully
# handles an address.

begin transports

# This transport is used for delivering messages over SMTP connections.
# The named host list defined above is "hosts_avoid_tls", so that is the
# name the "+" reference must use.
remote_smtp:
  driver = smtp
  hosts_avoid_tls = +hosts_avoid_tls

local_delivery:
  driver = pipe
  command = "/usr/local/cyrus/bin/deliver \
             -m ${substr_1:${local_part_suffix}} -- ${local_part}"
  group = mail
  log_output
  return_output
  user = mail
  delivery_date_add
  envelope_to_add
  return_path_add

address_pipe:
  driver = pipe
  return_output

address_file:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add
######################################################################
#                      RETRY CONFIGURATION                           #
######################################################################

begin retry

# This single retry rule applies to all domains and all errors. It specifies
# retries every 15 minutes for 2 hours, then increasing retry intervals,
# starting at 1 hour and increasing each time by a factor of 1.5, up to 16
# hours, then retries every 6 hours until 4 days have passed since the first
# failed delivery.

# Domain               Error       Retries
# ------               -----       -------

*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h

######################################################################
#                      REWRITE CONFIGURATION                         #
######################################################################

# There are no rewriting specifications in this default configuration file.

begin rewrite

######################################################################
#                   AUTHENTICATION CONFIGURATION                     #
######################################################################

# There are no authenticator specifications in this default configuration
# file.

begin authenticators

######################################################################
#                   CONFIGURATION FOR local_scan()                   #
######################################################################

# If you have built Exim to include a local_scan() function that contains
# tables for private options, you can define those options here. Remember to
# uncomment the "begin" line. It is commented by default because it provokes
# an error with Exim binaries that are not built with LOCAL_SCAN_HAS_OPTIONS
# set in the Local/Makefile.

# begin local_scan

# End of Exim configuration file