[Exim] Outgoing relaying

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Liezel Welman
Date:  
À: 'exim-users@exim.org'
Sujet: [Exim] Outgoing relaying
Hi,

I've setup our mail server with Exim 4.30 and everything works fine with
the default acl configuration, except if I connect to my server and try to
send
mail to the outside world (then I get the error: "relaying not
permitted"). Incoming works fine...

What I want to do is to have people with a from address of @oursite.com
be able to send email to any other domain. We can't do SMTP auth just
yet, although that is the plan in a month or so. From the exim book, I
know
that: "You should never use a test on a sender address as the only
condition
for accepting a message, because envelope sender addresses can be
trivially forged". But I'm willing to accept it as a temporary risk.

What I've done is to create a file of domains that should be able to
relay through our server (like oursite.com, sistercompany.com etc).

When mail is sent, both the sender's address
as well as the recipient address is parsed through the acl (I use the
default config "acl_smtp_rcpt = acl_check_rcpt")? Is that right?

Assuming that the recipient address is also parsed through the acl
(which I'm pretty sure it is) and considering the fact that I haven't
implemented smtp authentication yet, what checks could I add to my acl
for allowing outgoing relaying from @oursite.com addresses?

I can't have a list of hosts (here I'm assuming host means the source pc
that the mail comes from) that I allow to send mail, because we've got
quite a lot of users - and they're not all on our LAN (most of the time
they're at client sites).

What I've added to my acl ( but I don't think it's sufficient) is the
following:

accept domains        = !+rbl_domains
accept sender_domains = +local_domains


(the above actually then lets me send outgoing mail, and I don't get the
"relaying not permitted" error)

where rbl_domains are blacklisted domains.

Thus, I accept mail coming from all domains except those that are
blacklisted, and then I make sure that the sender domain is a local
domain.

Under exim 3 I just had something like this, which did the job:
relay_domains = partial-dbm;/usr/local/exim/etc/exim/relay.domains.dbm

I include the full configuration file below.

Your help will be greatly appreciated.


Liezel Welman


######################################################################
#                    MAIN CONFIGURATION SETTINGS                     #
######################################################################



primary_hostname = mailserver.ourdomain.com


domainlist local_domains = dbm;/usr/local/exim/etc/exim/local.domains.dbm
domainlist relay_to_domains =
partial-dbm;/usr/local/exim/etc/exim/relay.domains.dbm
domainlist rbl_domains = dnsbl.njabl.org/reject : \
        bl.spamcop.net/warn : \
        blackholes.easynet.nl/warn : \
        sbl.spamhaus.org/reject : \
        list.dsbl.org/warn : \
        relays.ordb.org/warn
hostlist   relay_from_hosts =
dbm;/usr/local/exim/etc/exim/host.accept.relay.dbm
hostlist   hosts_avoid_tls = dbm;/usr/local/exim/etc/exim/hostsavoidtls.dbm
hostlist   local_hosts = dbm;/usr/local/exim/etc/exim/local.domains.dbm
hostlist   relay_hosts = dbm;/usr/local/exim/etc/exim/relay.domains.dbm



acl_smtp_rcpt = acl_check_rcpt


never_users = root


host_lookup = 0.0.0.0/0


rfc1413_hosts = *
rfc1413_query_timeout = 0s


ignore_bounce_errors_after = 2d

# This option cancels (removes) frozen messages that are older than a week.

timeout_frozen_after = 7d

system_filter = /usr/local/exim/etc/central-filter


######################################################################
#                       ACL CONFIGURATION                            #
#         Specifies access control lists for incoming SMTP mail      #
######################################################################


begin acl

# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.

acl_check_rcpt:

accept hosts = :

  deny    domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|]


  deny    domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./


  require verify        = sender


  accept  domains       = +local_domains
          endpass
          verify        = recipient


# I added these two

  accept domains        = !+rbl_domains
  accept sender_domains = +local_domains


  accept  domains       = +relay_to_domains
          endpass
          verify        = recipient


  accept  hosts         = +relay_from_hosts


accept authenticated = *

  deny    message       = relay not permitted




######################################################################
#                      ROUTERS CONFIGURATION                         #
#               Specifies how addresses are handled                  #
######################################################################
#     THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT!       #
# An address is passed to each router in turn until it is accepted.  #
######################################################################


begin routers

dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

sms_deliver:
driver = manualroute
domains = ! +local_domains
route_list = domainsms.co.za domainsms.co.za bydns
transport = remote_smtp_sms

special_domains:
driver = manualroute
domains = ! +local_domains
route_data =
${lookup{$domain}lsearch{/usr/local/exim/etc/exim/domains.route}}
transport = remote_smtp

# The remaining routers handle addresses in the local domain(s).


system_aliases:
driver = redirect
allow_fail
allow_defer
data =
${lookup{$local_part}lsearch{/usr/local/exim/etc/exim/$domain.alias}}
domains = dbm;/usr/local/exim/etc/exim/local.domains.dbm
retry_use_local_part

sms_aliases:
#!!# suffix renamed local_part_suffix
driver = redirect
allow_defer
allow_fail
data = ${lookup mysql {select email from mail_alias_email, mail_domains,
mail_aliases where domain='$domain' and alias='$local_part' and
mail_aliases.mdid=mail_domains.mdid and
mail_aliases.maid=mail_alias_email.maid}}
errors_to = liezel.welman@???
headers_add = X-episms: $original_local_part@$original_domain
local_part_suffix = -sms
retry_use_local_part

smartuser:
driver = accept
local_parts = dbm;/usr/local/exim/etc/exim/local.parts.dbm
retry_use_local_part
transport = local_delivery

localuser:
driver = accept
check_local_user
transport = local_delivery
cannot_route_message = Unknown user



######################################################################
#                      TRANSPORTS CONFIGURATION                      #
######################################################################
#                       ORDER DOES NOT MATTER                        #
#     Only one appropriate transport is called for each delivery.    #
######################################################################


# A transport is used only when referenced from a router that successfully
# handles an address.

begin transports

# This transport is used for delivering messages over SMTP connections.

remote_smtp:
driver = smtp
hosts_avoid_tls = +hostsavoidtls

local_delivery:
  driver = pipe
  command = "/usr/local/cyrus/bin/deliver \
            -m ${substr_1:${local_part_suffix}} -- ${local_part}"
  group = mail
  log_output
  return_output
  user = mail
  delivery_date_add
  envelope_to_add
  return_path_add


address_pipe:
driver = pipe
return_output


address_file:
driver = appendfile
delivery_date_add envelope_to_add
return_path_add

######################################################################
#                      RETRY CONFIGURATION                           #
######################################################################


begin retry

# This single retry rule applies to all domains and all errors. It specifies
# retries every 15 minutes for 2 hours, then increasing retry intervals,
# starting at 1 hour and increasing each time by a factor of 1.5, up to 16
# hours, then retries every 6 hours until 4 days have passed since the first
# failed delivery.

# Domain               Error       Retries
# ------               -----       -------


*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h




######################################################################
#                      REWRITE CONFIGURATION                         #
######################################################################


# There are no rewriting specifications in this default configuration file.

begin rewrite


######################################################################
#                   AUTHENTICATION CONFIGURATION                     #
######################################################################


# There are no authenticator specifications in this default configuration
file.
begin authenticators



######################################################################
#                   CONFIGURATION FOR local_scan()                   #
######################################################################


# If you have built Exim to include a local_scan() function that contains
# tables for private options, you can define those options here. Remember to
# uncomment the "begin" line. It is commented by default because it provokes
# an error with Exim binaries that are not built with LOCAL_SCAN_HAS_OPTIONS
# set in the Local/Makefile.

# begin local_scan


# End of Exim configuration file