Re: [Exim] Sender-/Return-Path-Rewriting

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: David Woodhouse
Ημερομηνία:  
Προς: Martin Treusch von Buttlar
Υ/ο: exim-users
Αντικείμενο: Re: [Exim] Sender-/Return-Path-Rewriting
On Sun, 2004-02-08 at 20:14 +0100, Martin Treusch von Buttlar wrote:
> Hi,
>
> the following 4 routers implement a SRS as needed for proper SPF
> support. This is heavily based on work from Daniel Roethlisberger who
> implemented this for Exim3 [1].


Out of interest, why the thing with the domains:
        ${if eq {$domain}{$original_domain}\
                     {%$original_domain@$primary_hostname}\
                     {@$original_domain}}


Also, you don't seem to be doing much quoting... how does it fare with
addresses such as 'one-two=th$r\ee#fo\\ur##fi}v\e%six\@_seven@???'?

But you _do_ quote '#' and '='... why?

I'm playing with a variant based on this, but using a different domain
for _all_ RPR addresses rather than a prefix. Looks something like this
at the moment...

  # Verify, and extract return address from, an RPR-address
rpr_bounce:
  driver = redirect
  domains = RPR_DOMAIN
  allow_fail
  data = ${if !match {$local_part}{\N^rpr-([^-]*)-([^-]*)-([^-]*)-([0-9]*)-(.*)\N} \
        {:fail: Unknown RPR localpart \
#            (malformed)\
        } \
     {${if !eq {$1}{${hmac{md5}{RPR_SECRET}{$2-$3-$4-${quote_local_part:$5}}}} \
        {:fail: Unknown RPR localpart \
#            (HMAC should be ${hmac{md5}{RPR_SECRET}{$2-$3-$4-${quote_local_part:$5}}} not $1)\
        } \
    {${if <{$4}{$tod_epoch} \
        {:fail: Unknown RPR localpart \
#            (expired ${eval:$tod_epoch-$4} seconds ago)\
        } \
    {${sg {${sg {$5}{%#}{@}}}{%%}{%}} \
    }}}}}}
  headers_add = X-RPR-Return: DSN routed via $primary_hostname. See RPR_URL


# Rewrite reverse-path so that forwarding to SPF-afflicted domains doesn't
# break. We include $primary_hostname and $message_id so that we can track
# down the offending message in the log if it _does_ offend us, and an
# escaped form of $sender_address with a limited-lifetime hash cookie.
rpr_rewrite:
  senders = ! : ! *@+local_domains : ! *@+virtual_domains
  domains = ! +local_domains
  # Rewrite only if the sender domain actually advertises SPF records.
  # Actually it would be nicer if we could say 'only if we're not permitted
  # by the SPF record for this domain'
  condition = ${if match {${lookup dnsdb{txt=$sender_address_domain}{$value}fail}}{v=spf1} {1}}
  headers_add = "X-RPR-Rewrite: SMTP reverse-path rewritten from <$sender_address> by $primary_hostname"\n\tSee RPR_URL
  # Encode sender address by escaping % to %% and @ to %#, add expiry timestamp
  address_data = $primary_hostname-$message_id-\
        ${eval:$tod_epoch+RPR_DSN_TIMEOUT}-\
        ${quote_local_part:${sg {${sg {$sender_address} {%}{%%}}} {@}{%#}}}
  errors_to = rpr-${hmac{md5}{RPR_SECRET}{$address_data}}-$address_data@RPR_DOMAIN
  driver = redirect
  data = ${quote_local_part:$local_part}@$domain
# Straight to output; don't start routing again from the beginning.
  redirect_router = lookuphost


--
dwmw2