Re: [Exim] Forwarding unknown users to another host

Author: Bryce Newall
To: Tabor J. Wells
CC: exim-users
Subject: Re: [Exim] Forwarding unknown users to another host
Hello Tabor and everyone again,

Thanks for all the great advice! Unfortunately, some of the circumstances
are changing now, making some of this end up kind of moot. Also, a new
requirement has come up, and I'm not sure how to handle it.

To start off, the FreeBSD machine is going to relocate. Instead of
continuing to be the company's firewall/gateway, it is going to be
colocated at an ISP, so it will no longer be physically on the same
network. (A Linksys router is going into the office in place of the
FreeBSD box to act as the internet gateway.) With that in mind, I don't
know if doing LDAP queries would still be feasible, since they'd be going
across the internet and would also have to penetrate the firewall. If it
is feasible, then my next question may become moot, but here goes.

Second, the setup is a little bit more complicated than I thought. There
are users with <mydomain>.org addresses on the FreeBSD machine, and there
are users with <mydomain>.org addresses on the Exchange 2000 server. But
since the Exchange server thinks it's authoritative for <mydomain>.org, if
someone in the office tries to e-mail one of the addresses that exists
only on the FreeBSD machine, the Exchange server will bounce it back to
the sender as undeliverable (unknown user). I could configure Exchange to
relay all outbound mail that it doesn't recognize through a smart host and
have it send to the FreeBSD machine, but then we'd have another problem:
The FreeBSD box forwards mail for all unknown recipients for
<mydomain>.org to the Exchange server, and the Exchange server would be
forwarding mail for all unknown recipients to the FreeBSD machine, so if
someone e-mailed an invalid @<mydomain>.org address, the message would get
stuck in a loop between the Exchange and FreeBSD, and would never bounce
back to the sender.

One workaround would be to have the MX for <mydomain>.org pointed at the
Exchange server rather than the FreeBSD server, so that all mail would try
to first hit the Exchange server before being forwarded to the FreeBSD
box. (This would require removing the "unknown" router from the FreeBSD
box, of course.) However, I don't like that idea because 1) the office
doesn't have that much bandwidth to waste redirecting mail back and forth,
and 2) I'd rather keep Exchange from having to deal with that and let the
FreeBSD box do it, since the Exchange server is also busy being a domain
controller and file/print server and whatnot.

So, I guess what I'm trying to find out is, can I have the following
"rules" work:

* All outside mail comes to FreeBSD machine first
* If recipient does not exist on FreeBSD machine, forward to Exchange
* All inside mail goes to Exchange first
* If recipient does not exist in Exchange, forward to FreeBSD box

Any thoughts on all this?

Thanks for all your help!


On Fri, 13 Feb 2004, Tabor J. Wells wrote:

> > I have a FreeBSD machine acting as an internet gateway/firewall and mail
> > server. Behind it, on the internal network, is a Windows 2000 server
> [snip]
>
> Rather than do this why not just lookup the addresses in Exchange via LDAP
> lookups against Active Directory after handling the local accounts and
> virtual domains?
>
> This is what I do. My last two routers look like:
>
> exchangeProxyAddressesLookup:
>   driver = redirect
>   data = ${lookup ldap {ldap:///CN=Users,DC=EXAMPLE,DC=com?mail?sub?(proxyAddresses=SMTP:${quote_ldap:$local_part}@${quote_ldap:$domain})}}
>   domains = dbm;/etc/exim/db/localdomains.db
>   verify_recipient
>   self = pass
>   pass_router = exchangeRoute
>   no_more
>
> exchangeRoute:
>   driver = manualroute
>   transport = remote_smtp
>   route_data = ${lookup{$domain}dbm{/etc/exim/db/localdomains.db}}
>
> where localdomains.db contains key/value pairs for the domain/ip address of
> the exchange server it is routed to.
>
> This also has the benefit of allowing me to reject bad addresses at SMTP
> time rather than let exchange accept it and then try and relay a bounce
> message back through the exim servers.
>
> Tabor
>
> --
> --------------------------------------------------------------------
> Tabor J. Wells                                     twells@???
> Fsck It!                 Just another victim of the ambient morality


*********************************************************
*    Bryce Newall    *    Email: data@???    *
*               www.dreamhaven.org/~data                *
*  "Computers make very fast, very accurate mistakes."  *
*********************************************************
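An Exim 4 router fragment for the FreeBSD side of the four "rules" above, added here as a worked example; it is not Bryce's or Tabor's configuration. It assumes the domain is mydomain.org, the Exchange server is reachable from the colocated box as 192.168.1.5 (over a VPN or a port forward through the Linksys; both the address and the macro name EXCHANGE_IP are placeholders), the FreeBSD-side users are ordinary system accounts, the default local_delivery and remote_smtp transports exist, and the Exchange SMTP virtual server is set to forward mail with unresolved recipients to the FreeBSD box. The part that matters for the loop is the condition on the to_exchange router: a message that arrived from Exchange for a user this box does not have is not routed back to Exchange, so no router accepts it and it is refused at RCPT time.

```exim
# Exim 4 configuration fragment for the FreeBSD box (added example, not from
# the thread). Assumed values: domain mydomain.org, Exchange at 192.168.1.5.
EXCHANGE_IP = 192.168.1.5

begin routers

# Rule 1 and 2, first half: a recipient with a local account is delivered here.
# check_local_user assumes FreeBSD-side mailboxes are system accounts; for a
# virtual-user setup replace it with a local_parts lookup against your table.
localuser:
  driver = accept
  domains = mydomain.org
  check_local_user
  transport = local_delivery

# Rule 2, second half: anyone else at the domain is handed to Exchange, except
# when the message came *from* Exchange. Exchange forwards its own unresolved
# recipients to this box, so a message it gives us for a user we also do not
# know must not be sent straight back; that single condition breaks the loop.
# $sender_host_address is empty for locally submitted mail, so local
# submissions for Exchange users still route normally.
to_exchange:
  driver = manualroute
  domains = mydomain.org
  condition = ${if eq{$sender_host_address}{EXCHANGE_IP}{no}{yes}}
  route_list = mydomain.org EXCHANGE_IP
  transport = remote_smtp

# No router accepts the address when the message came from Exchange and the
# user is not local. With the default RCPT ACL, which contains
#   require verify = recipient
# recipient verification runs these same routers, so the box answers 550 at
# SMTP time and Exchange, not this machine, bounces to the internal sender.
```

Because the refusal happens at RCPT time, the FreeBSD box never queues the message, and an outside sender who addresses a non-existent user gets a bounce from whichever server first discovers the user is unknown on both sides. Tabor's LDAP router would still work from the colo, but only if Active Directory is reached over the VPN or over ldaps:// with the firewall restricted to the colo's address; plain LDAP across the internet exposes directory queries and credentials.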