On Mon, Apr 05, 2004 at 05:14:28PM +0200, Bauer, Felix wrote:
> > Q: Do the exchange server and exim box share a domain, so that an
> > account somebody@??? might be on one or the other? Or do they
> > have entirely separate domains?
>
> A: Yes, they are in the same subnet, both with the same dns-suffix and
> no somebody@??? only exists on AD/Exchange. The exim-mailserver
> is setup on my companies firewall for initial testing and will move to
> a DMZ later, but will never carry users mailboxes only act as relay for
> spam/virus checking.
Well, assuming you can configure Exchange to reject mail for invalid
accounts at the smtp conversation stage, then you can, if you like,
avoid ldap altogether and use smtp callout verification. The way this
works is, when Exim is receiving a message, it checks each recipient
with the machine that it will ultimately deliver the message to. If the
destination machine rejects the message, Exim rejects it.
Now, if you can't configure Exchange to do that, read no further.
According to a recent thread in this list, Exchange 2003 can do it quite
easily while (iirc) Exchange 2000 can be persuaded with a bit of
kicking. If you manage that, then a config something like this will
work:
-----------------------------------------------------------------------
domainlist relay_domains = main.mail.domain
domainlist local_domains = @ : @[]
domainlist lan_hosts = internal : hosts : allowed.to.send
acl_smtp_rcpt = check_recipient
primary_hostname = dns.name.for.this.box
begin acl
check_recipient:
accept hosts = :
deny local_parts = ^.*[@%!/|] : ^\\.
accept local_parts = postmaster
domains = +local_domains : +relay_domains
deny hosts = !+lan : *
!verify = sender
deny domains = +relay_domains
!verify = recipient/defer_ok/callout=no_cache
accept domains = +local_domains
accept domains = +relay_domains
accept hosts = +lan_hosts
deny message = relay not permitted
begin routers
this_machine:
driver = redirect
domains = +local_domains
local_parts = postmaster : root
data = admin.address@???
no_more
main_domain:
driver = manualroute
domains = +relay_domains
route_list = * exchange.box.name.or.address
transport = remote_smtp
external_mail:
driver = dnslookup
domains = ! +local_domains : ! +relay_domains
transport = direct_smtp
begin transports:
direct_smtp:
driver = smtp
-------------------------------------------------------------------------
Now, this is a very minimal configuration that does what your current
set-up requires. It doesn't deliver any mail locally: mail for root or
postmaster on the local machine is redirected to an administrative
address somewhere else (e.g. your exchange box). The key point is the
work done by these two lines:
deny domains = +relay_domains
!verify = recipient/defer_ok/callout=no_cache
What that does is tell Exim to check with the Exchange box for every
incoming recipient and see if it will be accepted. If not, it rejects
that recipient. Since only valid recipients are accepted, you don't
have to worry at the router stage about doing any testing. Anything
with your main domain address that makes it to the main_domain router is
kosher.
A few notes:
* the defer_ok means that it should accept mail if it can't
find the Exchange box to verify.
* The =nocache option is there just because of a bug in the
latest version of Exim. If you are using an earlier version
than 4.31, you don't need it.
* If your internal mail system becomes any more complex, this
will need some reworking
* This example config does no virus checking or any serious spam
filtering.
* I have not tested this config
But it does do what you want, with no LDAP lookups.
--
Bruce
Hierophant: someone who remembers, when you are on the way down,
everything you did to them on the way up.
