Re: [Exim] User list verify via file before sa-exim

Top Page
Delete this message
Reply to this message
Author: Tim Jackson
Date:  
To: exim-users
Subject: Re: [Exim] User list verify via file before sa-exim
Hi lists, on Wed, 7 Jul 2004 14:43:58 -0500 you wrote:

> Once before someone said I should check users via either ldap or a file
> so that the smart-host doesn't pass everything on


Yes, because otherwise you are generating collateral spam for any "bad"
users which are subsequently rejected.

> do you have a example of how I can do this before it gets to spamd.


The easiest way, if the internal server *does* reject bad recipients (you
said it's running Exim, so the answer is probably yes), is to do

verify = recipient/callout

which will do an SMTP callout to the internal server (subject to caching).
So all you have to do is add "/callout" to your existing ACL line that
verifies the recipient.

> Verify via a file with a list of users would be great:>


Sure, if you want to do this then add a router something like this, before
your (presumed) manualroute router:

userlist_domains:
driver = redirect
allow_fail
data =
${lookup{$local_part}lsearch{/etc/exim/userlists/$domain.list}{$local_p
art@$domain}{:fail:Unknown user}}

where it is assuming that for each domain you handle, you have a userlist
in a text file /etc/exim/userlists/domain, and the list is simply a list
of valid local parts i.e.:

fred
bob
mary

> Things I that I know I can't use
> Verify =sender (this blocks way to many emails for us to use)


I find that very difficult to believe, unless you mean
"verify=sender/callout". A basic sender verification has been the default
not only in Exim but in other MTAs for years. I doubt you'll find many
people anywhere who don't do at least a basic DNS check.

> Helo checks        (this blocks way to many emails for us to use)


Again, what kind are you talking about? In my experience (and other people
on this list seem to see it similarly), it's easy to block a lot of spam
with some basic HELO checks (like checking for your own IP addresses or
domains) without blocking any real mail whatsoever. If you're talking
about full forward-backwards DNS checks then that may be a different
matter.


Tim