[exim] Restricting outgoing emails in Exim.

Author: Jim Barber
Date:  
To: exim-users
Subject: [exim] Restricting outgoing emails in Exim.
For a long time now I've been trying to find a solution to the following problem.
I've read the FAQs, the filtering documentation, and the mailing list archives but still can't find the answer that I require.

I am using Exim v3.35 as supplied in the stable version of Debian (woody).

There is a list of local users that are only allowed to send email to other internal users.
However, the exception is that they will be able to send email to certain external email addresses.
Likewise, these internal users can only receive emails from other internal users, and the specified list of external email addresses.

Controlling incoming email to the internal users is easy using the following directors (note that the corresponding transports
exist, but I haven't shown them).
The list of restricted users is in the /etc/exim/users.InternalEmail file, and the list of external addresses that are the
exceptions is in the /etc/exim/exceptions file:

    # Allow internal restricted users to receive email from any internal user.
    #
    restricted_user_from_internal:
      driver = localuser
      home_directory = /
      transport = local_delivery
      require_files = /etc/exim/users.InternalEmail
      local_parts = lsearch;/etc/exim/users.InternalEmail
      senders = :^[^@]+\$:*@ourdomain.com.au


    # Allow internal restricted users to receive email from addresses in an exceptions list.
    #
    restricted_user_from_exception:
      driver = localuser
      home_directory = /
      transport = local_delivery
      require_files = /etc/exim/users.InternalEmail:/etc/exim/exceptions
      local_parts = lsearch;/etc/exim/users.InternalEmail
      senders = lsearch;/etc/exim/exceptions


    # Deny any other case trying to send to an internal restricted user.
    #
    deny_to_restricted_user:
      driver = localuser
      home_directory = /
      transport = reject_email
      require_files = /etc/exim/users.InternalEmail
      local_parts = lsearch;/etc/exim/users.InternalEmail


    # All other local users can have email delivered without restriction.
    #
    localuser:
      driver = localuser
      home_directory = /
      transport = local_delivery



The outgoing requirements are much more difficult to meet however...

I can easily deny the restricted users from being able to email out at all by using a router like the following:

    router_deny_restricted_lookuphost:
      driver = lookuphost
      transport = reject_email
      senders = lsearch;/etc/exim/users.InternalEmail


But obviously that won't allow the restricted users to send to the external users in the exception list.
I haven't found any other tests I can put in the routers to allow the exceptions to work...

I've also tried a system filter that looks like the following (in place of the above router):

    # Exim filter


    # A system filter to look at outgoing messages and allow restricted users to send to some exceptions.


    if error_message then finish endif
    if not first_delivery then finish endif


    # We're only interested in filtering emails from restricted users.
    #
    if ${lookup{$sender_address}lsearch{/etc/exim/users.InternalEmail}{yes}{no}} is "yes"
    then
            # If the recipient is an internal user, then let the delivery happen.
            #
            if foranyaddress $recipients ($thisaddress ends "ourdomain.com.au")
            then
                    finish
            endif


            # If the recipient is in an exceptions list, then let the delivery happen.
            #
            if foranyaddress $recipients (${lookup{$thisaddress}lsearch{/etc/exim/exceptions}{yes}{no}} is "yes")
            then
                    finish
            endif


            # If processing gets here then the restricted user is not allowed to send to the address.
            #
            seen mail
                    subject "Unauthorised: Your message '$h_subject:'"
                    text "Your message failed to be delivered to one or more recipients"
    endif


The problem with the above is that the recipients of the email are all lumped together and you can't seem to loop over each one and
test each outgoing email address on its own merits...
The foranyaddress will work if the users only send to one address at a time.
However, if they include a mix of valid and invalid addresses, then the conditions are true and the email will be sent to all the
users; invalid or not.

Any help would be appreciated as this has been driving me insane for weeks now.
If possible, could any replies be cc:ed to jim.barber@??? please since I am not subscribed to the exim mailing list.

--
Jim Barber
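The policy in the post is a per-(sender, recipient) decision, and the failure described above comes from evaluating it once per message with any-match semantics. The following Python model is an added example, not part of the original message and not Exim code; it evaluates the same rules (restricted sender, internal recipient, exception list) once per recipient and, for contrast, once per message the way `foranyaddress` does. The restricted-user and exception lists are constructed sample data standing in for /etc/exim/users.InternalEmail and /etc/exim/exceptions, and the sender lookup is assumed to key on the local part, matching the `local_parts = lsearch` usage in the directors.

```python
"""Model of the restricted-sender policy from the post, evaluated per recipient.

Added example; the data below is constructed and the lookup-by-local-part
behaviour is an assumption drawn from the directors in the message.
"""

INTERNAL_DOMAIN = "ourdomain.com.au"

# Constructed stand-in for /etc/exim/users.InternalEmail (local parts only)
RESTRICTED_USERS = {"alice", "bob"}

# Constructed stand-in for /etc/exim/exceptions (full external addresses)
EXCEPTIONS = {"partner@example.com", "support@example.net"}


def is_internal(address: str) -> bool:
    """A recipient is internal when it is in our own domain."""
    return address.lower().endswith("@" + INTERNAL_DOMAIN)


def is_restricted_sender(sender: str) -> bool:
    """Sender is restricted when its local part is in the restricted list.

    The empty envelope sender (bounces) is never treated as restricted,
    mirroring the leading ':' in the senders list of the directors.
    """
    if sender == "":
        return False
    local_part, _, domain = sender.rpartition("@")
    # Assumption: only our own domain's users can be restricted local users.
    return domain.lower() == INTERNAL_DOMAIN and local_part.lower() in RESTRICTED_USERS


def recipient_allowed(sender: str, recipient: str) -> bool:
    """The policy for a single (sender, recipient) pair."""
    if not is_restricted_sender(sender):
        return True
    return is_internal(recipient) or recipient.lower() in EXCEPTIONS


def split_recipients(sender: str, recipients: list) -> tuple:
    """Per-recipient evaluation: returns (deliver, reject) lists.

    This is the behaviour the post is asking for: a mixed recipient list is
    split so that only the permitted addresses receive the message.
    """
    deliver, reject = [], []
    for rcpt in recipients:
        (deliver if recipient_allowed(sender, rcpt) else reject).append(rcpt)
    return deliver, reject


def foranyaddress_decision(sender: str, recipients: list) -> str:
    """Per-message evaluation with the any-match semantics of the posted filter.

    The whole message is released if ANY recipient passes, which is exactly
    the weakness the post describes for mixed recipient lists.
    """
    if not is_restricted_sender(sender):
        return "deliver_all"
    if any(recipient_allowed(sender, r) for r in recipients):
        return "deliver_all"
    return "reject_all"


if __name__ == "__main__":
    sender = "alice@ourdomain.com.au"
    rcpts = ["bob@ourdomain.com.au", "partner@example.com", "someone@example.org"]
    print("per-recipient:", split_recipients(sender, rcpts))
    print("foranyaddress:", foranyaddress_decision(sender, rcpts))
```

Running the script shows the two evaluations diverge on the mixed list: the per-recipient split delivers to the internal user and the exception but rejects the third address, while the any-match evaluation releases the message to all three.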