Re: [exim] Exim with Mailscanner Cyrus IMAP

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Dennis Davis
Dátum:  
Címzett: Erik Myllymaki
CC: exim-users
Tárgy: Re: [exim] Exim with Mailscanner Cyrus IMAP
>Date: Thu, 17 Mar 2005 05:52:12 -0800
>From: Erik Myllymaki <erik.myllymaki@???>
>To: "Exim-Users (E-mail)" <exim-users@???>
>Subject: [exim] Exim with Mailscanner Cyrus IMAP
>
>I am using Mailscanner with Exim v4.28 delivering to Cyrus IMAP.


I'd advise upgrading to Exim-4.50. Some of what I describe may
not work in much earlier versions of exim.

>The first Exim process leaves mail in a queue where Mailscanner
>takes over and scans for spam/virus and then calls the second
>Exim process.
>
>Trouble is, mailnot destined to a valid mailbox or alias gets through
>to the second process where I would really like it to be rejected at
>the first. Various tools for preventing dictionay attacks also
>seem to realy on knowing at the first process whether the intended
>recipient is valid or not.
>
>Any tips on how to get this done? Most info I have found is for
>checking for valid local accounts (mbox) or for setups only using
>single Exim processes with IMAP.
>
>Just a pointer to the FM would be appreciated.


I'm using a setup with single Exim processes delivering to a Cyrus
IMAP. This isn't a production server, I'm just experimenting with
it. But the following may (ie I can't really test it and want to
be cautious :-) work with your setup. Something very similar is
certainly working with my experimental setup.

(These ideas aren't original to me. I got them from someone who
posted the URL of their HOWTO on this list. Unfortunately I've
lost the URL and so can't give proper acknowledgement. Damn.)

Most descriptions of how to deliver email to Cyrus describe using
the Cyrus deliver program to do the job. However that's not the
only way. You can get exim to deliver to Cyrus by having it deliver
to a Cyrus lmtpd daemon listening on the loopback address. Or a
Cyrus lmtpd daemon listening on another machine if your IMAP server
is elsewhere. Even if you don't want to deliver to Cyrus using
lmtpd, you can certainly use it to verify recipients.

So alter your Cyrus configuration file (/etc/cyrus.conf) to have an
lmtpd daemon listening for network connections. Include something
like:


# Note the use of the "-a" argument to pre-authorize connections.
# For this to be viable, our /etc/hosts.allow file *must* restrict
# connections to trusted hosts.
        lmtp            cmd="lmtpd -a" listen="lmtp" prefork=25



in the SERVICES section.

The above implies your Cyrus software must also be built against
the tcpwrapper library. If you aren't accepting lmtpd connections
from other machines, make sure your /etc/hosts.allow file restricts
connections to only the loopback address. Something like:


# loopback address.
lmtp: 127.: ALLOW
#
# Final polite "no-thanks" rejection for everything not covered
# above.
ALL: ALL: DENY


at the end of /etc/hosts.allow should do.

Now in your *first* exim process that's accepting messages in
queue-only mode, you can include a router of the form:


# Router for our Cyrus domain.
cyrus_domain:
driver = accept
domains = +cyrus_domain
transport = cyrus_ltmp
verify_only = true
more = false


and a transport:


# Transport to deliver mail to the Cyrus IMAP server. We're
# going to shovel this down the loopback address using the ltmp
# protocol.
cyrus_ltmp:
driver = smtp
protocol = lmtp
hosts = 127.0.0.1
hosts_override = true
allow_localhost = true


and finally somewhere in your acl_smtp_rcpt ACL you can say:


  # Verify the recipient.  We don't want to accept stuff and
  # then find the Cyrus IMAP service won't accept it.
  deny    message = unroutable address.
          domains = +cyrus_domain
          ! verify = recipient/callout=defer_ok,random



The ",random" is probably unnecessary. The "callout=defer_ok" will
ensure exim accepts messages when the Cyrus server is down. So just
say:

          ! verify = recipient


if you don't want this to happen.

It's probably worth reading Sections 39.30 to 39.35 of the Fine
Manual.  These Sections deal with verification issues, callout
caching etc.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis@???               Phone: +44 1225 386101