Re: [exim] relay and final rejection for exchange org.

Author: Ted Cooper
Date:  
To: Exim User's Mailing List
CC: Hancock, Scott
Subject: Re: [exim] relay and final rejection for exchange org.
>>-----Original Message-----
>>On Behalf Of Tony Finch
>>On Mon, 8 Aug 2005, Hancock, Scott wrote:
>>>It's not clear to me how that would prevent mail loops caused by mail
>>>originating inside the organization and allow traffic between them.
>>>Are you suggesting two lists defining who is on which exchange box?
>>
>>Yes, if that's your topology. You didn't explain it clearly before.
>>AFAICT from your vague explanation, the Exchange servers
>>don't know which addresses are valid so send everything to
>>the Exim machine. Something needs to know the list of valid
>>addresses, and since Exchange doesn't it'll have to be Exim.
>>Alternatively you might be able to do it by querying the AD:
>>see
>>http://www.exim.org/pipermail/exim-users/Week-of-Mon-20040816/075152.html
>>
>>Tony.


Hancock, Scott wrote:
> Please disregard that last email. I hit a shortcut for send.
>
> Exch1 = exchange server 1
> Exch2 = exchange server 2
>
> Incoming SMTP => sends to =>
> => Exim1 (clean email then relay, no local users) => send to =>
> => Exch1 (user not here send to Exch2) => send to =>
> => Exch2 (user not here either send to final exim) => send to =>
> => FinalExim (exim accepts mail but no local users for shared smtp
> domain, reject mail)
>
>
> That is the mail flow I'm trying to achieve. I think it is straightforward
> if I had another mail server.
>
> I'm trying to functionally make Exim1 be FinalExim based on if the mail
> came from Exch2 and it's destined for the shared SMTP name space.
>
> I hope that helps.
>
> I think you're suggesting put Exim in the middle of the exchange servers
> with a list of local users. I think that might be possible too but I
> was hoping to work it this way if possible. I'm leaving out a bunch of
> people issues associated with this migration. I'm not the only one
> involved. It is very likely a person would be moved or created without
> the list being updated properly. I could batch the whole thing but this
> termination point seems to avoid all that.


I'm pretty sure there's a better solution to your problem.
Using the AD query that Tony mentioned, you should be able to ask the AD for
the valid users from both exchange boxes at RCPT time. Then, based on the
domain or the valid query (or set acl variable), route the mail to the correct
exchange box using manual routes.
This means that any invalid recipients get rejected and they get rejected
before they spend 5 minutes being routed through exchange boxes and then being
bounced. Reduce the load etc. This will also stop you from being used as a bounce
spam source.
(If you've ever been the recipient of the wrong end of an exchange dictionary
attack, you'll hate it as much as I do)

However, regarding your initial query - yes, it should be possible. Using a
separate set of ACLs (restrict it to the one "hosts = ") accept it through to
the data stage (a bounce message now HAS to be created) and then use a
"decline" router with "no_more" set - voila, a bounce message.
IMHO, this is A Bad Idea. It goes against the whole idea of using exim (for me
anyway) - prevention of email crap and waste of bandwidth. You also become a
spam bounce source with an instant 4 extra received headers (lower score in
SA), and you've leaked all the internal information of your email servers to
the world.
Go with the AD solution.

Ted.
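The AD-lookup approach Ted recommends, sketched as an added Exim configuration fragment. This is example configuration written for this page, not code from the thread or from the Exim project. It assumes: the shared domain is example.com; Active Directory is reachable by LDAP at ad.example.internal; each mailbox object lists its SMTP addresses in proxyAddresses and names its home Exchange server in msExchHomeServerName (legacy DN ending in "cn=Servers/cn=EXCH1"); Exchange hosts are reachable as exch1.example.internal / exch2.example.internal; the bind DN and password are placeholders. Because the recipient check is done by `verify = recipient` at RCPT time, an unknown mailbox is refused before the message is accepted, so no bounce is generated and nothing loops through the Exchange boxes; per-recipient routing is done in the router rather than from an ACL variable, so a message with recipients on both servers is split correctly.

```exim
# ---- main section (merge into an existing configure) ----
domainlist shared_domains   = example.com          # assumption: the shared SMTP namespace
hostlist   relay_from_hosts = 192.168.0.0/16       # assumption: internal hosts incl. Exch1/Exch2
acl_smtp_rcpt = acl_check_rcpt

# Macro: home Exchange server of one recipient, or "" when AD has no such mailbox.
# Bind DN, password and LDAP host are placeholders for this example.
LDAP_HOME = ${lookup ldap{user="CN=eximlookup,CN=Users,DC=example,DC=internal" pass="PLACEHOLDER" \
              ldap://ad.example.internal/DC=example,DC=internal?msExchHomeServerName?sub?\
              (proxyAddresses=smtp:${quote_ldap:$local_part@$domain})}{$value}{}}

# ---- ACLs ----
begin acl

acl_check_rcpt:
  # Recipients in the shared domain must be routable. Running the routers here
  # rejects an unknown mailbox at RCPT time, before any data is accepted.
  deny    domains = +shared_domains
          !verify = recipient
          message = unknown user in $domain

  accept  domains = +shared_domains

  # Internal hosts (including the Exchange boxes) may relay outbound
  accept  hosts = +relay_from_hosts

  deny    message = relay not permitted

# ---- routers ----
begin routers

# Route each shared-domain recipient to the Exchange server that homes the
# mailbox: take the trailing "cn=<server>" of msExchHomeServerName and map it
# to <server>.example.internal (assumed naming). A missing mailbox makes the
# expansion fail, so the router declines and, with no_more, the address fails.
to_exchange:
  driver = manualroute
  domains = +shared_domains
  route_data = ${if match{LDAP_HOME}{\N/cn=([^/]+)$\N}{${lc:$1}.example.internal}fail}
  transport = remote_smtp
  no_more

# Everything else (outbound from internal hosts) goes out by MX lookup
internet:
  driver = dnslookup
  domains = ! +shared_domains
  transport = remote_smtp

# ---- transports ----
begin transports

remote_smtp:
  driver = smtp
```

A quick check after loading this: `exim -bv user@example.com` should report the exch1/exch2 host for a known mailbox and "Unrouteable address" for an unknown one, and an SMTP session from an internal host should get a 550 at RCPT for the unknown case instead of a later bounce.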