Re: [exim] Restricting sending/receipt

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Cole Tuininga
Datum:  
To: exim-users
Betreff: Re: [exim] Restricting sending/receipt
On Wed, 2005-09-14 at 18:49 +0100, Tony Finch wrote:
> If you do verify=recipient or verify=sender in the ACL then the address is
> run through the routers. I use this to record the final address, after
> aliases have been resolved, in $address_data, in order to implement some
> security restrictions.


I'm *very* close to having this configuration working. I'm hoping this
is the last issue.

Here's what I've done:

I set up a macro:

CE_ADDRDATA = user=$local_part \
              restricted=${lookup {$local_part} \
                           dbm {/etc/exim4/restricted_accounts.db} \
                           {yes} {no} } \
              valid_doms=${lookup {$local_part} \
                           dbm {/etc/exim4/restricted_accounts.db} }



The restricted_accounts.db is built from a file that looks like:
bob: company.com : mail.company.com

Each user potentially can have several valid exceptions to their
restriction, so I set it up as a list.


Then I set up a router that gets run after all address translation that
looks like this:

local_verify:
    driver           = accept
    verify_only
    domains          = localhost
    address_data     = CE_ADDRDATA



Now for the fun bit - the acl entries.

# First, make sure restricted users can't send out of the domain
  deny
     authenticated = *
     message       = You are not allowed to send outside of your domain
     condition     = ${if exists{/etc/exim4/restricted_accounts.db} }
   ! domains = ${lookup {$authenticated_id} \
                 dbm {/etc/exim4/restricted_accounts.db} \
                 {$value} {*} }
     log_message   = Blocked message from restricted user
\"$authenticated_id\" to domain \"$domain\".  User restricted to sending
to
\"${lookup{$authenticated_id}dbm{/etc/exim4/restricted_accounts.db}}\".


# If you're a restricted user and the sender isn't authenticated, fail
  deny
    verify        = recipient
    message       = Only authenticated senders permitted to send to this
user.
  ! authenticated = *
    condition     = ${extract {restricted}{$address_data} }
    log_message   = Non authenticated delivery failed for local
restricted user \"${extract {user}{$address_data} }\".


# Now make sure restricted users don't receive from outside their domain
  deny
    verify         = recipient
    message        = User is restricted from receiving external email.
    condition      = ${extract {restricted}{$address_data} }
  ! sender_domains = ${extract {valid_doms}{$address_data} }
    log_message    = Blocked message for restricted user
\"${extract{user}{$address_data} }\" from domain
\"$sender_address_domain\".  User restricted to receiving from
\"${extract {valid_doms}{$address_data} }\".



Here's the problem. The last acl rule doesn't seem to recognize
anything besides the first item in any given list. I'm sure this is
just some kind of issue where I need to escape something properly, but
I'm not quite sure how. I tried changing the restricted users file to
look like this:

"bob: company.com : mail.company.com"

(added quotes around it) but then the first acl (the one that restricts
outbound) didn't work.

Any thoughts?

Thanks again for the help folks! I'm very close to having this all
working right!

--
"Maybe I'll be able to get a job when I graduate..."
-Linus Torvalds

Cole Tuininga
Lead Developer
Code Energy, Inc
colet@???
PGP Key ID: 0x43E5755D