On Wed, 2005-09-14 at 18:49 +0100, Tony Finch wrote:
> If you do verify=recipient or verify=sender in the ACL then the address is
> run through the routers. I use this to record the final address, after
> aliases have been resolved, in $address_data, in order to implement some
> security restrictions.
I'm *very* close to having this configuration working. I'm hoping this
is the last issue.
Here's what I've done:
I set up a macro:
CE_ADDRDATA = user=$local_part \
restricted=${lookup {$local_part} \
dbm {/etc/exim4/restricted_accounts.db} \
{yes} {no} } \
valid_doms=${lookup {$local_part} \
dbm {/etc/exim4/restricted_accounts.db} }
The restricted_accounts.db is built from a file that looks like:
bob: company.com : mail.company.com
Each user potentially can have several valid exceptions to their
restriction, so I set it up as a list.
Then I set up a router that gets run after all address translation that
looks like this:
local_verify:
driver = accept
verify_only
domains = localhost
address_data = CE_ADDRDATA
Now for the fun bit - the acl entries.
# First, make sure restricted users can't send out of the domain
deny
authenticated = *
message = You are not allowed to send outside of your domain
condition = ${if exists{/etc/exim4/restricted_accounts.db} }
! domains = ${lookup {$authenticated_id} \
dbm {/etc/exim4/restricted_accounts.db} \
{$value} {*} }
log_message = Blocked message from restricted user
\"$authenticated_id\" to domain \"$domain\". User restricted to sending
to
\"${lookup{$authenticated_id}dbm{/etc/exim4/restricted_accounts.db}}\".
# If you're a restricted user and the sender isn't authenticated, fail
deny
verify = recipient
message = Only authenticated senders permitted to send to this
user.
! authenticated = *
condition = ${extract {restricted}{$address_data} }
log_message = Non authenticated delivery failed for local
restricted user \"${extract {user}{$address_data} }\".
# Now make sure restricted users don't receive from outside their domain
deny
verify = recipient
message = User is restricted from receiving external email.
condition = ${extract {restricted}{$address_data} }
! sender_domains = ${extract {valid_doms}{$address_data} }
log_message = Blocked message for restricted user
\"${extract{user}{$address_data} }\" from domain
\"$sender_address_domain\". User restricted to receiving from
\"${extract {valid_doms}{$address_data} }\".
Here's the problem. The last acl rule doesn't seem to recognize
anything besides the first item in any given list. I'm sure this is
just some kind of issue where I need to escape something properly, but
I'm not quite sure how. I tried changing the restricted users file to
look like this:
"bob: company.com : mail.company.com"
(added quotes around it) but then the first acl (the one that restricts
outbound) didn't work.
Any thoughts?
Thanks again for the help folks! I'm very close to having this all
working right!
--
"Maybe I'll be able to get a job when I graduate..."
-Linus Torvalds
Cole Tuininga
Lead Developer
Code Energy, Inc
colet@???
PGP Key ID: 0x43E5755D
