Re: [exim] Restricting sending/receipt

Author: Tony Finch
Date:  
To: Cole Tuininga
CC: exim-users
Subject: Re: [exim] Restricting sending/receipt
On Wed, 14 Sep 2005, Cole Tuininga wrote:
>
> CE_ADDRDATA = user=$local_part \
>               restricted=${lookup {$local_part} \
>                            dbm {/etc/exim4/restricted_accounts.db} \
>                            {yes} {no} } \
>               valid_doms=${lookup {$local_part} \
>                            dbm {/etc/exim4/restricted_accounts.db} }

>
> The restricted_accounts.db is built from a file that looks like:
> bob: company.com : mail.company.com
>
> # Now make sure restricted users don't receive from outside their domain
>   deny
>     verify         = recipient
>     message        = User is restricted from receiving external email.
>     condition      = ${extract {restricted}{$address_data} }
>   ! sender_domains = ${extract {valid_doms}{$address_data} }
>     log_message    = Blocked message for restricted user
> \"${extract{user}{$address_data} }\" from domain
> \"$sender_address_domain\".  User restricted to receiving from
> \"${extract {valid_doms}{$address_data} }\".

>
> Here's the problem. The last acl rule doesn't seem to recognize
> anything besides the first item in any given list. I'm sure this is
> just some kind of issue where I need to escape something properly, but
> I'm not quite sure how.


${extract has a very loose interpretation of whitespace and = signs, so it
can be easy to make a mistake (see section 11.5 of the spec) [1].
I *suspect* that it is not parsing your domain list as a single ${extract
item; you can check this by using exim -d+expand. Probably the right thing
to do is to quote the domain list like this
    bob:  "company.com : mail.company.com"


You tried this
    "bob:  company.com : mail.company.com"
which Exim interprets as a single long lookup key without any
corresponding value. (See section 9.2 of the spec.)


[1] For example, in my configuration file:

HERMES_ADDRDATA    = user=$local_part \
          suffix=${if eq{}{$local_part_suffix} \
                     {""} {$local_part_suffix} } \
          secure=${lookup {$local_part} \
                   cdb    {USERS/insecure.cdb} \
                          {no} {yes} }


The fiddling with $local_part_suffix is because a simple
suffix=$local_part_suffix fails if there is no suffix. The resulting
string looks like user=fanf2 suffix= secure=yes which ${extract parses
as user="fanf2" suffix="secure=yes"

Tony.
--
<fanf@???> <dot@???> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
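
The following is an added example, not code from this thread or from Exim. It is a simplified Python model of the named-field parsing described in the message, and it assumes a value is either a double-quoted string or a run of non-whitespace characters, with whitespace around `=` skipped and backslash escapes ignored. The sample strings are constructed from the values quoted in the message.

```python
# Simplified model (an assumption, not Exim source) of ${extract{key}{data}}.

def extract_field(key, data):
    """Return the value stored under `key` in `data`, or None if absent."""
    i, n = 0, len(data)
    while i < n:
        while i < n and data[i].isspace():        # skip leading whitespace
            i += 1
        if i >= n:
            break
        start = i
        while i < n and data[i] != "=" and not data[i].isspace():
            i += 1
        name = data[start:i]
        while i < n and data[i].isspace():        # whitespace before '='
            i += 1
        if i < n and data[i] == "=":
            i += 1
            while i < n and data[i].isspace():    # whitespace after '='
                i += 1
        if i < n and data[i] == '"':              # quoted value: keeps spaces
            end = data.find('"', i + 1)
            end = n if end == -1 else end
            value, i = data[i + 1:end], min(end + 1, n)
        else:                                     # bare value: stops at space
            start = i
            while i < n and not data[i].isspace():
                i += 1
            value = data[start:i]
        if name == key:
            return value
    return None

# Constructed address_data strings, following the CE_ADDRDATA layout.
UNQUOTED = "user=bob restricted=yes valid_doms=company.com : mail.company.com"
QUOTED = 'user=bob restricted=yes valid_doms="company.com : mail.company.com"'
# Constructed strings for the empty-suffix case from the footnote.
EMPTY_BARE = "user=fanf2 suffix= secure=yes"
EMPTY_QUOTED = 'user=fanf2 suffix="" secure=yes'

if __name__ == "__main__":
    for data in (UNQUOTED, QUOTED):
        print(repr(extract_field("valid_doms", data)))
    for data in (EMPTY_BARE, EMPTY_QUOTED):
        print(repr(extract_field("suffix", data)),
              repr(extract_field("secure", data)))
```

In this model the unquoted domain list yields only its first item, and the empty bare `suffix=` swallows the `secure` field, so a policy decision keyed on either field sees the wrong data.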