[exim] Trouble/misunderstanding verifiying...

Author: Marco Gaiarin
Date:  
To: exim-users
Subject: [exim] Trouble/misunderstanding verifiying...

I migrated all my servers from Debian woody to Debian sarge some
weeks ago, and so I moved my server from exim3 to exim4.

My exim3 config file was built starting from the Debian default and adding
features, most notably a redirection/aliases router looking up data in an LDAP
database.

Building the exim4 config file I merged the Debian default file
(cleaned up of most of the conditional stuff; I'm using one static file
and no debconf), adding some stuff from the exim3 file.

I tested a bit, and it seemed that all was working, but yesterday I
hit a major flaw that I'm not able to solve/understand.

My snippet for LDAP redirection is:

  USER_LDAP_REDIRECT_QUERY = ldap:///ou=People,dc=sv,dc=lnf,dc=it?mailRoutingAddress?sub?(uid=$local_part)
  QualifyDomain = sv.lnf.it
  [...]
  .ifdef USER_LDAP_REDIRECT_QUERY
  user_ldap_redirect:
    driver = redirect
    domains = QualifyDomain
    data = ${lookup ldapm {USER_LDAP_REDIRECT_QUERY}}
    check_ancestor
    #check_local_user
    #no_verify
  .endif
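As an added illustration, not part of the original post and not Debian's or Exim's own configuration: the same router with the local part passed through Exim's quote_ldap operator, so that a local part containing LDAP filter metacharacters cannot change the shape of the query. Macro, router and domain names are taken from the snippet above; the comments state what each option does according to the Exim specification.

```exim
# Added example, not from the original post: LDAP redirect router with the
# local part quoted before it is placed inside the LDAP search filter.
USER_LDAP_REDIRECT_QUERY = ldap:///ou=People,dc=sv,dc=lnf,dc=it?mailRoutingAddress?sub?(uid=${quote_ldap:$local_part})
QualifyDomain = sv.lnf.it

user_ldap_redirect:
  driver = redirect
  domains = QualifyDomain
  # ldapm may return several entries and several attribute values; the
  # result comes back newline- or comma-separated, and a redirect router
  # accepts both separators in its list of generated addresses.
  data = ${lookup ldapm {USER_LDAP_REDIRECT_QUERY}}
  # Refuse a generated address that is an ancestor of the current one
  # (stops a user -> alias -> same user loop).
  check_ancestor
  # no_verify deliberately left unset: when it is set, this router is
  # skipped while an address is only being verified (exim -bv, or
  # verify = recipient in an ACL), and the address falls through to
  # whatever routers follow it.
```

The quoting matters because $local_part is attacker-controlled input on an SMTP server: it arrives in RCPT TO before any verification has happened, and an unquoted value is interpolated straight into the filter string.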


but I have verified my trouble also using plain /etc/aliases (the
system_aliases router, copied untouched from the Debian default), so it seems
not to be a problem with this.

Some behaviour:

+ if I put check_local_user everything works, apart from users for whom I've
removed POSIX and Samba data (old employees that exist in the LDAP tree
only to have a forward to some other mailbox), and this is expected
reading the exim docs
+ if I put more than one mailRoutingAddress field, all works, again as
expected
+ if I put a local redirection, all works.
+ if I put a ``remote'' redirection (an email external to our
organization), the redirection always fails, with or without no_verify
+ if I put an ``internal'' redirection (an email to another branch of our
organization), the redirection fails if I set no_verify (?!)

Clearly it seems not to be a router problem: if I test addresses with -bt all
redirections work as expected; they fail only in -bv mode (and in normal use
;).


This server is an ``internal'' server that handles mail (via MX or
explicit routing) to other offices in our organization, all offices
connected via VPN. For internal routing I've set up callout
verification.
All non-``internal'' (internet) mail is redirected to a mail
router/firewall that sends to the internet.

There are only two ACLs that handle recipient verification, practically
copied from the Debian exim default:

  accept
    domains = +local_domains
    endpass
    message = unknown user
    verify = recipient


  accept
    domains = +relay_to_domains
    endpass
    .ifdef CHECK_RCPT_GIVE_UNKNOWN_USER
    message = ${if eq{$acl_verify_message}{Unrouteable address}{unknown user}{$acl_verify_message}}
    .else
    message = unrouteable address
    .endif
    verify = recipient/callout


where +local_domains contains... local domains ;), and +relay_to_domains
practically all other internal domains; I'm one of the two main internal
mail hubs.


The verification error hits the first one, so it seems that after the
expansion the expanded (remote) address is checked as if it were in
+local_domains.


Do I have to explicitly ``reset'' the ACL? What am I missing/doing wrong?


Many thanks.

-- 
dott. Marco Gaiarin                    GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''                http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  gaio(at)sv.lnf.it        tel +39-0434-842711    fax +39-0434-842797


            Thank you, European Parliament!
        http://punto-informatico.it/p.asp?i=53925&r=PI