[exim] Trouble/misunderstanding verifiying...

Etusivu
Poista viesti
Vastaa
Lähettäjä: Marco Gaiarin
Päiväys:  
Vastaanottaja: exim-users
Aihe: [exim] Trouble/misunderstanding verifiying...

I've migrated all my server from debian woody to debian sarge some
weeks ago, and so i've moved my server from exim3 to exim4.

My exim3 config file was build starting from debian default ad adding
features, most notably a redirection/aliases looking up data in ldap
database.

Building the exim4 config file i've merged the debian default file
(cleaned up by most of the conditional stuff, i'm using one static file
and no debconf) adding some stuff from exim3 file.

I've tested a bit, and seems that all was working, but yesterday i've
hit a major flaw, that i'm not able to solve/understand.

My snippet for ldap redirection are:

  USER_LDAP_REDIRECT_QUERY = ldap:///ou=People,dc=sv,dc=lnf,dc=it?mailRoutingAddress?sub?(uid=$local_part)}
  QualifyDomain = sv.lnf.it
  [...]
  .ifdef USER_LDAP_REDIRECT_QUERY
  user_ldap_redirect:
    driver = redirect
    domains = QualifyDomain
    data = ${lookup ldapm {USER_LDAP_REDIRECT_QUERY}
    check_ancestor
    #check_local_user
    #no_verify
  .endif


but i've verified my trouble also using plain /etc/aliases (
system_aliases router, copied from debian default untouched), so seems
no a problem about this.

Some behaviour:

+ if i put check_local_user all work, apart from users for which i've
removed POSIX and Samba data (old employee that exist in ldap tree
only to have a forward to some other mailbox), and this is expected
reading the exim docs
+ if i put more that one mailRoutingAddress field, all work, again as
expected
+ if i put local redirection, all works.
+ if i put ``remote'' redirection (an email external to our
organization), redirecion fail ever, with or without no_verify
+ if i put ``internal'' redirection (an email to another branch of our
organization), redirection fail if i set no_verify (?!)

Clearly seems not a router problem, if i test addresses in -bt all
redirection works as expected, fail only in -bv mode (and on normal use
;).


This server is an ``internal'' server, that handle mail (via mx or
explicit routing) to other offices in our organization, all offices
connected via VPN. For internal routing i've setup callout
verification.
All mail not ``internal'' (internet) are redirected to a mail
router/firewall that send to the internet.

There's only two ACL that handle recipient verification, pratically
copied by the debian exim default:

  accept
    domains = +local_domains
    endpass
    message = unknown user
    verify = recipient


  accept
    domains = +relay_to_domains
    endpass
    .ifdef CHECK_RCPT_GIVE_UNKNOWN_USER
    message = ${if eq{$acl_verify_message}{Unrouteable address}{unknown user}{$acl_verify_message}}
    .else
    message = unrouteable address
    .endif
    verify = recipient/callout


where +local_domains contains... local domains ;), and +relay_to_domains
pratically all other internal domains, i'm one of the two main internal
mail hub.


The verification error hit the first one, so seems that after the
expansion the expanded address (remote) are checked as if it is on
+local_domains.


I've to explicitly ``reset'' the acl? what i'm missing/doing wrong?


Many thanks.

-- 
dott. Marco Gaiarin                    GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''                http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  gaio(at)sv.lnf.it        tel +39-0434-842711    fax +39-0434-842797


            Grazie parlamento europeo!
        http://punto-informatico.it/p.asp?i=53925&r=PI