Re: [exim] alternative to local_part_suffix in ACL?

Pàgina inicial
Delete this message
Reply to this message
Autor: Chris Knadle
Data:  
A: exim-users
Assumpte: Re: [exim] alternative to local_part_suffix in ACL?
On Wednesday 01 February 2006 12:16, Marc Sherman wrote:
> Chris Knadle wrote:
> >    If I understand the above, this would involve an ACL after the message
> > has been recieved but before being sent so that it can be rejected before
> > the OK at the end of the SMTP session.  Is that correct?

>
> No. Read about address verification in ACLs:
> http://www.exim.org/exim-html-4.60/doc/html/spec.html/ch39.html#SECTaddress
>verification


Okay, I see it. I never needed to mangle the address in the ACL in the
first place, because a 'verify = recipient/<options>' passes the address
through the routers to do the verification. Since the ACL calling for
verification happens at RCPT time, so does the check through the routers.
That works -- I'll do that. I'll probably use the success_on_redirect
option during the verification, which hopefully will succeed on a redirect to
the same address.

Thank you very much for going through the trouble of pointing out the
appropriate link.

> Looking back at your original post, it looks like the only reason you're
> doing an LDAP lookup in the first place is to verify that the address is
> valid;


Yes, that is true -- however, the particular lookups we've been discussing
are for nonlocal domains. Actually, my becoming a backup MX for these
nonlocal domains is what prompted all of this work. I am planning on
entering in the recipient address list from the other domains that I am
relaying for, and thus only accepting email to addresses that the remote
email server will accept.
I'm aware that one typical method for dealing with this is recipient
callout verification + caching, but as discussed earlier on the list here,
this is not entirely fitting for backup MX purposes, or at least has some
issues associated with it. I'm also aware that this method poses issues
concerning keeping in sync with any email address changes, but that has been
deemed acceptable and the address list for these domains is relatively
static, so this does not pose a problem.

> you should replace that entire statement in your RCPT ACL with a
> simple
>
> accept
> domains=+local_domains

-> domains = example.net
> verify=recipient
>
> to delegate all address verification to your routers, where that logic
> belongs.


Yep -- got it.

Marc, thanks a lot. Now I have to go document this so that I don't forget
it. ;-)

    - Chris


--

Chris Knadle
Chris.Knadle@???