> Fair enough. Can't you put the "deny hosts = !+relay_hosts" after these
> checks?
I'm afraid this wouldn't help as the message would have already been
accepted by "accept domains = +local_domains". (The problem is spammers
connect and set both the sender and recipient addresses to be in a local
domain).
I think the solution may be to remove rules rather than add them. Currently
the ACL is:
  accept  hosts = :
  require verify = sender
  accept  domains = +local_domains
          endpass
          message = "The recipient cannot be verified. Please check all recipients of this message to verify they are valid."
          verify = recipient
  accept  domains = +relay_domains
  warn    message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
          hosts = +relay_hosts
  accept  hosts = +relay_hosts
  warn    message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
          condition = ${perl{checkrelayhost}{$sender_host_address}}
  accept  condition = ${perl{checkrelayhost}{$sender_host_address}}
  accept  hosts = +auth_relay_hosts
          endpass
          message = $sender_fullhost is currently not permitted to \
                    relay through this server. Perhaps you \
                    have not logged into the pop/imap server in the \
                    last 30 minutes or do not have SMTP Authentication turned on in your email client.
          authenticated = *
  deny    message = $sender_fullhost is currently not permitted to \
                    relay through this server. Perhaps you \
                    have not logged into the pop/imap server in the \
                    last 30 minutes or do not have SMTP Authentication turned on in your email client.
I propose removing some of the earlier checks giving:
  accept  hosts = :
  require verify = sender
  accept  hosts = +relay_hosts
  warn    message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
          condition = ${perl{checkrelayhost}{$sender_host_address}}
  accept  condition = ${perl{checkrelayhost}{$sender_host_address}}
  accept  hosts = +auth_relay_hosts
          endpass
          message = $sender_fullhost is currently not permitted to \
                    relay through this server. Perhaps you \
                    have not logged into the pop/imap server in the \
                    last 30 minutes or do not have SMTP Authentication turned on in your email client.
          authenticated = *
  deny    message = $sender_fullhost is currently not permitted to \
                    relay through this server. Perhaps you \
                    have not logged into the pop/imap server in the \
                    last 30 minutes or do not have SMTP Authentication turned on in your email client.
This should allow the relay hosts before needing to do the POP-before-SMTP
check.
Testing this, however, is proving troublesome. I've saved exim.conf with the
above and am testing with exim -bh <IP-address>. Despite giving an IP
address that is listed in /etc/relayhosts (and so in +relay_hosts), the
output says "host in "+relay_hosts"? no (end of list)".
Any ideas, especially with it failing under exim -bh?
> A more radical solution which may be overkill for your situation but is
> good in the general case is to use something like Tony Finch's fantastic
> "personalities" idea:
>
> http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/doc/talks/2005-02-eximconf/paper.html#3.%20Multiple%20personalities
This is indeed interesting but, I feel, over the top for my setup.
--
PS: Tim, thanks for producing
http://www.webcamsinnorway.com/. I used the
site extensively before my trip there in 2004!
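
Added example (not part of the original message, and not Exim's own code): a small Python model of how a RCPT command is decided under the two ACLs quoted above, following the accept/require/deny/endpass rules so the effect of statement order is visible. It assumes the listings are the complete ACL, treats the verify, host list and Perl checks as given true/false inputs, and uses constructed sample cases; every name in it is hypothetical.

```python
# Added example: toy model of Exim ACL verb semantics, not Exim itself.
# Each statement is (verb, conditions_before_endpass, conditions_after_endpass).
# warn statements are left out because they never end ACL processing.

def run_acl(acl, msg):
    """Return 'accept' or 'deny' for one RCPT command described by msg."""
    for verb, before, after in acl:
        pre = all(msg[c] for c in before)
        post = all(msg[c] for c in after)
        if verb == "accept":
            if pre and post:
                return "accept"
            if pre:                      # a condition after endpass failed
                return "deny"
        elif verb == "require" and not (pre and post):
            return "deny"
        elif verb == "deny" and pre and post:
            return "deny"
    return "deny"                        # implicit deny at end of ACL

CURRENT = [
    ("accept",  ["local_submission"], []),            # hosts = :
    ("require", ["sender_verifies"], []),             # verify = sender
    ("accept",  ["rcpt_local"], ["rcpt_verifies"]),   # domains = +local_domains
    ("accept",  ["rcpt_relay_domain"], []),           # domains = +relay_domains
    ("accept",  ["relay_host"], []),                  # hosts = +relay_hosts
    ("accept",  ["pop_before_smtp"], []),             # perl checkrelayhost
    ("accept",  ["auth_relay_host"], ["authenticated"]),
    ("deny",    [], []),
]
# Proposed ACL: the same list without the two "accept domains = ..." statements.
PROPOSED = [s for s in CURRENT if s[1] not in (["rcpt_local"], ["rcpt_relay_domain"])]

def rcpt(**flags):
    """Build one constructed scenario; facts not given default to False."""
    keys = ("local_submission sender_verifies rcpt_local rcpt_verifies "
            "rcpt_relay_domain relay_host pop_before_smtp auth_relay_host authenticated")
    return {k: flags.get(k, False) for k in keys.split()}

SAMPLES = {  # constructed cases, not taken from real logs
    "forged local sender to local user": rcpt(sender_verifies=True, rcpt_local=True, rcpt_verifies=True),
    "relay host to outside address": rcpt(sender_verifies=True, relay_host=True),
    "unknown host to outside address": rcpt(sender_verifies=True),
}

def compare():
    """Map each sample name to (decision under CURRENT, decision under PROPOSED)."""
    return {name: (run_acl(CURRENT, m), run_acl(PROPOSED, m)) for name, m in SAMPLES.items()}
```

In this model the first sample carries the same inputs as any ordinary inbound message to a local user, since the ACL cannot tell a forged local sender from a real one once sender verification passes.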