Re: [exim] Force valid sender domain from php

Top Page
Delete this message
Reply to this message
Author: Renaud Allard
Date:  
To: Will Harrison, exim users
Subject: Re: [exim] Force valid sender domain from php
I would do something like that in data ACL:

deny
condition = ${if match
{$header_from}{\N(domain1|domain2|domain3)\N}{no}{yes}}


Will Harrison wrote:
> Sorry - the regexp in data ACL. I think the other method may be more
> easily bypassed.
>
> Do you know if there are any examples of the regexp method as I am no
> exim expert.
>
>>>
>>>
>>> Renaud Allard wrote:
>>>> It will check the actual sender, the one in the "MAIL FROM:" SMTP
>>>> negotiation. This is the "return-path".
>>>>
>>>> Of course, if your php scripts send everything as "www@localhost" (php
>>>> mail() function I think) this won't be a good solution. So you should
>>>> use a php function which speaks SMTP and force php devs to use it.
>>>>
>>>> If you require that this happens with the "From:" header, you will have
>>>> to use a regexp in the data acl.
>>>>
>>>> Will Harrison wrote:
>>>>> Thank you Renaud
>>>>>
>>>>> Will this actually check the "From:" header or just the actual sender?
>>>>>
>>>>> Thanks again
>>>>>
>>>>> Will
>>>>>
>>>>> Renaud Allard wrote:
>>>>>> Of course, with something like that it should work:
>>>>>>
>>>>>> acl_check_rcpt:
>>>>>>
>>>>>>         accept
>>>>>>         hosts           = :
>>>>>>         endpass
>>>>>>         message         = Sending mails from
>>>>>> $sender_address_domain is
>>>>>> not permitted
>>>>>>         sender_domains  = +local_domains

>>>>>>
>>>>>>         accept
>>>>>>         authenticated   = *
>>>>>>         endpass
>>>>>>         message         = Sending mails from
>>>>>> $sender_address_domain is
>>>>>> not permitted
>>>>>>         sender_domains  = +local_domains

>>>>>>
>>>>>>
>>>>>> Will Harrison wrote:
>>>>>>> Can we restrict mails sent from the local host to only be allowed to
>>>>>>> have their sender/from address be from a valid domain in
>>>>>>> /etc/localdomains?
>>>>>>>
>>>>>>> If a php script is used by a spammer he will usually set the from
>>>>>>> address to something other than the real domain e.g.
>>>>>>> accounts@???. As paypal.com in not listed in localdomains can
>>>>>>> we reject it?
>>>>>>>
>>>>>>> I hope I am making sence. Thanks in advance.
>>>>>>>
>>>>>>> Will
>>>>>>>
>>>
>>
>