Re: [exim] Limiting incoming connections on a per-domain bas…

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] Limiting incoming connections on a per-domain basis
Steve Sobol wrote:
> Exim 4.50, CentOS Linux 4.something
>
> I have a mail server that handles a small number of domains, around 20
> total. Five of those domains are spam-filtered through an external service
> and mail to those domains should ONLY be delivered through that company's
> SMTP servers. But I can't just tell exim to stop accepting mail sent
> directly to it, because that will break a bunch of other domains that
> AREN'T filtered, for which exim SHOULD accept mail directly.
>
> How do I tell Exim to only accept messages handed off from a particular
> block of IPs, but *only* for certain domains?

Maybe just my contrarian view of semantics, but I interpret that as:

"Accept mail for (most) domains from any source."

"Accept mail from (certain specific) domains ONLY from (one, or a short list of)
specific IP(s)."

- In which case, others here may have better methods... but the way we do it
(not optimal, but flexible) is:

- Establish a list or DB table of the 'restricted' domains. Optionally, users
within said domains.

- Establish a list or DB table of the acceptable IPs or hostnames permitted to
send to those domains. (Optionally users within... etc.)

Match on the source IP or hostname first, simply because it is available first
(CONNECT SMTP phase), setting a flag in an acl_c(x) variable on match.
We use a simple string-match for this, not a callout or DNS lookup.

On entering the RCPT TO phase, copy the acl_c(x) variable to an acl_m(x) variable.

This because there can be multiple runs thru RCPT TO for a given CONNECT, and
not all are *necessarily* destined for the same domain among the several you may
host (though, in fact, they usually WILL be so grouped with most MTA or MLM
arrivals).

Match on restricted domains in the RCPT TO phase and test against the above 'flag'
variable. IF/AS/WHEN restricted domain matches and acl_m(x) variable is NOT set
from an approved source IP, 'handle' as you wish.

Where 'handle' might be deny, or simply to apply / not apply other local acl
tests, spam filtering, divert to quarantine folder delivery ..etc.

Provision for multiple passes through RCPT TO per connection does not cover ALL
mixed-destination arrival possibilities - you would need to restrict each
arrival to delivery of only one message to do that. Best avoided unless there
are no other options.

With typical arrivals, this works 'well enough' for us even on the basis of:

RCPT TO <list of users>@<target domain>.<tld>

FROM <list of senders>@<source domain>.<tld>.

As used to ensure branch office & HQ staff can communicate even when using a
broken MX service... (neither Exim, nor under our control, thanx!)

HTH,

Bill
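Bill's flag-at-CONNECT, copy-and-check-at-RCPT scheme written out as an Exim 4 ACL fragment. This is an added illustration, not Bill's or the list's own configuration; the list names, the placeholder IP ranges and domains, and the choice of slots acl_c0/acl_m0 are assumptions.

```exim
# --- main configuration section (assumed names and placeholder values) ---

# Domains that must only arrive via the external filtering service.
domainlist restricted_domains = filtered-example.com : filtered-example.net

# Source addresses of that service (placeholder ranges; replace with the
# block(s) the provider publishes).
hostlist   filter_hosts = 192.0.2.0/24 : 198.51.100.5

acl_smtp_connect = acl_check_connect
acl_smtp_rcpt    = acl_check_rcpt

begin acl

acl_check_connect:
  # CONNECT phase: the peer address is the first thing we know, so set the
  # flag here.  acl_c variables persist for the whole SMTP connection.
  # A plain host-list match, no callout or DNS lookup involved.
  warn  hosts = +filter_hosts
        set acl_c0 = approved

  accept

acl_check_rcpt:
  # RCPT TO phase: copy the connection flag into a per-message variable.
  # acl_m variables are reset for every message, so each message on a
  # multi-message connection starts from the value set at CONNECT.
  warn  set acl_m0 = $acl_c0

  # Restricted domain and the flag is NOT set: 'handle' as you wish.
  # Here the handling is an outright deny; swapping 'deny' for 'warn' with
  # a 'set acl_m1 = quarantine' would instead leave a marker for later
  # ACLs or routers to act on.
  deny  domains   = +restricted_domains
        condition = ${if eq{$acl_m0}{approved}{no}{yes}}
        message   = Mail for $domain is accepted only via the filtering service

  # Everything else (unrestricted domains, or restricted domains from an
  # approved source) continues into the site's usual recipient checks.
  accept domains = +restricted_domains
  accept domains = +local_domains
  deny   message = relay not permitted
```

Because the flag is checked per recipient rather than per connection, a single message addressed to both a restricted and an unrestricted domain is handled recipient by recipient, which is the "multiple passes through RCPT TO" case Bill describes.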