Re: [exim] Limiting incoming connections on a per-domain bas…

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] Limiting incoming connections on a per-domain basis
Odhiambo G. Washington wrote:

> * On 21/09/06 14:33 -0400, Steve Sobol wrote:
> |
> | Exim 4.50, CentOS Linux 4.something
> |
> | I have a mail server that handles a small number of domains, around 20
> | total. Five of those domains are spam-filtered through an external service
> | and mail to those domains should ONLY be delivered through that company's
> | SMTP servers. But I can't just tell exim to stop accepting mail sent
> | directly to it, because that will break a bunch of other domains that
> | AREN'T filtered, for which exim SHOULD accept mail directly.
> |
> | How do I tell Exim to only accept messages handed off from a particular
> | block of IPs, but *only* for certain domains?
>
> You could do this in acl_smtp_rcpt. Something like (off the top of my
> head):
>
> 1. Define the hosts (IPs)
>    hostlist  allowed_hosts = 1.2.3.4 : 3.4.5.6/30 : a.b.c.d/NN
>
> 2. Define those domains you want to accept mail for as a domainlist.
>
>    domainlist those_domains = blah
>
>
> Now, at an early stage in acl_smtp_rcpt:
>
>    deny  condition  = ${if match_domain {${domain:$h_to:}}{+those_domains}}
>          !hosts     = +allowed_hosts
>
>
> I am not sure how this will deal with cases where recipient is in the CC
> or BCC though.
>


"PUNG" applies.....

"Probably, Usually, Normally, Generally".

A correspondent MTA will not know prior to starting delivery runs that
<domain1>.<tld> and <domain2>.<tld> are hosted on the same virtual server IP, so
will run separate deliveries for the 'To:', 'CC:', 'Bcc:' not on the same domains.

If QMAIL is involved, ISTR that it will try to make multiple, parallel
connections - one for each message - anyway, so that one should be no
problem. (well... Qmail might be (mis)taken for a Zombie on a dark night...)

'Prefixes' of course, might throw a spanner into the works....

But the OP's situation - where the entire <domain>.<tld> is to get the same
treatment, should be amenable to any of several methods.

Bill
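
An added example, not part of the original thread: one way to express the per-domain restriction with Exim's `domains` and `hosts` ACL conditions, which test the envelope recipient and the connecting host. Message headers such as To: have not been received when acl_smtp_rcpt runs, so the envelope is what can be checked there. The list names, domain names and addresses (documentation ranges) are placeholders, and the ACL name acl_check_rcpt is assumed to be the one acl_smtp_rcpt points at.

```exim
# Added example; every name and address below is a placeholder.

# --- main configuration section ---

# Relays of the external filtering service (documentation address ranges).
hostlist   filter_relays    = 192.0.2.0/28 : 198.51.100.25

# Domains that must only arrive through the filtering service.
domainlist filtered_domains = filtered-one.example : filtered-two.example

# --- ACL section: place this statement at the top of the RCPT ACL ---

acl_check_rcpt:

  # Refuse any envelope recipient in a filtered domain unless the
  # connecting host is one of the filtering service's relays.
  # "domains" is evaluated once per RCPT command, so a recipient that
  # appeared only in Cc: or Bcc: is treated the same as one in To:.
  deny    message   = Mail for $domain is accepted only via its filtering service
          domains   = +filtered_domains
          !hosts    = +filter_relays

  # The existing statements of the RCPT ACL follow unchanged, so the
  # unfiltered domains are still accepted from any host.
```

Because the `deny` comes before the existing `accept` statements, a direct connection gets a 550 response for recipients in the filtered domains, while recipients in other domains on the same connection are unaffected.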