[exim] Exim ACL to allow message with condition

Author: Sebastian Berm
Date:  
To: exim-users
Subject: [exim] Exim ACL to allow message with condition
Hi,

First of all, thank you for reading this message.


Some time ago, I had a lot of problems with bounces being received,
because the From field was forged by spammers.
I did this by following
http://psg.com/%7Ebrian/software/authbounce/configure-authbounce.txt.

However, as this message states, it's not a very good solution; some
problems are being caused by it.
I was wondering, I now have this:

<do some RBL stuff>

# default at end of acl causes a "deny", but line below will give
# an explicit error message:
  deny    message = relay not permitted


# ACL that is used after the DATA command
check_message:
  deny  senders = :
        condition = ${if ! eq{$recipients_count}{1}{1}}
        message = Bounces must have only a single recipient



  deny  senders = :
        ! condition = ${if match \
                        {$message_body $message_body_end} \
                        {[xX]-bounce-key:\\s*BOUNCE_ID;${rxquote:${lc:$recipients}};(\\d+);(\\w+)} \
                        {${if eq {$2} \
                          {${length_8:${md5:BOUNCE_ID;${lc:$recipients};$1;BOUNCE_SECRET}}} \
                          {${if <{${sg{${eval:$tod_epoch-$1}}{-}{}}}{864000}{1}}}}}}
        message = Bounce does not contain a valid X-bounce-key signature \
                  so not accepting message


accept



But what I want to try now, is creating compatibility for the widely used
'Disposition' header, so all messages with this tag (or
'Disposition-Notification-To' tag) should be accepted before the
bounce-key is checked (which is created by using the headers_add on
remote_smtp time).
But my knowledge of the ACL system isn't much more than just being able
to read most of it.

Could something like this work?


# ACL that is used after the DATA command
check_message:
  deny  senders = :
        condition = ${if ! eq{$recipients_count}{1}{1}}
        message = Bounces must have only a single recipient



  accept  senders = :
        regex = [dD]isposition.*:


  deny  senders = :
        ! condition = ${if match \
                        {$message_body $message_body_end} \
                        {[xX]-bounce-key:\\s*BOUNCE_ID;${rxquote:${lc:$recipients}};(\\d+);(\\w+)} \
                        {${if eq {$2} \
                          {${length_8:${md5:BOUNCE_ID;${lc:$recipients};$1;BOUNCE_SECRET}}} \
                          {${if <{${sg{${eval:$tod_epoch-$1}}{-}{}}}{864000}{1}}}}}}
        message = Bounce does not contain a valid X-bounce-key signature \
                  so not accepting message


accept


That way I accept messages which aren't yet processed by the bounce-key
check, which sometimes won't contain the bounce key, but will most
likely have Disposition somewhere in the message (header or body).
But if this would work, all messages with the word disposition with a
':' after it will just be accepted, so I also want to add a condition:
the bounce-key should *not* exist. That way messages without a bounce
key, but with disposition, will be accepted, and other messages will just
be checked by the standard bounce-key checker.
Am I on the right track here?
If not, could anyone perhaps kick me to the right track?


--
Regards,
Sebastian Berm
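As an added illustration (not code from the post, from Exim or from the authbounce recipe), the same logic modelled in Python: bounce_key() builds the value headers_add attaches on outgoing mail (ID;recipient;epoch;first 8 hex chars of md5), and check_bounce() applies the proposed ACL order for a null-sender message: Disposition present and no key at all is accepted, otherwise the key's signature and age are verified. BOUNCE_ID, BOUNCE_SECRET, the function names and the sample addresses are constructed placeholders.

```python
import hashlib
import re

# Constructed placeholders: the real values come from the site's Exim config.
BOUNCE_ID = "example-id"
BOUNCE_SECRET = "example-secret"
MAX_AGE = 864000  # seconds, same limit as the ACL's ${if <{...}{864000}}


def bounce_key(recipient: str, sent_at: int) -> str:
    """Value headers_add puts in X-bounce-key: ID;rcpt;epoch;sig, where sig is
    the first 8 hex chars of md5("ID;rcpt;epoch;SECRET") (Exim length_8/md5)."""
    rcpt = recipient.lower()
    digest = hashlib.md5(
        f"{BOUNCE_ID};{rcpt};{sent_at};{BOUNCE_SECRET}".encode()).hexdigest()
    return f"{BOUNCE_ID};{rcpt};{sent_at};{digest[:8]}"


def check_bounce(body: str, recipient: str, now: int) -> tuple[bool, str]:
    """Model of the proposed check_message ACL for a message with an empty
    sender. 'recipient' plays the role of ${lc:$recipients}, 'now' of $tod_epoch."""
    rcpt = recipient.lower()
    # Same pattern as the ACL: the key must name this recipient exactly.
    key_re = re.compile(r"[xX]-bounce-key:\s*" + re.escape(BOUNCE_ID)
                        + ";" + re.escape(rcpt) + r";(\d+);(\w+)")
    m = key_re.search(body)
    # Proposed shortcut: a Disposition header and no bounce key at all -> accept.
    if m is None and re.search(r"[dD]isposition.*:", body):
        return True, "disposition header, no bounce key"
    if m is None:
        return False, "no X-bounce-key"
    sent_at, sig = int(m.group(1)), m.group(2)
    expected = hashlib.md5(
        f"{BOUNCE_ID};{rcpt};{sent_at};{BOUNCE_SECRET}".encode()).hexdigest()[:8]
    if sig != expected:
        return False, "bad signature"
    # abs() mirrors the ${sg{...}{-}{}} that strips a minus sign from the age.
    if abs(now - sent_at) >= MAX_AGE:
        return False, "key too old"
    return True, "valid bounce key"
```

A message that carries a key for this recipient never takes the Disposition shortcut, so a key with a wrong signature is still rejected even when a Disposition header is present.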