Re: [exim] BATV and sender verification - non-local_domainss…

Author: Dave Evans
Date:  
To: exim-users
Subject: Re: [exim] BATV and sender verification - non-local_domains situation
On Mon, Dec 17, 2007 at 10:29:35AM +0300, Odhiambo Washington wrote:
> I'd very much love to see the relevant parts of your config if they
> are significantly different than those on the url I am referring to,
> or if they apply to a situation like mine.


Fair enough. Of course, you'll have to adjust some of the addresslist bits
below.

Step 1: Pick a secret:

PRVS_SECRET=some-secret-goes-here

Step 2: Decode any incoming prvs addresses (there won't be any yet, because
you're not signing your outgoing mail; but you want this to be in place by the
time you /do/ start signing, in step 3).

addresslist prvs_check_signed = *@+our_domains

begin routers

  # prvs redirect
  prvs:
      condition = ${if match_address{$local_part@$domain}{+prvs_check_signed}}
      driver = redirect
      allow_fail
      data = ${prvscheck {$local_part@$domain}{PRVS_SECRET}\
          {${if eq{$prvscheck_result}{1} {$prvscheck_address}{:fail:Unrouteable address}}}\
      }


Step 3: Sign outgoing mail:

addresslist prvs_sign_outgoing = *@+our_domains

begin transports

  remote_smtp:
      driver = smtp
      return_path = ${if match_address{$return_path}{+prvs_sign_outgoing} \
          {${prvs {$return_path} {PRVS_SECRET}}}\
          fail\
      }


Step 4: Deny bounces to non-signed addresses:

addresslist prvs_require_signed = *@+our_domains

acl_check_predata:

      # Deny if it's a bounce to a bad address
      # This is so that callouts here work, but bogus bounces are rejected
      deny
          senders = :
          # !acl = acl_prvs_exceptions - you might want some exceptions to apply...
          condition = ${if !eq {${prvscheck {$recipients}{PRVS_SECRET}{$prvscheck_result}}}{1}}
          condition = ${if match_address{$recipients}{+prvs_require_signed}}
          message = Bounces to $recipients are rejected - this address does not send mail


Step 5: Deny outsiders claiming to be me:

(in acl_check_mail):

      # Deny outsiders claiming to be me, without PRVS
      deny
          # !acl = acl_prvs_exceptions - you might want some exceptions to apply...
          senders = +prvs_require_signed
          condition = ${if !eq {${prvscheck {$sender_address}{PRVS_SECRET}{$prvscheck_result}}}{1}}
          message = This address does not send mail


And that's it. Take it slowly, in order. In particular, leave a gap of
a good couple of weeks between steps 3 and 4.

I read the other day someone saying that prvs had problems with casefulness.
They might be right - I only send with lower case local parts, and don't have a
caseful configuration, and it works for me.

Of course if anyone spots anything hideously wrong with the above... :-)

--
Dave Evans
http://djce.org.uk/
http://djce.org.uk/pgpkey
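Added example, not part of Dave's post and not Exim's own code: a small Python model of what `${prvs{...}}` (step 3) and `${prvscheck{...}}` (steps 2, 4 and 5) compute, so the signing/verification behind the config can be checked offline. The tag layout it assumes (key digit, three-digit day stamp, first six hex digits of HMAC-SHA1 over key digit + day stamp + address, seven-day validity, day counter wrapping at 1000) is my reading of Exim's implementation, not something the post states; the secret, addresses and timestamps are constructed.

```python
import hashlib
import hmac
import re
import time

# Assumed tag layout: prvs=<key digit><3-digit day stamp><6 hex chars>=<local>@<domain>
PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)@(.+)$", re.IGNORECASE)
VALIDITY_DAYS = 7  # assumed signature lifetime


def day_stamp(now, offset_days=0):
    """Three-digit day counter: days since the epoch (plus offset), modulo 1000."""
    return "%03d" % ((int(now) // 86400 + offset_days) % 1000)


def prvs_hash(secret, key_num, stamp, address):
    """First six hex digits of HMAC-SHA1(secret, key_num + stamp + address)."""
    msg = (key_num + stamp + address).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha1).hexdigest()[:6]


def prvs_sign(address, secret, key_num="0", now=None):
    """Signed return path, the role of ${prvs{$return_path}{PRVS_SECRET}} in step 3."""
    now = time.time() if now is None else now
    local, domain = address.rsplit("@", 1)
    stamp = day_stamp(now, VALIDITY_DAYS)
    tag = prvs_hash(secret, key_num, stamp, address)
    return f"prvs={key_num}{stamp}{tag}={local}@{domain}"


def prvs_check(signed, secret, now=None):
    """Mirror of ${prvscheck}: returns (decoded address or None, signature valid?).

    None means the input is not a prvs address at all (the step 2 router declines);
    (address, False) is a forged, mis-keyed or expired tag (steps 4/5 deny).
    """
    now = time.time() if now is None else now
    m = PRVS_RE.match(signed)
    if not m:
        return None, False
    key_num, stamp, tag, local, domain = m.groups()
    address = f"{local}@{domain}"
    expected = prvs_hash(secret, key_num, stamp, address)
    if not hmac.compare_digest(expected, tag.lower()):
        return address, False
    today, expire = int(day_stamp(now)), int(stamp)
    # The day counter wraps at 1000: a small expiry seen just before the wrap is still ahead.
    if expire < VALIDITY_DAYS and today >= 1000 - VALIDITY_DAYS:
        today = 0
    return address, expire >= today
```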