Phil Pennock wrote:
> There's more than one way to do it.

Thank you and that'll help quite a bit. I must admit I am not that
familiar with Exim configurations, since I can mostly rely on Debian's
configuration system.

> Option 1a: Embed the permissions policy directly in the Router which
> sends email out (whether a smarthost or a dnslookup Router)
>
> Option 1b: Embed the policy in an ACL and check the policy in the
> Router, via an intermediate variable such as $acl_c_permitoutbound.
>
> Option 2: change the RCPT ACL so that remote delivery is only permitted
> if the policy is matched; that ties the logic directly in to the point
> where this decision is made.

Does the below apply to options 1a and 1b?

> On the Router, one of:
> condition = ${if =={$received_port}{24}}
> condition = ${if =={$acl_c_permitoutbound}{1}}
>
> require message = relay not permitted
> domains = +local_domains : +relay_to_domains
> condition = ${if =={$received_port}{24}}

Would adding the "condition =" statement be enough to allow email to be
sent out if delivered on port 24? I understand I should ask this on the
Debian Exim list, but maybe someone has the answer.

Exim is configured to send to a smarthost and the below configuration
section applies:

  smarthost:
    debug_print = "R: smarthost for $local_part@$domain"
    driver = manualroute
    domains = ! +local_domains
    transport = remote_smtp_smarthost
    route_list = * DCsmarthost byname
    host_find_failed = defer
    same_domain_copy_routing = yes

Apart from "condition = ${if =={$received_port}{24}}" what would I have
to add/edit here to make the above work? I assume something like:

    driver = dnslookup
    domains = ! +local_domains
    transport = remote_smtp

But I am unsure as to how to incorporate it in the configuration file.

> If you want to check that the mail was received from this machine, on
> port 24, then:
>
> condition = ${if and{{=={$received_port}{24}}\
> {match_ip{$received_ip_address}{@[]}}}}

Could I substitute $received_ip_address with the actual IP, 127.0.0.1 in
this case? Of course this would not really be necessary since localhost
can't be reached from the outside. But if I didn't do that and the
listening port were changed to an external one, there would suddenly be
an open relay.

Thank you,
Jeroen
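
The router-side check from option 1a applied to the smarthost Router quoted in this message, as an added example that is not part of the original post or of Debian's shipped configuration. It reuses the condition Phil Pennock gives above unchanged; the commented-out variant with a literal 127.0.0.1 is an assumption added here for comparison.

```exim
smarthost:
  debug_print = "R: smarthost for $local_part@$domain"
  driver = manualroute
  domains = ! +local_domains

  # Added precondition: this Router only runs for messages that arrived
  # on port 24 AND on one of this host's own interface addresses (@[]).
  # Checking the interface as well as the port means that a later change
  # of the listener to a different port or address does not silently
  # widen who can relay.
  condition = ${if and{{=={$received_port}{24}}\
                       {match_ip{$received_ip_address}{@[]}}}}

  # Stricter variant (assumption, not from the thread): accept loopback
  # only, instead of any local interface address.
  # condition = ${if and{{=={$received_port}{24}}\
  #                      {match_ip{$received_ip_address}{127.0.0.1}}}}

  transport = remote_smtp_smarthost
  route_list = * DCsmarthost byname
  host_find_failed = defer
  same_domain_copy_routing = yes
```

A message that fails the condition skips this Router and is offered to the next Router in the configuration; it is not rejected by this Router itself.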