Re: [exim] BATV configuration

Author: David Saez Padros
Date:  
CC: exim-users
Subject: Re: [exim] BATV configuration
Hi

This configuration will make people using callouts reject your messages.
If you want to avoid this, you should use BATV checks at pre_data.

> After working on configuring Exim for BATV for a while and running into some
> problems, I wanted to pass on my configuration that got me working. Some of
> the information out there is a little out of date and it may help someone
> else to have a whole list of changes necessary.
>
> I'm somewhat of an Exim newcomer so some things may be wrong - corrections or
> comments are welcome; most of this I have cobbled together from multiple
> sources on the web.
>
> This setup is for the newer/newest draft of BATV where the format of the 
> address is: prvs=kdddhhhhhh=LOCAL_PART@DOMAIN
> This means that comments in the documentation about this stanza 
>   deny    message       = Restricted characters in address
>               domains       = +local_domains
>               local_parts   = ^[.] : ^.*[@%!/|]
> are no longer valid since BATV now uses '=' instead of '/'.
>
> Note, one addition that I may make in the future is to add a check for the
> number of recipients - real bounces go to only one destination. For automated
> messages to multiple recipients with a null MAIL FROM, my configuration
> below would block these; so a line with something like this: " !condition =
> ${if >{$rcpt_count}{1}}" would have to be added to the deny BATV unsigned
> bounces paragraph.
>
>
> # Main section
> ...
> BATVKEY = something
> ...
>
>
>
> # ACLs
> acl_check_rcpt:
>    ...
>   ## I put the BATV ACL at the end
>   # check that BATV signature is valid
>   deny    message       = invalid or expired BATV signature 
>           # Match null sender messages (DSN)
>           senders       = : 
>           control       = caseful_local_part 
>           condition     = ${prvscheck {$local_part@$domain}{BATVKEY}{1}} 
>           !condition    = $prvscheck_result 
>           control       = caselower_local_part
>
>   # deny BATV unsigned bounces
>   deny    message       = bounce is not BATV signed  
>           senders       = : 
>           condition     = ${if !match{$local_part}{^prvs=}}
>
>
>
> # Routers
> begin routers
> ## put the BATV routers at the top
> # I believe this is so that outbound (non-local) mail is BATV signed
> dnslookup_batv:
> driver = dnslookup
> condition = ${if match_domain{$sender_address_domain}{+local_domains}}
> domains = ! +local_domains
> transport = external_smtp_batv
> ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
>
> # I believe this is so the recipient address would be decoded
> batv_redirect:
> driver = redirect
> data = ${prvscheck {$local_part@$domain}{BATVKEY}}
> ...
>
>
>
> # Transports
> begin transports
> ...
> # (I believe that the placement of the transport stanza does not matter)
> external_smtp_batv:
> driver = smtp
> return_path = ${prvs {$return_path}{BATVKEY}}
> ...
>


--
Best regards ...

----------------------------------------------------------------
    David Saez Padros                http://www.ols.es
    On-Line Services 2000 S.L.       e-mail  david@???
    Pintor Vayreda 1                 telf    +34 902 50 29 75
    08184 Palau-Solita i Plegamans   movil   +34 670 35 27 53
----------------------------------------------------------------
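
Added example, not part of either poster's message and not Exim's own code: a Python model of signing and checking an address in the prvs=kdddhhhhhh=LOCAL_PART@DOMAIN form quoted above, including the unsigned-bounce case the second ACL stanza rejects. It assumes the construction described in the BATV draft (key digit, three-digit expiry day modulo 1000, first three bytes of an HMAC-SHA1 in hex); the key value, the 7-day lifetime and the function names are hypothetical.

```python
import hashlib
import hmac
import re

# Constructed sample key; stands in for the BATVKEY macro in the quoted config.
KEYS = {0: b"example-batv-secret"}
LIFETIME_DAYS = 7  # assumed validity window for a signed address

# local part layout: prvs= k ddd hhhhhh = original-local-part
PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-fA-F]{6})=(.+)$")


def _tag(key_num, day, address, key):
    """Build kdddhhhhhh: key digit, 3-digit day, 3 bytes of HMAC-SHA1 as hex."""
    head = f"{key_num}{day:03d}"
    mac = hmac.new(key, (head + address).encode(), hashlib.sha1).digest()
    return head + mac[:3].hex()


def prvs_sign(address, today, key_num=0):
    """Sign an envelope sender; `today` is whole days since the Unix epoch."""
    expiry = (today + LIFETIME_DAYS) % 1000
    return f"prvs={_tag(key_num, expiry, address, KEYS[key_num])}={address}"


def prvs_check(recipient, today):
    """Return (original_address, ok); an unsigned recipient gives (None, False)."""
    local, _, domain = recipient.rpartition("@")
    m = PRVS_RE.match(local)
    if not m:
        return None, False  # the "bounce is not BATV signed" case
    key_num, day, digest = int(m[1]), int(m[2]), m[3].lower()
    address = f"{m[4]}@{domain}"
    key = KEYS.get(key_num)
    if key is None:
        return address, False
    expected = _tag(key_num, day, address, key)[4:]
    if not hmac.compare_digest(expected, digest):
        return address, False  # forged or altered signature
    # Day numbers wrap at 1000, so measure the remaining lifetime modulo 1000.
    remaining = (day - today) % 1000
    return address, remaining <= LIFETIME_DAYS
```

The original local part is hashed byte for byte, so a change of case before the check alters the expected hash, which is why the quoted ACL wraps prvscheck in caseful_local_part.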