Author: Exim List
Date:
To: Mike Barnard
CC: exim-users
Subject: Re: [exim] how do I block mail to local domains except SMTP auth or trusted source?

Mike Barnard wrote:
>> I need a solution which will stop all mail to the host mail.domain.com
>> EXCEPT for (a) the trusted spam filter host and (b) anyone who authenticates
>> against the domain using SMTP AUTH. They should be allowed to relay through
>> their SMTP server or send mail to other users on the domain.
>>
>>
>
>
> as mentioned above, sending emails is not your problem here, receiving spam
> is, unless your servers are open relays.
>
>
Yes, sending (or receiving) e-mails *is* the problem. I do not want
Exim to receive mail directly for mail.domain.com except from (a) the
trusted MX server already in place and (b) clients of mail.domain.com
who, of necessity, will need to relay through the mail server in order
to send mail out to the Internet.
Since (b) can come from anywhere, that is where allowing only SMTP auth
comes in.

> 1 -- Look at {white,black,grey}listing.

I don't want to white/black/grey list. I want to disallow period except
for (a) and (b).

> 2 -- You may need to run Spam Assassin or its equivalent on your
> mail.domain.com servers to capture the spam that is not going through your
> spam filtering devices.

Same response here.

> 3 -- You can also add headers to the emails passing through your spam
> filtering devices and pass them exclusively through your mail server with no
> further checks.
> 4 -- You may also pass all emails whose session has been authenticated with
> no further checks.

That's fine as long as I can stop the other SMTP cold at the door.

> The other option, if your spam filtering devices permit it, is to point all
> mx records to these filtering devices and have the filtering devices forward
> the sessions to the respective mail.domain.com server. This is a long shot
> but it may work.

Uh, the MX for domain.com -is- the filtering device. Spammers don't
care what an MX is if they can directly connect to the mail server the
e-mail eventually gets to.

Someone (Dave Lugo) wrote yesterday a concrete example which I have not
had time to test yet due to a UPS battery issue taking my time. I hope
to try it soon.
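
One way to express the policy asked for in this message as an Exim RCPT ACL, added here as an example; it is not the configuration Dave Lugo posted and not code from this thread. The list names, the 192.0.2.10 address and the rejection text are assumptions, and a working SMTP AUTH authenticator is assumed to be configured elsewhere in the file.

```exim
# --- main configuration section ---

# Assumption: constructed placeholder address (TEST-NET-1) standing in for
# the trusted spam filter host, i.e. the real MX for domain.com.
hostlist   trusted_filter_hosts = 192.0.2.10

# Assumption: the domains this server delivers locally.
domainlist local_domains = domain.com

# Run the ACL below for every RCPT TO command received over SMTP.
acl_smtp_rcpt = acl_check_rcpt

# --- ACL section ---
begin acl

acl_check_rcpt:

  # (b) A client that completed SMTP AUTH in this session may send to
  #     local users or relay out to the Internet, from any address.
  accept  authenticated = *

  # (a) The trusted filter host may hand over mail, but only for the
  #     local domains; it is not given relay rights.
  accept  hosts         = +trusted_filter_hosts
          domains       = +local_domains

  # Every other SMTP client is refused at RCPT time, so a sender that
  # bypasses the MX and connects directly never reaches DATA.
  deny    message       = direct delivery refused; send via the MX for this domain
```

Because `acl_smtp_rcpt` only governs SMTP input, locally injected (non-SMTP) mail is unaffected by this ACL.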