Re: [exim] Help with a custom ACL

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Mike Sprague
Ημερομηνία:  
Προς: exim-users
Αντικείμενο: Re: [exim] Help with a custom ACL
Server Craft wrote:
> Hi,
>
> I was directed here by cPanel support after searching pretty much everywhere
> for a solution to this problem. I am looking for help with a custom ACL for
> restricting incoming mail traffic to specific domains to only come from
> specific IP ranges.
>
> Background:
> I run a small web hosting service based on cPanel VPS servers. Some of my
> clients use hosted spam filtering services such as MXLogic or Postini. To
> make mails to those domains only come from their filtering servers, I am
> asked to specify IP ranges of the Postini and MXLogic filtering servers in
> my email server or VPS firewall so that spammers cannot contact the
> mailservers of the domains hosted on my VPS directly and thus bypass the
> filtering service.
>
> But, the problem with filtering through my firewall is two-fold:
>
> 1. If I restrict mail traffic on Port 25 to come only from certain IP
> ranges, it applies to ALL email coming into the server. Thus it would lock
> down inbound email independent of domain. Not all the clients on my VPS opt
> for such filtering, so this method is unviable.
>
> 2. My VPS servers only have a software firewall (CSF) and it's does not
> accept host names, only IP addresses.
>
> So, it seems the solution is through a custom ACL for those domains using
> hosted spam filtering services. Is there an individual or company that can
> provide consulting on this requirement?


What about something like:

deny
  message     = only accept messages from certain servers
  domains     = LIST of DOMAINS or a database or a file
  hosts       = ! LIST of IPs or a database or a file


Basically, you have a list of domains that use each 3rd party filtering
service. You have a corresponding list of the IPs used by that 3rd
party filtering service. Deny if the recipient is on a 3rd party
service but the incoming IP is not in the IP list for that 3rd party
service.

The list could be in a flat file or a database or if it's short enough,
you could just put it in the exim config. How you store the list would
determine how you query it in the ACL.

BTW, you would put these ACLs in the acl_smtp_rcpt section.

thanks,
mikeS

--
Michael F. Sprague
mfs@???