Re: [exim] Conditional Address Verification in ACLs

Author: MarkdV
Date:
To: Toby Bryans
CC: exim users
Subject: Re: [exim] Conditional Address Verification in ACLs
Toby Bryans wrote:
> Hi,
>
> I've set up a relaying server for all our exchange sourced outgoing
> mail scanning for viruses and spam. One of the reasons we did this was
> because we also wanted to lock down users that could send mail out via
> our servers to only those that are in Active Directory.
>
> I set up a verification only router as follows:
>
> # This router checks the users sending outbound are valid in the AD
> sender_vfry_ad:
> driver = accept
> verify_only = true
> verify_recipient = false
> verify_sender = true
> condition = ${if !eq {${lookup ldap {LDAP_AD_MAIL_FROM}}} {}}
>
> with the following LDAP query:
>
> LDAP_AD_MAIL_FROM = \
>   user=LDAP_AD_BINDDN \
>   pass=LDAP_AD_PASS \
>   ldap:///LDAP_AD_BASE_DN\
>   ?mail?sub?\
>   (&\
>     (|\
>       (objectClass=user)\
>       (objectClass=publicFolder)\
>       (objectClass=group)\
>     )\
>     (proxyAddresses=SMTP:${quote_ldap:${local_part}@${domain}})\
>   )
>
> And put require sender = verify in the acl_smtp_rcpt.
>
> Which all worked fine...
>
> ...until we realised that we had some users that forwarded their mail
> out to their blackberries at email accounts offsite, so I created an
> LDAP query that gives me the email address back if the rcpt address is a
> forward address in the AD:
>
> LDAP_AD_MAIL_TO_FORWARDS = \
>   user=LDAP_AD_BINDDN \
>   pass=LDAP_AD_PASS \
>   ldap:///LDAP_AD_BASE_DN\
>   ?mail?sub?\
>   (&\
>    (objectClass=user)\
>    (targetAddress=SMTP:${quote_ldap:${local_part}@${domain}})\
>   )
>
> And created the following router:
>
> recepient_vfry_ad:
> driver = accept
> verify_only = true
> verify_recipient = true
> verify_sender = false
> condition = ${if !eq {${lookup ldap {LDAP_AD_MAIL_TO_FORWARDS}}} {}}


To be honest I hardly read anything above this point... But without
regard to any of the above, your question seems easy enough to answer.

> However, now I'm stuck. I can't work out how to say:
>
> require verify sender or verify recipient in an acl.


IMHO it is generally better to think in terms of "and", because acl
statements combine the result of individual conditions using "and" to
get a final true or false. (Require does a final negation of the result
before acting.)

In terms of "and", what you want can be expressed as: "deny if (both)
sender _and_ recipient verification fail". To make verification failure
a true condition, we just negate the condition and we get:

deny
! verify = sender
! verify = recipient

HTH,
Mark.
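Editor's note: the fragment below is an added example, not part of Mark's or Toby's posts. It shows how the two verify-only routers quoted above and Mark's De Morgan construction fit together in a complete RCPT ACL. The ACL name acl_check_rcpt and the host list relay_from_hosts are assumed for illustration; everything else uses only what the thread already defines.

```exim
# Added example (not from the original posts): RCPT ACL that relies on the
# sender_vfry_ad and recepient_vfry_ad routers quoted in the thread.
# acl_check_rcpt and +relay_from_hosts are assumed names.

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:

  # Only the Exchange servers this relay fronts may submit mail at all.
  deny    message     = relay not permitted
          !hosts      = +relay_from_hosts

  # Refuse addresses that should never reach the LDAP filter (same check
  # as the stock Exim configuration uses).
  deny    message     = restricted characters in address
          local_parts = ^[.] : ^.*[@%!/|]

  # "sender OR recipient must verify" written as Mark suggests:
  # "deny when NOT sender AND NOT recipient".  Conditions on one statement
  # are ANDed in order, so when the sender is found in AD the first
  # condition is already false, the recipient lookup is skipped and the
  # deny does not fire.  $local_part/$domain here are the RCPT address.
  deny    message     = $sender_address is not an AD mailbox and \
                        $local_part@$domain is not a registered forward
          log_message = sender and forward-recipient verification both failed
          !verify     = sender
          !verify     = recipient

  accept
```

Two points worth checking when deploying this. First, the routers must keep verify_recipient = false on the sender router and verify_sender = false on the recipient router, otherwise each LDAP filter is also run against the other address and the deny can fire for the wrong reason. Second, an LDAP server that cannot be reached is not the same as a lookup that returns nothing: the empty result makes the router condition false and verification fails cleanly, whereas an unreachable server makes the condition expansion fail, the router defers, and Exim answers the RCPT with a temporary 4xx rather than silently accepting it, which is the fail-closed behaviour you want from a relay-control check.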