Re: [exim] Conditional Address Verification in ACLs

Author: MarkdV
Date:  
To: exim users
Subject: Re: [exim] Conditional Address Verification in ACLs
Toby Bryans wrote:
> Hi,


Just wondering if sleeping on it helped? :) And reading your entire
message now...

> I've set up a relaying server for all our exchange sourced outgoing
> mail scanning for viruses and spam. One of the reasons we did this was


So this is basically a smarthost for your exchange box? And users submit
to the exchange box, not to the exim host?

> because we also wanted to lock down users that could send mail out via
> our servers to only those that are in Active Directory.


Uhrm.. "lock down users that can send to..", or "lock down users,
restricting them, so they can only send to..."?

> I set up a verification only router as follows:
>
> # This router checks the users sending outbound are valid in the AD
> sender_vfry_ad:
> driver = accept
> verify_only = true
> verify_recipient = false
> verify_sender = true
> condition = ${if !eq {${lookup ldap {LDAP_AD_MAIL_FROM}}} {}}
>
> with the following LDAP query:
>
> LDAP_AD_MAIL_FROM = \
>   user=LDAP_AD_BINDDN \
>   pass=LDAP_AD_PASS \
>   ldap:///LDAP_AD_BASE_DN\
>   ?mail?sub?\
>   (&\
>     (|\
>       (objectClass=user)\
>       (objectClass=publicFolder)\
>       (objectClass=group)\
>     )\
>     (proxyAddresses=SMTP:${quote_ldap:${local_part}@${domain}})\
>   )
>
> And put require sender = verify in the acl_smtp_rcpt.
>
> Which all worked fine...


It did? The accept router has a single condition that succeeds or fails
depending on whether the _recipient_ (${local_part}@${domain}) is in AD?
If you're using this for _sender_ verification, where is the sender in
all this?

And why an accept router just to check the condition when you could just
use the condition directly in the acl?

I can't really get my head around what it is that you are actually
trying to do here... :/

Cheers,
Mark.

> ...until we realised that we had some users that forwarded their mail
> out to their blackberries at email accounts offsite, so I created an
> LDAP query that gives me the email address back if the rcpt address is a
> forward address in the AD:
>
> LDAP_AD_MAIL_TO_FORWARDS = \
>   user=LDAP_AD_BINDDN \
>   pass=LDAP_AD_PASS \
>   ldap:///LDAP_AD_BASE_DN\
>   ?mail?sub?\
>   (&\
>    (objectClass=user)\
>    (targetAddress=SMTP:${quote_ldap:${local_part}@${domain}})\
>   )
>
> And created the following router:
>
> recepient_vfry_ad:
> driver = accept
> verify_only = true
> verify_recipient = true
> verify_sender = false
> condition = ${if !eq {${lookup ldap {LDAP_AD_MAIL_TO_FORWARDS}}} {}}
>
> However, now I'm stuck. I can't work out how to say:
>
> require verify sender or verify recipient in an acl.
>
> Does anyone have any idea how I can implement this? Is it even sensible?
>
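One way to express the "verify sender OR verify recipient" logic the original post asks about, as an added example that is not from either poster's configuration. Exim ANDs the conditions inside a single ACL statement, so the OR is written as two consecutive `accept` statements, each driving one of the verify-only routers quoted above, followed by a `deny` that catches the case where neither matched. The ACL name `acl_check_rcpt` and the host list `+relay_from_hosts` (meant to hold the Exchange server addresses) are assumptions, not names from the thread.

```exim
# Assumed to be wired in with:  acl_smtp_rcpt = acl_check_rcpt
acl_check_rcpt:

  # Only the Exchange server(s) should be relaying through this host.
  # +relay_from_hosts is an assumed host list naming them.
  deny    message     = Relaying not permitted from $sender_host_address
          !hosts      = +relay_from_hosts

  # Alternative 1: the envelope sender exists in AD.
  # Exim runs the sender_vfry_ad router from the original post; if it
  # accepts, this statement accepts the RCPT and the ACL ends here.
  accept  verify      = sender

  # Alternative 2: the recipient is a registered targetAddress forward.
  # Runs the recepient_vfry_ad router from the original post; a failed
  # verification just falls through to the next statement, it does not deny.
  accept  verify      = recipient

  # Neither alternative matched: reject and log why.
  deny    message     = Sender $sender_address is not in Active Directory and \
                        $local_part@$domain is not a registered forwarding address
          log_message = AD relay check failed: sender=$sender_address \
                        rcpt=$local_part@$domain
```

Two caveats when dropping this in. First, `verify = sender` succeeds if any router accepts the sender address during verification, not only `sender_vfry_ad`; if the later delivery routers (the smarthost or dnslookup router) can route the address, the AD check is bypassed, so those routers need `no_verify` (the negated form of the generic `verify` router option) so that the AD router is the only one consulted while verifying. Second, a deferred LDAP lookup makes the verify condition defer rather than fail, so it is worth deciding explicitly whether a temporary AD outage should result in a 4xx (the default) or be treated as a failure.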