Toby Bryans wrote:
> Hi,
Just wondering if sleeping on it helped? :) And reading your entire
message now...
> I've set up a relaying server for all our exchange sourced outgoing
> mail scanning for viruses and spam. One of the reasons we did this was
So this is basically a smarthost for your exchange box? And users submit
to the exchange box, not to the exim host?
> because we also wanted to lock down users that could send mail out via
> our servers to only those that are in Active Directory.
Uhrm.. "lock down users that can send to..", or "lock down users,
restricting them, so they can only send to..."?
> I set up a verification only router as follows:
>
> # This router checks the users sending outbound are valid in the AD
> sender_vfy_ad:
>   driver = accept
>   verify_only = true
>   verify_recipient = false
>   verify_sender = true
>   condition = ${if !eq {${lookup ldap {LDAP_AD_MAIL_FROM}}} {}}
>
> with the following LDAP query:
>
> LDAP_AD_MAIL_FROM = \
> user=LDAP_AD_BINDDN \
> pass=LDAP_AD_PASS \
> ldap:///LDAP_AD_BASE_DN\
> ?mail?sub?\
> (&\
> (|\
> (objectClass=user)\
> (objectClass=publicFolder)\
> (objectClass=group)\
> )\
> (proxyAddresses=SMTP:${quote_ldap:${local_part}@${domain}})\
> )
>
> And put "require verify = sender" in the acl_smtp_rcpt.
>
> Which all worked fine...
It did? The accept router has a single condition that succeeds or fails
depending on whether the _recipient_ (${local_part}@${domain}) is in AD?
If you're using this for _sender_ verification, where is the sender in
all this?
And why an accept router just to check the condition when you could just
use the condition directly in the acl?
I can't really get my head around what it is that you are actually
trying to do here... :/
Cheers,
Mark.
> ...until we realised that we had some users that forwarded their mail
> out to their blackberries at email accounts offsite, so I created an
> LDAP query that gives me the email address back if the rcpt address is a
> forward address in the AD:
>
> LDAP_AD_MAIL_TO_FORWARDS = \
> user=LDAP_AD_BINDDN \
> pass=LDAP_AD_PASS \
> ldap:///LDAP_AD_BASE_DN\
> ?mail?sub?\
> (&\
> (objectClass=user)\
> (targetAddress=SMTP:${quote_ldap:${local_part}@${domain}})\
> )
>
> And created the following router:
>
> recipient_vfy_ad:
>   driver = accept
>   verify_only = true
>   verify_recipient = true
>   verify_sender = false
>   condition = ${if !eq {${lookup ldap {LDAP_AD_MAIL_TO_FORWARDS}}} {}}
>
> However, now I'm stuck. I can't work out how to say:
>
> require verify sender or verify recipient in an acl.
>
> Does anyone have any idea how I can implement this? Is it even sensible?
>
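An ACL that expresses "sender is in AD OR recipient is a known forward", as an added example (Exim 4 syntax) that is not from either message in this thread. It follows Mark's suggestion of putting the LDAP conditions directly in the ACL rather than behind verify-only routers: in an ACL, OR is written as an early "accept" for one branch followed by a "deny" for the other. It reuses LDAP_AD_MAIL_TO_FORWARDS, LDAP_AD_BINDDN, LDAP_AD_PASS and LDAP_AD_BASE_DN from the original post unchanged, and assumes a second macro, LDAP_AD_SENDER (hypothetical, defined here), which is the same query as LDAP_AD_MAIL_FROM but keyed on $sender_address_local_part and $sender_address_domain, because in the RCPT ACL $local_part and $domain belong to the recipient, not the sender. The host list and its address are constructed for the example.

```exim
# Added example: outbound relay policy for a smarthost in front of Exchange.
# Constructed for illustration; only the macros named in the thread are
# assumed to already exist (LDAP_AD_BINDDN, LDAP_AD_PASS, LDAP_AD_BASE_DN,
# LDAP_AD_MAIL_TO_FORWARDS).

# Hypothetical: the Exchange server(s) allowed to submit to this relay.
hostlist exchange_hosts = 192.0.2.10

# Hypothetical macro: same query as LDAP_AD_MAIL_FROM in the original post,
# but keyed on the envelope sender. In the RCPT ACL $local_part and $domain
# are the recipient's, so the sender has to be named explicitly.
LDAP_AD_SENDER = \
  user=LDAP_AD_BINDDN \
  pass=LDAP_AD_PASS \
  ldap:///LDAP_AD_BASE_DN\
  ?mail?sub?\
  (&\
    (|\
      (objectClass=user)\
      (objectClass=publicFolder)\
      (objectClass=group)\
    )\
    (proxyAddresses=SMTP:${quote_ldap:${sender_address_local_part}@${sender_address_domain}})\
  )

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Only the Exchange hosts may use this relay at all; everything below
  # assumes the message came from them.
  deny    message = relay not permitted from $sender_host_address
          !hosts  = +exchange_hosts

  # Bounces and DSNs carry an empty envelope sender, which can never be
  # found in AD. Let them through from Exchange instead of rejecting them
  # in the sender check below.
  accept  senders = :

  # Branch 1 ("verify recipient"): the recipient is an off-site forward
  # (targetAddress in AD). Forwarded mail arrives with arbitrary external
  # envelope senders, so the sender check is skipped for these. The filter
  # is an exact match on the full LDAP-quoted address, so only addresses
  # explicitly configured in AD qualify.
  accept  condition = ${if !eq {${lookup ldap {LDAP_AD_MAIL_TO_FORWARDS}}}{}}

  # Branch 2 ("verify sender"): anything else must come from an envelope
  # sender that is a primary SMTP address in AD. A lookup that matches
  # nothing expands to the empty string, so an unknown sender is denied.
  deny    message   = $sender_address is not a known Active Directory address
          condition = ${if eq {${lookup ldap {LDAP_AD_SENDER}}}{}}

  accept
```

Two things worth checking when deploying this. First, the "accept" for forwards deliberately relaxes the sender check, so the targetAddress filter must stay an exact equality match on the whole address; a wildcard there would turn those recipients into an open relay path. Second, if the LDAP server is unreachable the lookup defers, the condition expansion fails and Exim returns a temporary error for the RCPT instead of relaying, so an AD outage fails closed rather than open.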