Re: [exim] Conditional Address Verification in ACLs

Author: Toby Bryans
Date:  
To: exim-users
Subject: Re: [exim] Conditional Address Verification in ACLs
On Tue, Sep 08, 2009 at 10:54:00pm +0200, MarkdV wrote:
> Toby Bryans wrote:
> > Hi,
>
> Just wondering if sleeping on it helped? :) And reading your entire
> message now...


A little - with yours and Phil's advice I'm experimenting right now with
a possible solution. The main problem is that I'm trying to make it as
flexible as possible. There's an easy solution but it requires manual
intervention every time someone adds a new forwarding domain on the
exchange server which defeats the point for me.

> > I've set up a relaying server for all our exchange sourced outgoing
> > mail scanning for viruses and spam. One of the reasons we did this was
>
> So this is basically a smarthost for your exchange box? And users submit
> to the exchange box, not to the exim host?


Yes. I can't really discuss the causes here but suffice to say we have a
requirement that only valid email addresses in our AD can send mail
outbound...

> > because we also wanted to lock down users that could send mail out via
> > our servers to only those that are in Active Directory.
>
> Uhrm.. "lock down users that can send to..", or "lock down users,
> restricting them, so they can only send to..."?


... but once implemented we discovered that (obviously) forwarded users
wouldn't work as the forwarded mails are sent from non-AD email
addresses, so I need to add a check so that if an email is sent from a
non-AD address but is sent to a valid forwarded address, it is accepted.

The major use of forwarded mails is so that mails are sent both to the
exchange mail store and on to users' blackberry accounts as we don't
support blackberry email natively here.

> > I set up a verification only router as follows:
> >
> > # This router checks the users sending outbound are valid in the AD
> > sender_vfry_ad:
> > driver = accept
> > verify_only = true
> > verify_recipient = false
> > verify_sender = true
> > condition = ${if !eq {${lookup ldap {LDAP_AD_MAIL_FROM}}} {}}
> >
> > with the following LDAP query:
> >
> > LDAP_AD_MAIL_FROM = \
> >   user=LDAP_AD_BINDDN \
> >   pass=LDAP_AD_PASS \
> >   ldap:///LDAP_AD_BASE_DN\
> >   ?mail?sub?\
> >   (&\
> >     (|\
> >       (objectClass=user)\
> >       (objectClass=publicFolder)\
> >       (objectClass=group)\
> >     )\
> >     (proxyAddresses=SMTP:${quote_ldap:${local_part}@${domain}})\
> >   )
> >
> > And put require sender = verify in the acl_smtp_rcpt.
> >
> > Which all worked fine...
>
> It did? The accept router has a single condition that succeeds or fails
> depending on whether the _recipient_ (${local_part}@${domain}) is in AD?
> If you're using this for _sender_ verification, where is the sender in
> all this?


Yes. It works. My understanding is at the point where you do verify =
sender localpart and domain are the sender email address and my tests
have borne that out, ie I can send mail from a valid address with that
router acting as sender verification and I can't from a non-valid
address.

Am I missing something obvious? You've got me concerned now as what you
say makes sense; I'll have to test it all again in case I missed
something!

> And why an accept router just to check the condition when you could just
> use the condition directly in the acl?


Now, that's something that I have been sleeping on having now read the
acl documentation a lot more closely :).

> I can't really get my head around what it is that you are actually
> trying to do here... :/


Thank you very much! I'm currently having a go at solving it myself
(that way I'll learn the most) with the hints that I have been given by
you and Phil and I'll mail back with the solution if it works, if not
I'm sure I'll have more questions.

Many thanks again and I hope I have answered your questions!

--
Toby
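The following is an added example, not configuration from Toby, MarkdV or the Exim project. It puts the AD sender check directly into the RCPT ACL, as MarkdV suggests, and adds the forwarded-recipient exception Toby describes. It assumes the LDAP_AD_BINDDN, LDAP_AD_PASS and LDAP_AD_BASE_DN macros from the original message are defined; the macro names LDAP_AD_SENDER and LDAP_AD_FORWARD_RCPT are assumed, and the contact/targetAddress filter is an assumption about how forwarding targets are represented in the directory, to be adjusted to the real schema.

```exim
# Added example, not from the thread. LDAP_AD_BINDDN, LDAP_AD_PASS and
# LDAP_AD_BASE_DN are assumed to be defined as in the original message.

# In an ACL, $local_part and $domain belong to the recipient currently
# being offered, so the sender has to be looked up through its own
# variables (this is the distinction MarkdV raised about the router).
LDAP_AD_SENDER = \
  user=LDAP_AD_BINDDN \
  pass=LDAP_AD_PASS \
  ldap:///LDAP_AD_BASE_DN\
  ?mail?sub?\
  (&\
    (|\
      (objectClass=user)\
      (objectClass=publicFolder)\
      (objectClass=group)\
    )\
    (proxyAddresses=SMTP:${quote_ldap:$sender_address})\
  )

# Assumed filter: a forwarding target is a mail-enabled contact whose
# targetAddress is the recipient. Adjust to how your directory records it.
LDAP_AD_FORWARD_RCPT = \
  user=LDAP_AD_BINDDN \
  pass=LDAP_AD_PASS \
  ldap:///LDAP_AD_BASE_DN\
  ?targetAddress?sub?\
  (&\
    (objectClass=contact)\
    (targetAddress=SMTP:${quote_ldap:$local_part@$domain})\
  )

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Case 1: the envelope sender is a mailbox, group or public folder in AD.
  accept
    condition = ${if !eq{${lookup ldap{LDAP_AD_SENDER}}}{}}

  # Case 2: any other sender may relay only to an address the directory
  # records as a forwarding target (the Exchange -> BlackBerry case).
  accept
    condition = ${if !eq{${lookup ldap{LDAP_AD_FORWARD_RCPT}}}{}}
    logwrite  = forwarded relay: $sender_address -> $local_part@$domain

  # Everything else is refused at RCPT time and the reason is logged.
  deny
    message  = Sender address is not a known Active Directory address
    logwrite = rejected relay: $sender_address -> $local_part@$domain
```

Two things to decide before using this pattern: a bounce has an empty envelope sender, so it never matches case 1 and is accepted only if the recipient passes the forwarding lookup; and if the LDAP server is unreachable the lookup expansion fails, which makes the ACL return a temporary error rather than quietly accepting or rejecting the message.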