Re: [exim] Conditional Address Verification in ACLs

Author: MarkdV
Date:  
To: toby-exim
CC: exim-users
Subject: Re: [exim] Conditional Address Verification in ACLs

Toby Bryans wrote:
> On Wed, Sep 09, 2009 at 10:11:51pm +0200, MarkdV wrote:
>> Toby Bryans wrote:
>>> On Tue, Sep 08, 2009 at 10:54:00pm +0200, MarkdV wrote:
>>>> Toby Bryans wrote:
>>> Yes. It works. My understanding is at the point where you do verify =
>>> sender localpart and domain are the sender email address and my tests
>>> have borne that out, ie I can send mail from a valid address with that
>>> router acting as sender verification and I can't from a non-valid
>>> address.
>>>
>>> Am I missing something obvious? You've got me concerned now as what you
>>> say makes sense; I'll have to test it all again in case I missed
>>> something!
>> Maybe, then again maybe I am. You've got me second guessing now... :)
>>
>> So I'm going through the documentation with a fine comb and I have found
>> one small piece of info that might, maybe, suggest I'm a little bit
>> wrong on this one. It's in Chapter 11, in the documentation for
>> "$domain", where it says:
>>
>> "$domain is not normally set during the running of the MAIL ACL.
>> However, if the sender address is verified with a callout during the
>> MAIL ACL, the sender domain is placed in $domain during the expansions
>> of hosts, interface, and port in the smtp transport."
>
> It also appears that $local_part gets set in the MAIL ACL. As an example
> with exim -bvs toby-exim@???:
>
> 14:13:59 4043 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> 14:13:59 4043 Verifying toby-exim@???
> 14:13:59 4043 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> 14:13:59 4043 Considering toby-exim@???
> 14:13:59 4043 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> 14:13:59 4043 routing toby-exim@???
> 14:13:59 4043 --------> sender_vfry_ad router <--------
> 14:13:59 4043 local_part=toby-exim domain=bryans.org
>
> ... and I can confirm that this works with testing and that the
> local_part and domain are both set at the mail acl even though I am not
> doing call outs.


OK, I just tried too.... And you are mostly right. But they are not
available in the acl_smtp_mail ACL. I tried by putting this in it:

   warn
     logwrite        = local_part: $local_part
     logwrite        = domain: $domain


And the logging confirms that both are empty.

But they _are_ indeed set for a router when called because of a "verify
= sender". Which makes perfect sense (more below).

> However, I am 99% sure that this won't work when I have to move (as I
> may well have to do) the sender verification into the RCPT ACL so thank
> you for bringing that to my attention, I believe I can use
> $sender_address in this case anyway.


Actually I don't think it will matter. For routers $local_part and
$domain are "local variables" initialized from the address that the
router is asked to route. They are not actually the same variables that
are available in the acl_smtp_rcpt acl, they just have the same name.

In hindsight it's _so_ obvious and logical. Guess I was stuck thinking
about 'acls', not realizing that it does make sense for routers in this
case. Sorry, if I caused confusion. :/

Still think the part of the documentation I quoted is at the very least
misleading. Callouts are not required, and $local_part and $domain can
be used in more places than those listed...

>> I hope you figure out a solution that works for you.
>
> I think I'm on the way!


Good, hope I helped more than confuse you more. :)

Cheers,
Mark.
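
The variable scoping discussed in this thread, as an added configuration sketch that is not part of the original message or either poster's actual setup. The ACL name, the router name `sender_verify_example` and the file `/etc/exim/valid_senders` are assumptions made for illustration.

```exim
# Main section: name the ACL that runs at MAIL FROM
acl_smtp_mail = acl_check_mail

begin acl

acl_check_mail:
  # Inside the MAIL ACL itself $local_part and $domain expand to nothing
  # (the logwrite test in the message above). The sender's parts are
  # available here as $sender_address_local_part / $sender_address_domain.
  warn
    logwrite = MAIL ACL: local_part=<$local_part> domain=<$domain>
    logwrite = MAIL ACL: sender=<$sender_address_local_part@$sender_address_domain>

  # "verify = sender" passes the envelope sender to the routers in
  # verify mode; no callout is involved.
  deny
    message = sender address could not be verified
    !verify = sender

  accept

begin routers

# Hypothetical router that only takes part in sender verification.
# While it runs, $local_part and $domain are set from the address being
# routed, i.e. the sender, wherever the "verify = sender" was issued from
# (MAIL or RCPT ACL).
sender_verify_example:
  driver = accept
  verify_only
  verify_sender
  no_verify_recipient
  # Assumed file with one permitted sender address per line
  condition = ${lookup{$local_part@$domain}lsearch{/etc/exim/valid_senders}{yes}{no}}

# Senders that do not match fall through to the routers that follow.
```

Running `exim -bvs` against a sender address, as in the debug output quoted above, shows the `local_part=` and `domain=` values such a router sees.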