Re: [exim] Conditional Address Verification in ACLs

Author: Toby Bryans
Date:  
To: exim-users
Subject: Re: [exim] Conditional Address Verification in ACLs
On Fri, Sep 11, 2009 at 08:42:53pm +0200, MarkdV wrote:
> OK, I just tried too.... And you are mostly right. But they are not
> available in the acl_smtp_mail ACL. I tried by putting this in it:


Yes :). I too discovered this when I moved the LDAP sender check query
into an ACL and not in a router.

> In hindsight it's _so_ obvious and logical. Guess I was stuck
> thinking about 'acls', not realizing that it does make sense for
> routers in this case. Sorry, if I caused confusion. :/


Not at all!

> Still think the part of the documentation I quoted is at the very
> least misleading. Callouts are not required, and $local_part and
> $domain can be used in more places than those listed...


Definitely.

> Good, hope I helped more than confused you more. :)


Both you and Phil helped put me on the right track.

Here's what I have done:

* Set the sender LDAP query so that it uses $sender_address

* Got rid of all address verification routers

* Added the following ACLs:

# This access list is called at MAIL FROM: time. It checks that the
# address of the sender of the email being processed exists in the LDAP
# store. If it doesn't it sets acl_m_senderfail to true for further
# processing in acl_check_rcpt. (acl_m_ variables are reset by MAIL, so
# the flag starts out empty for every message.)

acl_check_mail:
  warn  condition = ${if eq {${lookup ldap {LDAP_AD_MAIL_FROM}}} {}}
        set acl_m_senderfail = true

  accept

# This access list is called from acl_check_rcpt. If acl_m_senderfail is
# set to true (see acl_check_mail for why that might happen) and if the
# rcpt address currently being processed does not exist in the LDAP
# directory as a targetAddress of a contact (which is how you set up
# forwarding in Exchange) it will set acl_m_rcptfail to true for further
# processing.
#
# acl_m_ variables keep their value from MAIL until the end of the
# message, i.e. across all the RCPT commands, so the flag is cleared
# first. Without the reset, one recipient that is not a forward would
# leave acl_m_rcptfail = true for every later recipient of the same
# message, including valid forwards.

acl_check_isfwd:
  warn  set acl_m_rcptfail = false

  warn  condition = ${if and {\
                                { eq {$acl_m_senderfail}{true} }\
                                { eq {${lookup ldap {LDAP_AD_MAIL_TO_FORWARDS}}} {}}\
                     }       }
        set acl_m_rcptfail = true

  accept

* in acl_check_rcpt I added the following:

# If acl_m_senderfail is true (ie the MAIL FROM address is not in the
# LDAP store) AND acl_m_rcptfail is true (ie the rcpt address does not
# exist in the LDAP store for forwarding) then deny the email. The acl
# condition runs acl_check_isfwd for this recipient first (it always
# accepts, so the statement goes on to the condition below).
  deny message = Sender does not exist and $local_part@$domain is not a valid forward.
       acl = acl_check_isfwd
       condition = ${if and { { eq {$acl_m_senderfail} {true} }\
                              { eq {$acl_m_rcptfail} {true} }\
                            }\
                    }


* Removed verify = sender

* Kept verify = recipient for DNS lookup verification.

Deceptively simple :).

A big thanks to Mark and Phil for putting me on the path to solve
this one. The two things that were needed were:

* Nested ACLs

* Doing address verification in ACLs as conditions and not relying on the
verify statement and routers.

Phil, you suggested that I think carefully about multiple recipients.
I'm trying to think of a situation where this will cause problems, but
given that all emails should come from a valid address OR be forwarded
on to a valid forward address, I don't think there will be a situation
where a valid forward and a non-valid forward external address will
exist in one email without a valid sender address.

Is this worth putting on the wiki?

--
Toby
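The following is an added example, not part of the post above and not Exim code: a small Python model of the MAIL/RCPT ACL logic from the post, written to show what the acl_m_ flags do when one message has several recipients. It assumes two Exim behaviours from the Exim specification (acl_m_ variables are reset by MAIL and then keep their value for the rest of the message, and an ACL variable that was never set expands to the empty string) and replaces the two LDAP lookups with membership tests against a constructed directory. The function and variable names are the example's own.

```python
"""Model of the acl_check_mail / acl_check_isfwd / acl_check_rcpt logic,
run over a multi-recipient transaction with and without resetting
acl_m_rcptfail for each RCPT.  Added example; the Exim semantics are
simplified to the two points named in the lead-in."""

from dataclasses import dataclass, field

# Constructed stand-in for the LDAP store (assumption: one set of
# addresses the LDAP_AD_MAIL_FROM query would find, one set of contact
# targetAddress values the LDAP_AD_MAIL_TO_FORWARDS query would find).
VALID_SENDERS = {"alice@example.com", "bob@example.com"}
FORWARD_TARGETS = {"carol@partner.example", "dave@partner.example"}


@dataclass
class Message:
    """Per-message state: the acl_m_ variables of one SMTP message."""
    acl_m: dict = field(default_factory=dict)

    def var(self, name):
        # Exim expands an ACL variable that was never set to "".
        return self.acl_m.get(name, "")


def acl_check_mail(msg, sender):
    """MAIL FROM ACL: MAIL resets the acl_m_ variables, then the sender
    is flagged if the (simulated) LDAP lookup returns nothing."""
    msg.acl_m.clear()
    if sender not in VALID_SENDERS:
        msg.acl_m["acl_m_senderfail"] = "true"
    return "accept"


def acl_check_isfwd(msg, rcpt, reset_flag):
    """The nested ACL.  reset_flag=False behaves as originally posted;
    reset_flag=True clears acl_m_rcptfail before the check, so the flag
    reflects only the recipient currently being processed."""
    if reset_flag:
        msg.acl_m["acl_m_rcptfail"] = "false"
    if msg.var("acl_m_senderfail") == "true" and rcpt not in FORWARD_TARGETS:
        msg.acl_m["acl_m_rcptfail"] = "true"
    return "accept"


def acl_check_rcpt(msg, rcpt, reset_flag):
    """The deny statement from acl_check_rcpt: run the nested ACL for
    this recipient, then deny if both flags are set."""
    acl_check_isfwd(msg, rcpt, reset_flag)      # acl = acl_check_isfwd
    if (msg.var("acl_m_senderfail") == "true"
            and msg.var("acl_m_rcptfail") == "true"):
        return "deny"
    return "accept"


def run_transaction(sender, rcpts, reset_flag):
    """Return the verdict for each RCPT TO of one message, in order."""
    msg = Message()
    acl_check_mail(msg, sender)
    return [acl_check_rcpt(msg, r, reset_flag) for r in rcpts]


if __name__ == "__main__":
    # Unknown sender, first recipient is not a forward, second one is.
    rcpts = ["mallory@elsewhere.example", "carol@partner.example"]
    print("as posted:  ", run_transaction("stranger@elsewhere.example", rcpts, False))
    print("with reset: ", run_transaction("stranger@elsewhere.example", rcpts, True))
```

In the "as posted" run the first recipient sets acl_m_rcptfail, and because the variable survives until the end of the message the valid forward that follows is denied as well; with the reset the second recipient is accepted. Reversing the recipient order hides the difference, which is why the case is easy to miss when testing by hand.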