On Fri, Sep 11, 2009 at 08:42:53pm +0200, MarkdV wrote:
> OK, I just tried too.... And you are mostly right. But they are not
> available in the acl_smtp_mail ACL. I tried by putting this in it:
Yes :). I too discovered this when I moved the LDAP sender check query
into an ACL and not in a router.
> In hindsight it's _so_ obvious and logical. Guess I was stuck
> thinking about 'acls', not realizing that it does make sense for
> routers in this case. Sorry, if I caused confusion. :/
Not at all!
> Still think the part of the documentation I quoted is at the very
> least misleading. Callouts are not required, and $local_part and
> $domain can be used in more places than those listed...
Definitely.
> Good, hope I helped more than confuse you more. :)
Both you and Phil helped put me on the right track.
Here's what I have done:
* Set the sender LDAP query so that it uses $sender_address
* Got rid of all address verification routers
* Added the following ACLs:

  # This access list is called at MAIL FROM: time. It checks that the
  # address of the sender of the email being processed exists in the LDAP
  # store. If it doesn't, it sets acl_m_senderfail to true for further
  # processing in acl_check_rcpt.
  acl_check_mail:
    warn   condition = ${if eq {${lookup ldap {LDAP_AD_MAIL_FROM}}} {}}
           set acl_m_senderfail = true
    accept

  # This access list is called from acl_check_rcpt. If acl_m_senderfail is
  # set to true (see acl_check_mail for why that might happen) and if the
  # rcpt address currently being processed does not exist in the LDAP
  # directory as a targetAddress of a contact (which is how you set up
  # forwarding in Exchange) it will set acl_m_rcptfail to true for further
  # processing.
  acl_check_isfwd:
    warn   condition = ${if and {\
                           { eq {$acl_m_senderfail}{true} }\
                           { eq {${lookup ldap {LDAP_AD_MAIL_TO_FORWARDS}}} {}}\
                         } }
           set acl_m_rcptfail = true
    accept

* In acl_check_rcpt I added the following:

  # If acl_m_senderfail is true (ie the MAIL FROM address is not in the
  # LDAP store) AND acl_m_rcptfail is true (ie the rcpt address does not
  # exist in the LDAP store for forwarding) then deny the email.
    deny   message = Sender does not exist and $local_part@$domain is not a valid forward.
           acl = acl_check_isfwd
           condition = ${if and { { eq {$acl_m_senderfail} {true} }\
                                  { eq {$acl_m_rcptfail} {true} }\
                                }\
                       }

* Removed verify = sender
* Kept verify = recipient for DNS lookup verification.
Deceptively simple :).
A big thanks to Mark and Phil for putting me on the path to solve
this one. The two things that were needed were:
* Nested ACLs
* Doing address verification in ACLs as conditions and not relying on the
verify statement and routers.
Phil, you suggested that I think carefully about multiple recipients.
I'm trying to think of a situation where this will cause problems but
given that all emails should come from a valid address OR be forwarded
on to a valid forward address I don't think there will be a situation
where a valid forward and a non valid forward external address will
exist in one email without a valid sender address.
Is this worth putting on the wiki?
--
Toby
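Phil's point about multiple recipients can be checked by modelling the three ACLs above as plain functions. This is an added example, not Exim and not Toby's configuration; it assumes, as Exim documents for acl_m_ variables, that their values carry over from one RCPT command to the next within a message, and it replaces the two LDAP lookups with constructed sets of addresses.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the two LDAP lookups (not a real directory).
LDAP_AD_MAIL_FROM = {"alice@example.com"}          # valid sender addresses
LDAP_AD_MAIL_TO_FORWARDS = {"sales@example.com"}   # contacts with a targetAddress


@dataclass
class Message:
    """One SMTP message: acl_m_* values live here, so they survive across RCPTs."""
    sender: str
    acl_m: dict = field(default_factory=dict)


def acl_check_mail(msg: Message) -> str:
    # warn condition = ${if eq {${lookup ldap {LDAP_AD_MAIL_FROM}}} {}}
    if msg.sender not in LDAP_AD_MAIL_FROM:
        msg.acl_m["senderfail"] = "true"
    return "accept"


def acl_check_isfwd(msg: Message, rcpt: str) -> str:
    # warn condition = ${if and {{senderfail is true}{forward lookup is empty}}}
    if msg.acl_m.get("senderfail") == "true" and rcpt not in LDAP_AD_MAIL_TO_FORWARDS:
        msg.acl_m["rcptfail"] = "true"
    return "accept"


def acl_check_rcpt(msg: Message, rcpt: str, reset_per_rcpt: bool = False) -> str:
    # reset_per_rcpt models a hypothetical extra "warn set acl_m_rcptfail = false"
    # placed before the deny; the configuration in the message has no such reset.
    if reset_per_rcpt:
        msg.acl_m["rcptfail"] = "false"
    # deny ... acl = acl_check_isfwd  (nested ACL runs first and always accepts)
    acl_check_isfwd(msg, rcpt)
    #      condition = ${if and {{senderfail is true}{rcptfail is true}}}
    if msg.acl_m.get("senderfail") == "true" and msg.acl_m.get("rcptfail") == "true":
        return "deny"
    return "accept"


def run_transaction(sender: str, rcpts: list, reset_per_rcpt: bool = False) -> list:
    """MAIL FROM once, then one RCPT TO per address; returns each RCPT verdict."""
    msg = Message(sender)
    acl_check_mail(msg)
    return [acl_check_rcpt(msg, r, reset_per_rcpt) for r in rcpts]


if __name__ == "__main__":
    rcpts = ["sales@example.com", "bob@example.org", "sales@example.com"]
    print(run_transaction("nobody@example.net", rcpts))                       # ['accept', 'deny', 'deny']
    print(run_transaction("nobody@example.net", rcpts, reset_per_rcpt=True))  # ['accept', 'deny', 'accept']
```

In the first run the third recipient is a valid forward yet is denied, because acl_m_rcptfail was left at true by the second RCPT; resetting it per recipient gives the verdict the comments above describe.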