Quoting Phil Pennock <exim-users@???>:
> On 2009-10-23 at 22:28 +0000, d.hill@??? wrote:
>> On a test server I have set up, I'm attempting to reject senders where
>> the sender domain has an MX record pointing to an internal (or
>> reserved) IP address. Reading the Exim documentation, this is what
>> I've come up with:
>>
> [ snip complicated ACL rules ]
>>
>> /usr/local/etc/exim/reserved_ip_space has a list of IP address ranges
>> in CIDR format of all the internal (or reserved) IP space.
>>
>> It is working as expected. I am just curious if there is an alternate
>> or reduced way of performing the same results.
>
> Yes. You don't route messages to those addresses. Then the "verify =
> sender" in your ACL (somewhere), will fail and the message will be
> rejected. The sender verify by default stops as soon as it has a method
> of delivery which goes off-host, so you need a DNS lookup which lets the
> dnslookup be used.
>
> If you do not use a smarthost, then something like:
>
> dnslookup:
>   driver = dnslookup
>   domains = ! +local_domains
>   transport = remote_smtp
>   ignore_target_hosts = +bad_host_addresses
>
> where +bad_host_addresses is a hostlist; you might define it in the main
> config as:
> hostlist bad_host_addresses = /usr/local/etc/exim/reserved_ip_space
>
> If you do use a smarthost, then you probably want to use "no_verify" on
> the smarthost and then have a dnslookup Router, like the one above, but
> with "verify_only" set on it.

Thanks. I see my complex ACL rule can be replaced by a simple router
that would reject when the 'verify = sender' is used.
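
The smarthost variant described in the quoted reply, assembled as an added example (not configuration posted by either participant). The router names, the host `smarthost.example.net` and the `no_more` line are assumptions of this sketch; the hostlist, its file path and the other options are the ones quoted in the thread.

```exim
# --- main configuration section ---
# CIDR ranges of internal/reserved space, one per line, as in the thread.
hostlist bad_host_addresses = /usr/local/etc/exim/reserved_ip_space

# --- in the ACL that checks the envelope (e.g. the acl_smtp_rcpt ACL) ---
# Sender verification is what triggers the verify_only router below.
  require verify = sender

# --- routers section: order matters, first match wins ---

# Used only while verifying an address, never for real delivery.
# MX/A targets inside +bad_host_addresses are treated as nonexistent;
# if nothing usable remains the router declines and verification fails.
verify_dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  verify_only
  transport = remote_smtp
  ignore_target_hosts = +bad_host_addresses
# Assumption: stop here on decline instead of trying later routers,
# as the stock dnslookup router does.
  no_more

# Real delivery of non-local mail goes to the smarthost.
# no_verify keeps this router out of verification; otherwise every
# sender domain would "verify" simply because the smarthost exists.
smarthost:
  driver = manualroute
  domains = ! +local_domains
  no_verify
  transport = remote_smtp
# Hypothetical smarthost name; replace with the real relay.
  route_list = * smarthost.example.net
```

Running `exim -bvs user@domain` exercises the sender-verification path from the command line, and `exim -bt user@domain` shows that delivery is still routed through the smarthost.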