Re: [exim] Rejecting MX Internal IP Addresses

Góra strony
Delete this message
Reply to this message
Autor: d.hill
Data:  
Dla: exim-users
Temat: Re: [exim] Rejecting MX Internal IP Addresses
Quoting Phil Pennock <exim-users@???>:

> On 2009-10-23 at 22:28 +0000, d.hill@??? wrote:
>> On a test server I have set up, I'm attempting to reject senders where
>> the sender domain has an MX record pointing to an internal (or
>> reserved) IP address. Reading the Exim documentation, this is what
>> I've come up with:
>>
> [ snip complicated ACL rules ]
>>
>> /usr/local/etc/exim/reserved_ip_space has a list of IP address ranges
>> in CIDR format of all the internal (or reserved) IP space.
>>
>> It is working as expected. I am just curious if there is an alternate
>> or reduced way of performing the same results.
>
> Yes. You don't route messages to those addresses. Then the "verify =
> sender" in your ACL (somewhere), will fail and the message will be
> rejected. The sender verify by default stops as soon as it has a method
> of delivery which goes off-host, so you need a DNS lookup which lets the
> dnslookup be used.
>
> If you do not use a smarthost, then something like:
>
> dnslookup:
>   driver        = dnslookup
>   domains       = ! +local_domains
>   transport     = remote_smtp
>   ignore_target_hosts = +bad_host_addresses

>
> where +bad_host_addresses is a hostlist; you might define it in the main
> config as:
> hostlist bad_host_addresses = /usr/local/etc/exim/reserved_ip_space
>
> If you do use a smarthost, then you probably want to use "no_verify" on
> the smarthost and then have a dnslookup Router, like the one above, but
> with "verify_only" set on it.


Thanks. I see my complex ACL rule can be replaced by a simple router
that would reject when the 'verify = sender' is used.