[exim] Replicating an internal messaging system policy with …

Author: exim
Date:  
To: exim-users
Subject: [exim] Replicating an internal messaging system policy with Exim
Hello,

After having looked on the web and on this list's archive for similar cases, and not having found a solution, I am writing this hoping for some help or indication on how to create the following behaviour with Exim.

Test case environment:

A server with Exim as MTA, serving different domains (in our case, the server is running CentOS 5.6; I am not sure if this is important or not)

Behaviour we are pursuing with Exim, only for a particular domain:

Among all the domains that are served regularly, a given domain, and only that domain, needs to follow an internal messaging system policy, i.e.:

- No emails can be sent to, nor received from, any other domains, hosted on the same server or elsewhere.
- Emails regarding that domain are accepted only if sent to, or received from, that particular domain itself.

In other words:

For a given test domain, mydomain.com, and only for messages related to that domain:

1) if any Recipient does not contain "mydomain.com", Fail with message "rejected"
2) if From does not contain "mydomain.com", Fail with message "rejected"

This is what I tried:

I created the following Exim filter, /etc/vfilters/mydomain.com:

<code>
# Exim filter

# Do nothing for retries or for bounce messages
if not first_delivery and error_message then finish endif

# Recipients-are-not-mydomain.com: reject if any To:/Cc:/Bcc: address is outside the domain
if
  foranyaddress $h_to:,$h_cc:,$h_bcc: ( $thisaddress does not contain "mydomain.com" )
then
  fail "Message rejected."
endif

# From-is-not-mydomain.com: reject if the From: header is outside the domain
if
  $header_from: does not contain "mydomain.com"
then
  fail "Message rejected."
endif
</code>

Unfortunately, the filter does not work as expected.

Emails sent from other domains (on or off the server) are indeed rejected with the message.

But when an email is sent from test1@??? to an address in another domain (on or off the server), that email is delivered normally and not failed, contrary to the intended behaviour and what the filter asks for.

This is the related content of /var/log/exim_mainlog when trying to send to another domain (test@??? is in place of the real address I used):

<code>
> tail -f /var/log/exim_mainlog

2011-06-08 13:48:09 H=localhost (208.86.00.00) [127.0.0.1] Warning: Sender rate 2.6 / 1h
2011-06-08 13:48:09 1QUMrR-00016N-Na <= test1@??? H=localhost (208.86.00.00) [127.0.0.1] P=esmtpa A=dovecot_login:test1@??? S=544 id=9a4a702d8b4a79d72c5be92b7756b457@??? T="test"
2011-06-08 13:48:09 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1QUMrR-00016N-Na
2011-06-08 13:49:42 1QUMrR-00016N-Na => test@??? R=lookuphost T=remote_smtp H=mail.server.org [208.116.00.00] X=TLSv1:DES-CBC3-SHA:168
2011-06-08 13:49:42 1QUMrR-00016N-Na Completed
</code>

Unfortunately, it seems that this is a limitation in Exim for outgoing messages, which is why the only way we could find so far upon investigating at the Exim site was to use the global router method (thanks to Tristan for this suggestion).

<code>
# Router placed before the remote routers: applies to non-local recipient domains
check_outgoing:
     driver = redirect
     domains = ! +local_domains
     # skip the empty (bounce) sender, and fail for any sender not listed in /etc/permitsend
     senders = ! : ! lsearch;/etc/permitsend
     allow_fail
     data = :fail: you are not allowed to send outside
</code>


<code>
touch /etc/permitsend
echo "admin@???" >> /etc/permitsend
</code>

This would add admin@??? to /etc/permitsend file and let that one account send to anyone. All other email accounts on every domain on the machine would be restricted to only send locally.

The problem is, using a global router would only allow permitted senders to send emails from the machine and anyone else would only be able to send locally.

But, unfortunately, that includes all the domains served from the same server, not respecting the intended behaviour.

Basically, using the global router method, everything works as it should, but allowed senders can send to other domains on the same machine as well, thus invalidating that rule we need to enforce.

To summarize the requested behaviour:

a given domain needs to be used only with an internal messaging system policy: no emails can be sent to, nor received from, any other domains, hosted on the same server or elsewhere. Emails regarding that domain are accepted only if sent to, or received from, that particular domain itself.

I would be very grateful if anyone could suggest a working solution.

Thank you in advance,

Priyadarshan
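One way to enforce the policy at SMTP time rather than in a delivery filter, added here as an illustration and not code from the original post or from the Exim project. The filter in /etc/vfilters only runs when a message is delivered to mydomain.com, which is why outgoing mail from test1@??? is never seen by it; a RCPT ACL, by contrast, sees every recipient of every message the server accepts, including mail between two domains hosted on the same machine. This assumes the default configuration's ACL name acl_check_rcpt (acl_smtp_rcpt = acl_check_rcpt), the domain name mydomain.com from the post, and that authenticated ids are full addresses, as the log line A=dovecot_login:test1@??? suggests; the ACL names and messages below are otherwise constructed for this example.

```exim
# Part of the RCPT ACL; these statements go before the usual
# "accept" for local domains and authenticated senders.
acl_check_rcpt:

  # Rule 1 (inbound): a mydomain.com recipient is accepted only from a
  # mydomain.com envelope sender. This also rejects bounces (empty sender)
  # from outside, which matches the stated "no mail received from any
  # other domain" policy.
  deny
    message  = Message rejected: $domain only accepts mail from $domain
    domains  = mydomain.com
    !senders = *@mydomain.com

  # Rule 2 (outbound): a mydomain.com envelope sender may only address
  # mydomain.com recipients, whether the recipient domain is hosted here
  # or elsewhere.
  deny
    message  = Message rejected: senders at mydomain.com may only write to mydomain.com
    senders  = *@mydomain.com
    !domains = mydomain.com

  # Rule 3 (submission): the envelope sender is client-supplied, so an
  # authenticated mydomain.com user could bypass rule 2 by claiming another
  # sender domain. Tie the policy to the authenticated id instead.
  # Assumption: $authenticated_id is a full address such as test1@mydomain.com.
  deny
    message   = Message rejected: your account may only write to mydomain.com
    authenticated = *
    condition = ${if eq{${domain:$authenticated_id}}{mydomain.com}}
    !domains  = mydomain.com

  # ... the site's normal RCPT ACL continues here (relay control, local
  # domain checks, final accept).
```

Because the rejection happens at RCPT TO, nothing is queued and no bounce is generated, so the loop that a filter-level "fail" on a bounce can cause does not arise. The rules are keyed on envelope addresses and the authenticated id, not on the From: header the original filter inspected; if a header-level check is also wanted, it belongs in the DATA ACL, where the headers are available. After editing, `exim -bV` confirms the configuration parses, and `exim -bh 127.0.0.1` lets the SMTP session be walked through by hand to see which rule fires for a given MAIL FROM / RCPT TO pair.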