Re: [exim] Replicating an internal messaging system policy w…

Author: exim
Date:  
To: exim-users
Subject: Re: [exim] Replicating an internal messaging system policy with Exim
On 2011, Jun 11, at 17:00, Nigel Metheringham wrote:

>
> On 11 Jun 2011, at 10:18, exim@??? wrote:
>> Behaviour we are pursuing with Exim, only for a particular domain:
>>
>> Among all the domains that are served regularly, a given domain, and only that domain, needs to follow an internal messaging system policy, i.e.:
>>
>> - No emails can be sent to, nor received from, any other domains, hosted on the same server or elsewhere.
>> - Emails regarding that domain are accepted only if sent to, or received from, that particular domain itself.
>
> Personally for a 2 zone setup like this I would consider running 2 separate instances of exim on different IP addresses and with separate configuration and queues.
>
> However, in either a combined or a split out instances configuration, the way you probably want to do this is by making the routers conditional rather than applying additional filters, so
>
> # router for restricted domain - this domain can only send or be sent
> # to itself
> restricted_domain:
> driver = accept
> domains = restricted.doma.in
> senders = *@restricted.doma.in
> transport = local_restricted_delivery
>
> # router for other domains
> other_domains:
> driver = accept
> domains = doma1.in : doma2.in # but not restricted.doma.in
> senders = ! *@restricted.doma.in
> transport = local_normal_delivery
>
> and use the same conditions on the general send-elsewhere router
>
>     Nigel.
> --
> [ Nigel Metheringham ------------------------------ nigel@??? ]
> [                 Ellipsis Intangible Technologies                  ]

Thank you so much for the quick and thorough reply, and for the others' as well.

It took me some time to test your advice, and almost everything works. I wanted to try everything I could before coming back to this list.

To be more precise about the environment for the Exim installation in question: it is a managed server, and we rely on our hosting company's support for most sysadmin tasks. That said, configuring Exim is up to us, but we would be unable to run 2 separate instances of exim on different IP addresses, because our hosting company would not support such a configuration.


> However, in either a combined or a split out instances configuration, the way you probably want to do this is by making the routers conditional rather than applying additional filters, so
>
> # router for restricted domain - this domain can only send or be sent
> # to itself
> restricted_domain:
> driver = accept
> domains = restricted.doma.in
> senders = *@restricted.doma.in
> transport = local_restricted_delivery
>
> # router for other domains
> other_domains:
> driver = accept
> domains = doma1.in : doma2.in # but not restricted.doma.in
> senders = ! *@restricted.doma.in
> transport = local_normal_delivery
>
> and use the same conditions on the general send-elsewhere router

I am out of my depth in Exim configuration. Please bear with me if I say silly or blatantly stupid things for a seasoned Exim administrator.

I could not understand what you mean by "and use the same conditions on the general send-elsewhere router"?

I did add the suggested conditional routers, with the proper domains settings.

But I was unable to send email from the unrestricted domains.

I think the problem lies in my lack of understanding of your last sentence.

I still tried just adding the first part of the suggested code, to the Routers Configuration section, while keeping the original code:

<code>

# router for restricted domain - this domain can only send or be sent to itself
restricted_domain:
  driver = accept
  domains = restricted.doma.in
  senders = *@restricted.doma.in
  transport = local_restricted_delivery

# existing router: refuse mail to non-local domains unless the sender is
# empty (a bounce) or listed in /etc/permitsend
check_outgoing:
  driver = redirect
  domains = ! +local_domains
  senders = ! : ! lsearch;/etc/permitsend
  allow_fail
  data = :fail: you are not allowed to send outside

</code>

This, together with the additional filters almost works, i.e. the restricted domain cannot receive or send emails to other domains, both on and off server.

The problem, though, is that it cannot send emails to even to itself.

Sending a message from test1@??? to test2@??? has exim write the following:

tail -f /var/log/exim_mainlog

<code>

2011-06-14 09:18:16 H=localhost (mail.server.net) [127.0.0.1] Warning: Sender rate 0.0 / 1h
2011-06-14 09:18:16 1QWTVY-0008ME-IA <= test1@??? H=localhost (mail.server.net) [127.0.0.1] P=esmtpa A=dovecot_login:test1@??? S=563 id=38be66efc9f322f109154a7f18f5ff5f@??? T="test2@???"
2011-06-14 09:18:16 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1QWTVY-0008ME-IA
2011-06-14 09:18:16 1QWTVY-0008ME-IA == test2@??? R=restricted_domain defer (-30): transport "local_restricted_delivery" not found in restricted_domain router

</code>


Obviously the transport "local_restricted_delivery" is missing, but I have no idea what such a transport section looks like in the exim config file, nor in which part of that file to put it.

I would be so grateful if you could add the last pieces for a working solution.

I would rather do without the /etc/permitsend part, since it feels a little task intensive. We are going to have about 2000 accounts on that Exim installation, and for each email sent, Exim would have to check the sender against that file.

Wouldn't that be inefficient?

Thank you once again, so much,

Priyadarshan
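An added example (editor's, not the poster's or Nigel Metheringham's configuration) of how the pieces named in this thread fit together: the routers in the order Exim evaluates them, including the sender condition on the general send-elsewhere (dnslookup) router that the reply refers to, and an appendfile transport under the name local_restricted_delivery that the log line above reports as missing. The domain names, the router names and the two transport names come from the thread; the domainlist, the mailbox path /var/mail/$local_part, the remote_smtp transport and the two explicit reject routers are assumptions modelled on Exim's default configuration of that era.

```exim
# Added example: not the poster's or Nigel's configuration.
# Assumed: the domain list, the mailbox path and the transport settings;
# replace them with this server's own values.

domainlist local_domains = restricted.doma.in : doma1.in : doma2.in

begin routers

# 1. Restricted domain to itself. The only router allowed to deliver to
#    restricted.doma.in, and only for senders inside that domain.
restricted_domain:
  driver = accept
  domains = restricted.doma.in
  senders = *@restricted.doma.in
  transport = local_restricted_delivery

# 2. Any other message from a restricted sender has, by now, a recipient
#    outside restricted.doma.in: fail it with an explicit message rather
#    than letting it drop off the end of the list as "unrouteable".
restricted_sender_reject:
  driver = redirect
  senders = *@restricted.doma.in
  allow_fail
  data = :fail: restricted.doma.in may only send to itself

# 3. Mail addressed to restricted.doma.in from anywhere else (other local
#    domains or the internet) is refused the same way.
restricted_domain_reject:
  driver = redirect
  domains = restricted.doma.in
  allow_fail
  data = :fail: restricted.doma.in only accepts mail from itself

# 4. The remaining local domains. The senders condition is redundant with
#    router 2 but states the policy on the router itself, as in the reply.
other_domains:
  driver = accept
  domains = doma1.in : doma2.in
  senders = ! *@restricted.doma.in
  transport = local_normal_delivery

# 5. The general send-elsewhere router, carrying the same sender condition
#    so that nothing from the restricted domain leaves the server.
dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  senders = ! *@restricted.doma.in
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more

begin transports

# The transport named by router 1. Assumed to be a plain mbox delivery;
# on a server whose other domains already deliver through a working
# local transport, copy that transport's definition under this name.
local_restricted_delivery:
  driver = appendfile
  file = /var/mail/$local_part
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  mode = 0660

# Same shape for the transport named by router 4.
local_normal_delivery:
  driver = appendfile
  file = /var/mail/$local_part
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  mode = 0660

# Assumed minimal remote delivery transport for router 5.
remote_smtp:
  driver = smtp
```

Two points worth checking before relying on this. First, the domains and senders conditions are string pattern matches on the envelope addresses and need no file lookup at all, which is why the reply's *@restricted.doma.in patterns avoid the per-message scan of /etc/permitsend that the lsearch router performs; if a per-sender list is still wanted for other reasons, Exim's cdb lookup type is the indexed alternative to lsearch. Second, the envelope sender is not authenticated: the log line above shows the submitting user as A=dovecot_login:test1@..., and a remote host presenting a restricted.doma.in sender would also satisfy router 1, so the routing policy should be paired with an ACL rule that requires restricted.doma.in senders to be authenticated. On Exim 4.93 and later, $local_part is tainted and the appendfile path must use the checked $local_part_data form from the modern default configuration.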