OK - thanks to Phil's kind advice, I have:
================================
begin routers

dnslookup:
  # usual stuff

system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  # $domain is safe inside the path: Exim tests router preconditions in a
  # fixed order and "condition" is tested last, after "domains", so only a
  # domain in +local_domains ever reaches the exists/lookup expansions
  condition = ${if exists{/etc/exim4/domains/$domain/aliases}}
  # whole local part (a "+" suffix included) is the alias key
  data = ${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/aliases}}
  domains = +local_domains
  user = mail
  group = mail
  file_transport = address_file
  pipe_transport = address_pipe

wildcard_user_blacklist:
  driver = redirect
  domains = +local_domains
  local_part_suffix = +*
  # only real local users get a per-user blacklist
  check_local_user
  # runs when the recipient is verified (RCPT time), never at delivery
  verify_only
  allow_fail
  # router is skipped silently if the user has no blacklist for this domain
  require_files = $home/.mailblacklist-$domain
  # the user lists "user+suffix" keys, one per line, in the blacklist file
  condition = ${lookup{${local_part}${local_part_suffix}}\
                lsearch{$home/.mailblacklist-$domain}{yes}{no}}
  data = :fail: Recipient blocked by user

wildcard:
  driver = redirect
  domains = +local_domains
  local_part_suffix = +*
  local_part_suffix_optional
  condition = ${if def:local_part_suffix}
  # strip the suffix and re-route from the top; no check_local_user here,
  # so a system alias gets a "+" form as well (see note 3)
  data = $local_part@$domain

userforward:
  # usual stuff

localuser:
  # usual stuff
================================
That works well - it means that for emails of the form
<localusername>+<blah>@<somedomain>
the recipient addresses can be blocked by the user in
$HOME/.mailblacklist-<somedomain>
Couple of notes:
1) I have a multi domain setup anyway
2) I decided to go for "+" as a separator as it is more usual for this
application
3) The ordering of the routers and lack of check_local_user on the
wildcard router allow a system alias to also support a "+" form too -
useful for grocery shopping online when me+SWMBO use an alias so we both
get emails - e.g. boss+ocado@??? where
[boss me,her] is in the alias file
3a) However (and it is logical) a "+" form on an alias cannot be blocked
with the user level blacklist.
So I also have a global blacklist done in the RCPT acl:
==================================
check_recipient:
  # local parts containing routing/path metacharacters, or starting with
  # a dot, are refused outright
  deny    local_parts = ^.*[@%!/|] : ^\\.

  # global per-domain blacklist: the key is the whole local part, suffix
  # included, so an aliased "+" form can be blocked here (see note 3a);
  # "domains" is listed first so $domain is a local domain before it is
  # used in a path (ACL conditions are tested in the order written)
  deny    domains = +local_domains
          condition = ${if exists{/etc/exim4/domains/$domain/blacklist}}
          condition = ${lookup{${local_part}}\
                        lsearch{/etc/exim4/domains/$domain/blacklist}{true}{false}}
          logwrite = Recipient address $local_part@$domain blocked by \
                     global blacklist /etc/exim4/domains/$domain/blacklist
          message = Recipient globally blocked

  # locally submitted (non-SMTP) mail
  accept  hosts = :

  accept  local_parts = postmaster
          domains = +local_domains

  accept  domains = +local_domains
          endpass
          # this text replaces the router's ":fail:" text in the SMTP reply;
          # the router's text is still available in $acl_verify_message
          message = Unknown recipient
          verify = recipient

  accept  hosts = +relay_from_hosts

  require verify = sender

  # relaying for authenticated clients, but only over TLS
  accept  authenticated = *
          condition = ${if eq{$tls_cipher}{}{0}{1}}

  # reject all remaining (non-authenticated or non-TLS) port 587
  deny    message = authentication required for 587 connections
          condition = ${if eq{$interface_port}{587}{1}{0}}

  deny    message = authentication required from off-site
==================================
That seems to work pretty well and both the local and system wide
blacklists reject at SMTP time which is exactly what I wanted (helps
kill off the ratware with less chances of bad bounces to innocents).
Cheers,
Tim
--
Tim Watts
Personal Blog:
http://www.dionic.net/tim/
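A model of the recipient decision sequence in the posted configuration, as an added example that is not part of Tim's message and is not Exim code: it re-implements in Python the order in which the check_recipient ACL and the router chain above handle one RCPT TO address, reading the same "key: data" lsearch file format Exim's lsearch lookup reads, so that the consequences described in notes 3 and 3a can be checked without a running MTA. The domain example.org, the users tim/me/her, their home directories and every file's contents are constructed assumptions; suffix handling is simplified to a split at the first "+".

```python
"""Model of the recipient checks in the posted Exim config.

Added example: this is not Exim and not part of the original post. It
re-implements the decision sequence the posted check_recipient ACL and
router chain apply to one recipient. Domains, users, paths and file
contents below are constructed sample data (assumptions).
"""
import re

LOCAL_DOMAINS = {"example.org"}
# Local users and their $home (check_local_user / require_files).
LOCAL_USERS = {"tim": "/home/tim", "me": "/home/me", "her": "/home/her"}
# Constructed stand-ins for /etc/exim4/domains/<domain>/{aliases,blacklist}
# and ~/.mailblacklist-<domain>, keyed by the paths the posted config uses.
FILES = {
    "/etc/exim4/domains/example.org/aliases": "boss: me,\n  her\n",
    "/etc/exim4/domains/example.org/blacklist": "# site-wide\nboss+ocado:\n",
    "/home/tim/.mailblacklist-example.org": "tim+spam:\nTim+OldShop\n",
}
# ACL: deny local_parts = ^.*[@%!/|] : ^\\.
BAD_LOCAL_PART = re.compile(r"^.*[@%!/|]|^\.")


def lsearch(path, key):
    """Exim-style lsearch: first line whose key (ended by ':', white space
    or end of line) equals `key` case-insensitively. '#' lines are comments;
    lines starting with white space continue the previous line's data.
    Returns the data ('' for a bare 'key:' line) or None if not found."""
    text = FILES.get(path)
    if text is None:
        return None
    found = None
    for line in text.splitlines():
        if found is not None:
            if line[:1].isspace():
                found = (found + " " + line.strip()).strip()
                continue
            break
        if not line.strip() or line.startswith("#"):
            continue
        m = re.match(r"([^:\s]+)\s*:?\s*(.*)$", line)
        if m and m.group(1).lower() == key.lower():
            found = m.group(2).strip()
    return found


def route(local_part, domain, depth=0):
    """Walk the posted router chain at verify time.
    Returns ('deliver', [addresses]) or ('fail', reason). Redirected
    addresses re-enter the chain from the top, as Exim does."""
    if depth > 10:
        return ("fail", "redirect loop")
    # system_aliases: the full local part (suffix included) is the key.
    data = lsearch(f"/etc/exim4/domains/{domain}/aliases", local_part)
    if data is not None:
        delivered = []
        for addr in (a.strip() for a in data.split(",") if a.strip()):
            lp, _, dom = addr.partition("@")
            verdict, detail = route(lp, dom or domain, depth + 1)
            if verdict == "fail":
                return (verdict, detail)
            delivered.extend(detail)
        return ("deliver", delivered)
    user, plus, rest = local_part.partition("+")
    suffix = plus + rest                      # local_part_suffix = +*
    # wildcard_user_blacklist: suffix present, base is a local user
    # (check_local_user), the blacklist file exists (require_files) and
    # "user+suffix" is a key in it.
    if suffix and user in LOCAL_USERS:
        bl = f"{LOCAL_USERS[user]}/.mailblacklist-{domain}"
        if bl in FILES and lsearch(bl, user + suffix) is not None:
            return ("fail", "Recipient blocked by user")
    # wildcard: drop the suffix and re-route. No check_local_user, so an
    # alias gets a "+" form too (note 3); but an alias base is not a local
    # user, so the user blacklist router above never sees it (note 3a).
    if suffix:
        return route(user, domain, depth + 1)
    # userforward / localuser ("usual stuff" in the post): a local mailbox.
    if local_part in LOCAL_USERS:
        return ("deliver", [f"{local_part}@{domain}"])
    return ("fail", "Unknown recipient")


def rcpt(local_part, domain):
    """The posted check_recipient ACL for one RCPT TO (local domains only).
    Returns (verdict, smtp_message, detail): detail is the list of final
    addresses on accept, or the router's own reason on a verify failure."""
    if domain not in LOCAL_DOMAINS:
        return ("deny", "relay policy not modelled", None)
    if BAD_LOCAL_PART.match(local_part):
        return ("deny", "Administrative prohibition", None)  # Exim default
    # Global blacklist: whole local part, suffix included (note 3a remedy).
    if lsearch(f"/etc/exim4/domains/{domain}/blacklist", local_part) is not None:
        return ("deny", "Recipient globally blocked", None)
    if local_part == "postmaster":
        return ("accept", "", [f"postmaster@{domain}"])
    verdict, detail = route(local_part, domain)
    if verdict == "deliver":
        return ("accept", "", detail)
    # endpass + message: the ACL text goes on the wire; the router's
    # ":fail:" text is what Exim leaves in $acl_verify_message.
    return ("deny", "Unknown recipient", detail)


if __name__ == "__main__":
    for a in ("tim", "tim+shop", "tim+spam", "boss", "boss+tesco", "boss+ocado"):
        print(f"{a}@example.org -> {rcpt(a, 'example.org')}")
```

Running it shows tim+spam refused by the user's file, boss+tesco expanding to me and her through the wildcard and alias routers, and boss+ocado stopped only by the site-wide blacklist, which is the split between the two blacklists the message describes.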