Re: [exim] ACLs and forward computation of final local_part …

Top Pagina
Delete this message
Reply to this message
Auteur: Tim Watts
Datum:  
Aan: exim-users
Onderwerp: Re: [exim] ACLs and forward computation of final local_part after redirects
OK - thanks to Phil's kind advice, I have:

================================
begin routers

dnslookup:
    # usual stuff


system_aliases:
    driver = redirect
    allow_fail
    allow_defer
    condition = ${if exists{/etc/exim4/domains/$domain/aliases}}
    data = ${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/aliases}}
    domains = +local_domains
    user = mail
    group = mail
    file_transport = address_file
    pipe_transport = address_pipe


wildcard_user_blacklist:
    driver = redirect
    domains = +local_domains
    local_part_suffix = +*
    check_local_user
    verify_only
    allow_fail
    require_files = $home/.mailblacklist-$domain
    condition = 
${lookup{${local_part}${local_part_suffix}}lsearch{$home/.mailblacklist-$domain} 
{yes}{no}}
    data = :fail: Recipient blocked by user


wildcard:
    driver = redirect
    domains = +local_domains
    local_part_suffix = +*
    local_part_suffix_optional
    condition =  ${if def:local_part_suffix}
    data = $local_part@$domain


userforward:
    #usual stuff


localuser:
    # usual stuff
================================


That works well - means that for emails of the form
<localusername>+<blah>@<somedomain>

the recipent addresses can be blocked by the user in
$HOME/.mailblacklist-<somedomain>

Couple of notes:

1) I have a multi domain setup anyway
2) I decided to go for "+" as a separator as it is more usual for this
application
3) The ordering of the routers and lack of check_local_user on the
wildcard router allow a system alias to also support a "+" form too -
useful for grocery shopping online when me+SWMBO use an alias so we both
get emails - eg boss+ocado@??? where
[boss me,her] is in the alias file
3a) However (and it is logical) a "+" form on an alias cannot be blocked
with the user level blacklist.

So I also have a global blacklist done in the RCPT acl:

==================================
check_recipient:

deny     local_parts = ^.*[@%!/|] : ^\\.


deny domains = +local_domains
   condition = ${if exists{/etc/exim4/domains/$domain/blacklist}}
   condition = 
${lookup{${local_part}}lsearch{/etc/exim4/domains/$domain/blacklist}{true}{false}}
   logwrite = Recipient address $local_part@$domain blocked by \
     global blacklist /etc/exim4/domains/$domain/blacklist
   message = Recipient globally blocked


accept hosts = :

accept local_parts = postmaster
        domains = +local_domains


accept domains = +local_domains
        endpass
        message = Unknown recipient
        verify = recipient

    
accept hosts = +relay_from_hosts

require verify = sender

accept authenticated = *
        condition = ${if eq{$tls_cipher}{}{0}{1}}


# reject all remaining (non-authenticated or non-TLS) port 587
deny message = authentication required for 587 connections
      condition = ${if eq{$interface_port}{587}{1}{0}}


deny message = authentication required from off-site

==================================

That seems to work pretty well and both the local and system wide
blacklists reject at SMTP time which is exactly what I wanted (helps
kill off the ratware with less chances of bad bounces to innocents).

Cheers,

Tim

--
Tim Watts
Personal Blog: http://www.dionic.net/tim/