Re: [exim] Block/reject outgoing mail from some domain

Top Page
Delete this message
Reply to this message
Author: Todd Lyons
Date:  
To: tony ha
CC: exim-users@exim.org
Subject: Re: [exim] Block/reject outgoing mail from some domain
On Wed, May 22, 2013 at 9:39 PM, tony ha <tonyha1090@???> wrote:
>
> I want to block three domain (spam1.com, spam2.com, spam3.com) send
> outgoing mail. I have configured exim.conf :
> ################# Block domain #######################
> reject_domains:
> driver = redirect

<snip>
> ####################### End block #####################
>
> Everything work fine, but domain spam1.com, spam2.com, spam3.com can't
> receive mail . I just want to reject/block outgoing mail but not
> reject/block incoming mail.


You are using a router to determine when to block an outbound email.
That's an inefficient way to do it and it's also IMHO a bad way to do
it. Instead, reject it during SMTP time at the appropriate ACL.
Somewhere very early in your MAIL acl (where a mail server determines
if the MAIL FROM is a valid sender for your system), you probably only
need to add this:

deny   message = SMTP Auth email blocked from $domain
          domains = +exim_blacklist
          authenticated = *


That will block email submitted by users from one of those three
domains if the connection is made with SMTP Auth (which is what you
seemed to describe in your original request).

Note that this will not block the case where:
1. User authenticates with username@??? and...
2. Sends email with From: header username@??? (which is what all
MUA's will show).

If you want to also block emails where the From: header may also
contain those domains, then you need to add to the DATA ACL something
to catch and detect it. The following is untested:

deny    message = Spammer forged From header
           set acl_m_hdrfrom =
${domain:${extract{1}{:}{${addresses:$header_From:}}}}
           condition = ${if
match_domain{$acl_m_hdrfrom}{+exim_blacklist}{yes}{no}}
           # maybe this too if only for smtp authenticated senders:
           # authenticated = *


Note that the ${addresses:...} method that I posted above will have an
issue if the local_part of the email address actually has a colon in
it, because the ${extract...} function looks for email addresses
separated by a colon and picks the first one.

...Todd
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine