Re: [exim] Smarthost route and ACL Question

Author: Mike Brudenell
Date:  
To: Sebastien.Boulianne
CC: Exim Users
Subject: Re: [exim] Smarthost route and ACL Question
Hi, Sebastien -

You've not told us what domains are in the named lists, which makes it
difficult to diagnose. However my hunch is that in the second router the
problem might be you're using

domains = +relay_to_domains


which selects this router when the recipient's domain appears in your
*relay_to_domains* named list. I suspect you might mean

hosts = +relay_from_hosts


instead? (You say you want to allow relaying from hosts named in
relay_from_hosts but then don't use that named list in your router!) The
above will select this router when the IP address of the system connecting
to your server is listed in the *relay_from_hosts* list and seems to match
what you describe as trying to achieve.

By the way, if you're looking to reject messages not matching your criteria
I'd personally be doing this with ACLs rather than routers. To me ACLs
control *whether* to accept or reject a message, and routers *how* to route
them and to where after you've decided to accept them. (Although of course
routers can reject messages if need be but must do so explicitly.)

For example your first router won't reject messages arriving for "@domain.ca"
recipient addresses other than <operateurs@???> and <backup@???>
but merely decline to handle them, passing them on to later routers. If
none of them handle the message you'll get the rather poor generic "failed
to route message" (sic) rejection response.

I'd probably look at something like this (untested!) fragment in the rcpt
ACL:

# Accept mail originating from internal client systems to any recipient anywhere.
# (This includes to any local part for domains listed in relay_to_domains.)
accept hosts       = +relay_from_hosts

# Accept mail from anywhere if it's to "operateurs" or "backup" in any of the
# domains we relay onward to.
accept local_parts = operateurs : backup
       domains     = +relay_to_domains

# Reject messages from anywhere to any other recipient in any of the domains
# we relay onward to.
deny   message     = Invalid recipient mailbox
       domains     = +relay_to_domains

*Caution:* The above ACLs would need testing and looking at in the context
of your other ACLs to sort out their ordering and positioning. Make sure
you don't open your service up to unauthorised relaying, especially from
external clients!

Your routers can then concentrate on the routing of the delivery and
selecting the transport.

Finally, if this domain is one that sends email out remember you should
also accept mail to the "postmaster" and "abuse" addresses as well so that
someone can monitor them.

Cheers,
Mike B-)

On 17 February 2016 at 20:47, <Sebastien.Boulianne@???> wrote:

> Hi all,
>
>
> 1.    I want to allow emails from external to internal with a destination of
> operateurs@???<mailto:operateurs@domain.ca> and backup@???
> <mailto:backup@domain.ca> ONLY.
>
> 2.    I want to allow hosts listed in relay_from_hosts to use this server
> to relay any emails internally or externally.
>
> My smarthost routes : http://pastebin.com/kaMZWDaA
>
> The first smarthost route works perfectly.
>
> The second works perfectly too but it allows anyone to use this relay host
> if he sends an email with anyuser@???<mailto:anyuser@domain.ca> as
> destination address.
> Anyone can give me a clue how to build a good ACL for that ?
>
> Thank you very much for your answer and your time.
>
> Sébastien
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/

--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
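A small Python model of how Exim would evaluate the rcpt ACL fragment in Mike's reply, added here as an example; it is not code from the post or from Exim itself. The contents of the two named lists and the client IP addresses are constructed, and the evaluation is simplified to the three conditions the fragment uses (hosts, local_parts, domains).

```python
import ipaddress
from dataclasses import dataclass

# Named lists, constructed for this example; the thread never shows the real ones.
RELAY_FROM_HOSTS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("127.0.0.1/32")]
RELAY_TO_DOMAINS = {"domain.ca"}

@dataclass
class Statement:
    verb: str                 # "accept" or "deny"
    hosts: list = None        # networks the connecting IP must fall in
    local_parts: set = None   # permitted local parts (left of the "@")
    domains: set = None       # permitted recipient domains
    message: str = ""         # text returned with a deny

# The rcpt ACL fragment from the post, transcribed statement by statement.
RCPT_ACL = [
    Statement("accept", hosts=RELAY_FROM_HOSTS),
    Statement("accept", local_parts={"operateurs", "backup"}, domains=RELAY_TO_DOMAINS),
    Statement("deny", domains=RELAY_TO_DOMAINS, message="Invalid recipient mailbox"),
]

def check_rcpt(sender_ip, recipient, acl=RCPT_ACL):
    """Model of Exim ACL evaluation: conditions inside one statement are ANDed,
    statements are tried top to bottom, the first one whose conditions all hold
    supplies the verdict, and reaching the end of the ACL means deny."""
    local_part, _, domain = recipient.rpartition("@")
    ip = ipaddress.ip_address(sender_ip)
    for stmt in acl:
        if stmt.hosts is not None and not any(ip in net for net in stmt.hosts):
            continue
        if stmt.local_parts is not None and local_part not in stmt.local_parts:
            continue
        if stmt.domains is not None and domain.lower() not in stmt.domains:
            continue
        return stmt.verb, stmt.message
    return "deny", "end of ACL reached"   # implicit deny, no explicit statement matched

if __name__ == "__main__":
    for ip, rcpt in [("192.0.2.10", "anyone@example.org"),     # internal host relaying outward
                     ("203.0.113.5", "operateurs@domain.ca"),  # external sender to a permitted mailbox
                     ("203.0.113.5", "anyuser@domain.ca"),     # the open-relay case from the question
                     ("203.0.113.5", "postmaster@domain.ca")]: # also denied; see the post's last point
        print(ip, rcpt, check_rcpt(ip, rcpt))
```

The last case shows why the post's closing remark matters: with only these three statements, postmaster and abuse mail for the relayed domain is rejected along with everything else.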