Greetings -
I'd say you want to add one or more ACLs to *acl_smtp_rcpt* to check the
sending host's IP address (held in *$sender_host_address*) and the domain
of the recipient address.
Whilst you could include the data for these within your Exim configuration
file you might benefit from abstracting them into external files or a
database. For example, depending how you want to arrange and abstract
things, you could:
1. Have one text file that maps IP addresses and/or netblocks to group
names:
1.1.1.1 Group1
1.1.1.2 Group1
1.1.1.3 Group1
1.2.0.0/24 Group1
2.2.2.1 Group2
2.2.2.2 Group2
2.2.2.3 Group2
…etc…
2. Have another text file that uses the group names as the key and lists
the recipient domain names they're allowed to send to:
Group1 domain1 : domain1a : domain1b
Group2 domain2 : domain2a : domain2b
Group3 *
3. Create an ACL and…
1. Use a *hosts* ACL condition with an *iplsearch* to look through the
first file for the IP address of the host transmitting to you and get its
group id (the value of the entry found) stored in the *$host_data*
variable. (You'll need to decide what action to take if the IP address
isn't found: deny all mail? allow mail to anywhere?)
2. Use a *domains* ACL condition with an *lsearch* to look up the
group id in the second file to check if the recipient domain is permitted
for that group id. (You'll need to decide what to do if the group id isn't
found in the second file: deny all mail? allow mail to anywhere? You'll
also need to make sure that the "*" or whatever you use to signify "OK to
email any domain" works.)
Perhaps something like this *untested* (and probably syntactically wrong!)
ACL (that probably won't do what you want anyway) that might get you
started:
deny hosts = iplsearch;/etc/exim4/ips-to-group-names
! domains = ${lookup {$host_data} lsearch
{/etc/exim4/groups-can-send-to}}
With my luck today it's probably wrong but might at least give you a
seed-thought to play with. I was trying for an ACL that would *deny* the
recipient address of the incoming message…
- if the IP address of the host transmitting it to you *is* in the first
"ips-to-group-names" file, *and*
- the domain of the recipient address is *not* listed as a valid
recipient domain for the list of domains that group id can send to (as
listed in the second "groups-can-send-to" file).
Specifically:
- The *hosts* condition uses *iplsearch* to look up the IP address of
the sending host within the "ips-to-group-names" file.
- If it *fails* to find the IP address the *hosts* condition *fails* so
the *deny* will *not* be executed for this recipient and testing will
pass on to any later ACLs;
- If it *does* find the IP address in the file then the *hosts* condition
*succeeds* and the next condition is tested. As a side-effect Exim
places the data from the line (your group id for this IP address) into the
*$host_data* variable, which we'll use in the next condition…
- The next condition is *domains* and looks up the domain of this
recipient's address within a domain list.
- The domain list is found by using *lookup* with an *lsearch* to look
for the value of *$host_data* (which contains the group id for the
sending host's IP address you looked up a moment ago) in the
"groups-can-send-to" file. So make sure this file has proper
colon-separated lists of domains as the value of its entries!
- If the domain of the recipient's address is *not* found the overall
condition *succeeds* (because it's negated) so the *deny* verb *will*
operate and *reject* this recipient;
- If the domain of the recipient's address *is* found (meaning this group
id is allowed to send to it) then because of the negation the overall
condition *fails* so the *deny* verb *doesn't* operate and the
recipient address is *not* rejected.
You'll need to check what happens if the domain list has the value "*" (as
for "Group3" in my example above), which after expansion would make the
line become
! domains = *
I'm pretty sure that "*" will match any domain name, so the negated form
will *fail* and mean the *deny* verb *doesn't* operate so the recipient
address *wouldn't* be rejected by it … which I think is what you want.
Don't you just love double negatives?! :-)
Alternatively you could use a single file that uses IP addresses/netblocks
as the keys and the domain list of domains that IP can send to as the
value. This would eliminate the need for two searches and the group ids, at
the expense of you repeating the list of domains allowed for each line.
You can read more about:
- ACLs and their conditions in chapter 43 of the Exim specification
<http://www.exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html>
- File and Database Lookups in chapter 9 of the Exim specification
<http://www.exim.org/exim-html-current/doc/html/spec_html/ch-file_and_database_lookups.html>
Cheers,
Mike B-)
On 19 June 2016 at 23:13, 3YSTech Services <3ystechservices@???> wrote:
> Hi ,
>
> I have need to restrict some IPs to send to pre-defined set of domains. I
> have 2 sets of IPs with 2 corresponding sets of domains, the 3rd group is
> allowed to send to any domains.
>
> How to achieve that..I have put sample of IP and Domain list files.
>
> The relay authorized IPs are listed on file one IP per line.
>
> Group1
> 1.1.1.1
> 1.1.1.2
> 1.1.1.3
>
> Group1 Domains
>
> domain1
> domain1a
> domain1b
>
> Group2
> 2.2.2.1
> 2.2.2.2
> 2.2.2.3
>
> Group2 Domains
> domain2
> domain2a
> domain2b
>
>
> Group3
> 3.3.3.1
> 3.3.3.2
> 3.3.3.3
>
> Group3 Domains
>
> Any domain
--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811
Web: www.york.ac.uk/it-services
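An added offline model of the two-file lookup and the negated *domains* condition discussed in the reply above (example code, not Exim's own lookup code and not part of the original thread). It mimics `hosts = iplsearch;FILE` followed by `! domains = ${lookup {$host_data} lsearch {FILE2}}` closely enough to sanity-check the data files and the double-negative deny logic before touching the MTA; the sample tables, file layout and the "empty expansion when the group id is missing" behaviour are assumptions, and quoted keys and IPv6 entries are not modelled.

```python
import ipaddress

# Constructed sample data mirroring the two files sketched in the reply.
IPS_TO_GROUPS = """\
1.1.1.1      Group1
1.1.1.2      Group1
1.2.0.0/24   Group1
2.2.2.1      Group2
3.3.3.1      Group3
"""
GROUPS_CAN_SEND_TO = """\
Group1   domain1 : domain1a : domain1b
Group2   domain2 : domain2a : domain2b
Group3   *
"""

def iplsearch(table, addr):
    """Like Exim's iplsearch: first host or CIDR key containing addr wins."""
    ip = ipaddress.ip_address(addr)
    for line in table.splitlines():
        key, _, data = line.partition(" ")
        if not key:
            continue
        if ip in ipaddress.ip_network(key, strict=False):
            return data.strip()        # this becomes $host_data
    return None                        # hosts condition fails

def lsearch(table, key):
    """Like Exim's lsearch: exact match on the first field, rest is data."""
    for line in table.splitlines():
        k, _, data = line.partition(" ")
        if k == key:
            return data.strip()
    return None  # Exim expands the lookup to "" -> an empty domain list

def domain_in_list(domain_list, domain):
    """Domain-list items used here: plain name (case-insensitive) or '*'."""
    for item in (i.strip() for i in domain_list.split(":")):
        if item == "*" or (item and item.lower() == domain.lower()):
            return True
    return False

def rcpt_denied(sender_ip, rcpt_domain):
    """Return True when the 'deny' verb in the proposed ACL would fire."""
    host_data = iplsearch(IPS_TO_GROUPS, sender_ip)
    if host_data is None:
        return False              # unknown IP: hosts fails, deny skipped
    allowed = lsearch(GROUPS_CAN_SEND_TO, host_data) or ""
    # '! domains = <list>' succeeds (so deny fires) when domain is NOT listed
    return not domain_in_list(allowed, rcpt_domain)
```

Note that with the modelled "empty expansion" behaviour an IP mapped to a group id that is absent from the second file is denied for every domain, which is one of the decisions the reply says you must make explicitly.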