Re: [exim] Routing to specific domains

From: Mike Brudenell
Date:
To: Exim Users
Subject: Re: [exim] Routing to specific domains
Greetings -

I'd say you want to add one or more ACLs to *acl_smtp_rcpt* to check the
sending host's IP address (held in *$sender_host_address*) and the domain
of the recipient address.

Whilst you could include the data for these within your Exim configuration
file you might benefit from abstracting them into external files or a
database. For example, depending how you want to arrange and abstract
things, you could:

   1. Have one text file that maps IP addresses and/or netblocks to group
   names:
   1.1.1.1    Group1
   1.1.1.2    Group1
   1.1.1.3    Group1
   1.2.0.0/24    Group1
   2.2.2.1    Group2
   2.2.2.2    Group2
   2.2.2.3    Group2
   …etc…


   2. Have another text file that uses the group names as the key and lists
   the recipient domain names they're allowed to send to:
   Group1    domain1 : domain1a : domain1b
   Group2    domain2 : domain2a : domain2b
   Group3    *


   3. Create an ACL and…

      1. Use a *hosts* ACL condition with an *iplsearch* to look through the
         first file for the IP address of the host transmitting to you and get
         its group id (the value of the entry found) stored in the *$host_data*
         variable. (You'll need to decide what action to take if the IP address
         isn't found: deny all mail? allow mail to anywhere?)

      2. Use a *domains* ACL condition with an *lsearch* to look up the group
         id in the second file to check if the recipient domain is permitted
         for that group id. (You'll need to decide what to do if the group id
         isn't found in the second file: deny all mail? allow mail to anywhere?
         You'll also need to make sure that the "*" or whatever you use to
         signify "OK to email any domain" works.)


Perhaps something like this *untested* (and probably syntactically wrong!)
ACL (that probably won't do what you want anyway) that might get you
started:

   deny hosts   = iplsearch;/etc/exim4/ips-to-group-names
        !domains = ${lookup{$host_data}lsearch{/etc/exim4/groups-can-send-to}}

With my luck today it's probably wrong but might at least give you a
seed-thought to play with. I was trying for an ACL that would *deny* the
recipient address of the incoming message…

- if the IP address of the host transmitting it to you *is* in the first
"ips-to-group-names" file, *and*
- the domain of the recipient address is *not* listed as a valid
recipient domain for the list of domains that group id can send to (as
listed in the second "groups-can-send-to" file).

Specifically:

- The *hosts* condition uses *iplsearch* to look up the IP address of
  the sending host within the "ips-to-group-names" file.

   - If it *fails* to find the IP address the *hosts* condition *fails* so
     the *deny* will *not* be executed for this recipient and testing will
     pass on to any later ACLs;

   - If it *does* find the IP address in the file then the *hosts* condition
     *succeeds* and the next condition is tested. As a side-effect Exim
     places the data from the line (your group id for this IP address) into
     the *$host_data* variable, which we'll use in the next condition…

- The next condition is *domains* and looks up the domain of this
  recipient's address within a domain list.

   - The domain list is found by using *lookup* with an *lsearch* to look
     for the value of *$host_data* (which contains the group id for the
     sending host's IP address you looked up a moment ago) in the
     "groups-can-send-to" file. So make sure this file has proper
     colon-separated lists of domains as the value of its entries!

   - If the domain of the recipient's address is *not* found the overall
     condition *succeeds* (because it's negated) so the *deny* verb *will*
     operate and *reject* this recipient;

   - If the domain of the recipient's address *is* found (meaning this group
     id is allowed to send to it) then because of the negation the overall
     condition *fails* so the *deny* verb *doesn't* operate and the
     recipient address is *not* rejected.


You'll need to check what happens if the domain list has the value "*" (as
for "Group3" in my example above), which after expansion would make the
line become

   !domains = *


I'm pretty sure that "*" will match any domain name, so the negated form
will *fail* and mean the *deny* verb *doesn't* operate so the recipient
address *wouldn't* be rejected by it … which I think is what you want.

Don't you just love double negatives?! :-)

Alternatively you could use a single file that uses IP addresses/netblocks
as the keys and the domain list of domains that IP can send to as the
value. This would eliminate the need for two searches and the group ids, at
the expense of you repeating the list of domains allowed for each line.

You can read more about:

- ACLs and their conditions in chapter 43 of the Exim specification
<http://www.exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html>
- File and Database Lookups in chapter 9 of the Exim specification
<http://www.exim.org/exim-html-current/doc/html/spec_html/ch-file_and_database_lookups.html>

Cheers,
Mike B-)

On 19 June 2016 at 23:13, 3YSTech Services <3ystechservices@???>
wrote:

> Hi,
>
> I need to restrict some IPs to sending to a pre-defined set of domains. I
> have 2 sets of IPs with 2 corresponding sets of domains; the 3rd group is
> allowed to send to any domain.
>
> How to achieve that? I have put a sample of the IP and domain list files.
>
> The relay authorized IPs are listed on file one IP per line.
>
> Group1
> 1.1.1.1
> 1.1.1.2
> 1.1.1.3
>
> Group1 Domains
>
> domain1
> domain1a
> domain1b
>
> Group2
> 2.2.2.1
> 2.2.2.2
> 2.2.2.3
>
> Group2 Domains
> domain2
> domain2a
> domain2b
>
>
> Group3
> 3.3.3.1
> 3.3.3.2
> 3.3.3.3
>
> Group3 Domains
>
> Any domain
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
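The following is an added example, not Mike's ACL and not Exim's own code: a small Python model of the two-lookup decision described in the message, run offline against constructed copies of the "ips-to-group-names" and "groups-can-send-to" files. It lets you table the outcome for each sender IP and recipient domain, including the three cases Mike says you must decide on (IP not in the first file, group id not in the second file, and a "*" entry). Assumptions, not confirmed Exim behaviour: the iplsearch model returns the first matching line in file order; a group id missing from the second file is treated as an empty permitted list (so the negated *domains* condition succeeds and the deny fires); domain-list items are matched as "*" (anything), a leading "*" (suffix match), or an exact case-insensitive name. The helper `unmapped_groups` is a hypothetical consistency check added here.

```python
"""Offline model of a deny ACL built from an iplsearch on sender IP and an
lsearch on the resulting group id. Sample files below are constructed."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed stand-in for /etc/exim4/ips-to-group-names (IP or CIDR -> group).
IPS_TO_GROUP_NAMES = """\
# constructed sample; comment lines are skipped by this model
1.1.1.1       Group1
1.1.1.2       Group1
1.2.0.0/24    Group1
2.2.2.1       Group2
3.3.3.1       Group3
4.4.4.4       Group4
"""

# Constructed stand-in for /etc/exim4/groups-can-send-to (group -> domain list).
# Note: Group4 is deliberately absent to exercise the "group id not found" case.
GROUPS_CAN_SEND_TO = """\
Group1    domain1 : domain1a : domain1b
Group2    domain2 : domain2a : domain2b
Group3    *
"""


def parse_keyed_file(text: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs in file order; blanks and '#' lines skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        rows.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return rows


def iplsearch(text: str, ip: str) -> Optional[str]:
    """Model of iplsearch: keys are single IPs or CIDR netblocks.
    Assumption: first matching line in file order wins."""
    addr = ipaddress.ip_address(ip)
    for key, value in parse_keyed_file(text):
        try:
            net = ipaddress.ip_network(key, strict=False)
        except ValueError:
            continue  # malformed key: never matches
        if addr in net:
            return value
    return None


def lsearch(text: str, key: str) -> Optional[str]:
    """Model of lsearch: exact key match, first hit wins."""
    for k, v in parse_keyed_file(text):
        if k == key:
            return v
    return None


def domain_matches(pattern: str, domain: str) -> bool:
    """Modelled domain-list item semantics (assumption, see lead-in)."""
    pattern, domain = pattern.strip().lower(), domain.strip().lower()
    if pattern == "*":
        return True
    if pattern.startswith("*"):
        return domain.endswith(pattern[1:])
    return pattern == domain


def split_domain_list(value: str) -> List[str]:
    """Colon-separated list, as the second file's values are expected to be."""
    return [item for item in (s.strip() for s in value.split(":")) if item]


def acl_verdict(sender_ip: str, recipient_domain: str,
                ips_file: str = IPS_TO_GROUP_NAMES,
                groups_file: str = GROUPS_CAN_SEND_TO) -> Tuple[str, str]:
    """Return ("deny", why) if the modelled deny statement fires, else
    ("pass", why) meaning later ACLs decide."""
    group = iplsearch(ips_file, sender_ip)
    if group is None:
        return "pass", "hosts condition failed: IP not in ips-to-group-names"
    permitted = lsearch(groups_file, group)
    if permitted is None:
        permitted = ""  # assumption: failed lookup expands to an empty list
    for pattern in split_domain_list(permitted):
        if domain_matches(pattern, recipient_domain):
            return "pass", f"{group} may send to {recipient_domain}"
    return "deny", f"{group} may not send to {recipient_domain}"


def unmapped_groups(ips_file: str = IPS_TO_GROUP_NAMES,
                    groups_file: str = GROUPS_CAN_SEND_TO) -> List[str]:
    """Hypothetical pre-deployment check: group ids used in the first file
    that have no entry in the second (every such sender would be denied)."""
    known = {k for k, _ in parse_keyed_file(groups_file)}
    used = [v for _, v in parse_keyed_file(ips_file)]
    return sorted({g for g in used if g not in known})


if __name__ == "__main__":
    for ip, dom in [("1.1.1.1", "domain1"), ("1.1.1.1", "domain2"),
                    ("1.2.0.77", "domain1b"), ("3.3.3.1", "any.example"),
                    ("9.9.9.9", "domain1"), ("4.4.4.4", "domain1")]:
        print(f"{ip:>10} -> {dom:<12} {acl_verdict(ip, dom)}")
    print("groups with no domain list:", unmapped_groups())
```

Running it prints one line per (IP, domain) pair; the last line lists any group id that appears in the first file but not the second, which is the case Mike flags as needing a deliberate decision rather than falling through to whatever the empty expansion happens to do.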