On 2016-08-03, Jason <silo82@???> wrote:
> Hi,
> Is it possible for Exim to verify outgoing mail when using a smarthost?
> Specifically, I'm looking to have Exim verify (using dnslookup) that the
> domain exists for the recipient. If the domain returns NXDOMAIN (or some
> other DNS error), defer it, if DNS exists, continue with the routing. I
> tried the following:
>
> # Verify the recipient domain exists in DNS before sending to the relay.
> verify_address:
> debug_print = "R: verify_address for $domain"
> driver = dnslookup
> domains = ! +local_domains
> verify_only
>
> smarthost:
> debug_print = "R: smarthost for $local_part@$domain"
> driver = manualroute
> domains = ! +local_domains
> transport = remote_smtp_smarthost
> route_list = * DCsmarthost byname
> host_find_failed = defer
> same_domain_copy_routing = yes
> no_verify
> no_more
>
> And it seems to work during testing:

if you want it to actually block acceptance of emails you'll need
"verify=recipient" in the SMTP_RCPT ACL

  defer
    !verify=recipient

or if you want to treat NXDOMAIN as a permanent error

  require
    verify=recipient

> However, when sending a test message to an NXDOMAIN, exim happily forwards
> it to the smarthost:
>
> 2016-08-03 08:07:28 1bUvtQ-0007bm-Vh <= root@somehost U=root P=local S=486 T="test"
for "P=local" recipient verification is not documented :( are you
trying to control local processes (and shell accounts etc.) or SMTP
users?
> 2016-08-03 08:07:29 1bUvtQ-0007bm-Vh =>
> someone@??? R=smarthost T=remote_smtp_smarthost
> S=505 H=ses-smtp-prod-335357831.us-east-1.elb.amazonaws.com[50.19.94.229]
> X=TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128
> DN="C=US,ST=Washington,L=Seattle,O=Amazon.com\, Inc.,CN=
> email-smtp.us-east-1.amazonaws.com"
> 2016-08-03 08:07:29 1bUvtQ-0007bm-Vh Completed
> Is it possible for Exim to do outbound verification while using a
> smarthost?
Verification is best done at inbound SMTP time, but yes, that should be
possible.
> If so, what am I missing?
Make a normal NSLOOKUP router, but in the associated SMTP transport
override the route data to send via the smarthost...
you'll probably want all of RFC1918 in ignore_target_hosts.
have the next router fail with a forced permanent error or a forced defer.
(use a rewrite router)
--
This email has not been checked by half-arsed antivirus software
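
The router chain sketched in the reply above, written out as an added Exim configuration example (not part of the original thread and not tested against the poster's setup). The names `outbound_dns_check`, `outbound_no_dns` and `remote_smtp_via_smarthost` are hypothetical; `DCsmarthost` and `+local_domains` are taken from the quoted configuration, and the redirect router stands in for the "rewrite router" the reply mentions.

```exim
# --- routers section: place these instead of the verify_only router,
# --- ahead of (or replacing) the existing smarthost router.

# Resolve the recipient domain in DNS. If no usable host is found
# (NXDOMAIN, or every address is in ignore_target_hosts) the router
# declines and the address falls through to outbound_no_dns.
# A temporary DNS failure makes this router defer on its own.
outbound_dns_check:
  debug_print = "R: outbound_dns_check for $local_part@$domain"
  driver = dnslookup
  domains = ! +local_domains
  # Loopback plus all of RFC 1918, so domains that only resolve to
  # unroutable addresses are treated as having no hosts.
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 10.0.0.0/8 : \
                        172.16.0.0/12 : 192.168.0.0/16
  transport = remote_smtp_via_smarthost

# Only reached when the DNS lookup above found nothing.
# ":defer:" holds the message; swap in ":fail:" for a permanent error.
outbound_no_dns:
  debug_print = "R: outbound_no_dns for $local_part@$domain"
  driver = redirect
  domains = ! +local_domains
  allow_defer
  allow_fail
  data = :defer: recipient domain $domain not found in DNS
  no_more

# --- transports section

# The hosts found by dnslookup are discarded: hosts_override forces
# delivery to the smarthost regardless of what the router looked up.
# Copy any TLS/authentication settings from the existing
# remote_smtp_smarthost transport into this one.
remote_smtp_via_smarthost:
  debug_print = "T: remote_smtp_via_smarthost for $local_part@$domain"
  driver = smtp
  hosts = DCsmarthost
  hosts_override
```

Because both routers also run during verification, a `verify=recipient` condition in the RCPT ACL sees the same DNS result, while mail submitted locally (`P=local`) is only checked when it is routed for delivery.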