Re: [exim] Exim as transparent Rewrite Gateway

Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: Re: [exim] Exim as transparent Rewrite Gateway
Hi Dennis,

Be warned: header rewriting may be like opening Pandora's box, especially
if the messages you massage are already DKIM signed.

Dennis Weber <dennis.weber@???> (Sa 22 Apr 2017 23:01:26 CEST):
> Hi Community,
>
> I am currently working on a project for a transparent Rewrite Gateway which shall mask two independent Exchange Organizations behind a third domain. First I tried to solve this task by using a Postfix server, but Postfix was not able to rewrite the "From" and "To" the way the gateway is a completely independent black box, because incoming mail got a rewritten "To" field, but the mail was still delivered with the new domain suffix of which the internal mail server doesn't know anything.


Header rewriting doesn't imply any impact on the routing, as the
headers are not relevant for SMTP mail routing. I'm not sure if you
need any other component of Postfix to change the mail routing, not only
the headers. I'm not a Postfix expert at all…


> Till now I was not able to solve my issues with Postfix and I hope that Exim will be a better choice for my project. Can you tell me if it is possible to solve my issues with Exim to create a real rewrite gateway? If it is not possible, do you have some more information for me on why it can't be done?
>
> My Gateway shall:
>
> * Relay domains @internal1.com and @internal2.com to extern as @newcorp.com


Yes, it's possible.
You can rewrite any address header and even the SMTP MAIL FROM (return path). This can be
done by simple replacement logic, by lookups (flat files, database,
directory service), by using the optionally embedded Perl interpreter or
by external programs.

> * Rewrite incoming mails from @newcorp.com to @internal1.com or @internal2.com


It's first a matter of routing (redirect) and then, if you really need
to, a matter of header rewriting. Same options as above.

> * Transport mails to both internal organizations


I do not see the challenge here.

> * Exclude S/MIME encrypted and/or signed mails from rewriting


Why? Signatures/Encryption (S/MIME, PGP/MIME) shouldn't care about
rewritten headers. DKIM does. But, anyway, if it comes to header
rewriting, it *should* be possible to do it conditionally on detected
Content-Type headers (not sure here, because I do not know the exact
processing stage where the header rewriting takes place. If the DATA ACL
is run before rewriting takes place, you can make rewriting conditional
on the content of the message headers).

> * Besides regular mail the gateway also needs to rewrite meeting requests and other types of mails coming from and to an Exchange server


This reads like content modification. In theory it's possible via
transport filters (or even in the DATA ACL, while this isn't officially
supported, as the ACLs are designed for *evaluating*, not for message mangling).

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
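
To illustrate the DKIM warning in the message above, here is an added example (not part of the original message and not Exim code): it computes the two SHA-256 values a DKIM signature covers under relaxed canonicalization (RFC 6376) for a constructed message, before and after a gateway-style From: rewrite. The sample message, the `h=` list and the selector `sel1` are assumptions.

```python
import base64
import hashlib
import re
from email import message_from_string

# Constructed sample message; domains are the placeholders used in the thread.
RAW = (
    "From: Alice <alice@internal1.com>\r\n"
    "To: bob@example.org\r\n"
    "Subject: Quarterly   report\r\n"
    "\r\n"
    "Hello Bob,\r\nsee attachment.\r\n\r\n"
)
SIGNED = ["from", "to", "subject"]  # assumed h= list chosen by the signer

def relaxed_header(name, value):
    """RFC 6376 3.4.2: lowercase the name, unfold, collapse whitespace."""
    value = re.sub(r"\r?\n", "", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"

def relaxed_body(body):
    """RFC 6376 3.4.4: trim line ends, collapse whitespace, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip() for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)

def dkim_digests(raw):
    """Return (bh, header_digest): the body hash and the digest that gets signed."""
    head, _, body = raw.partition("\r\n\r\n")
    msg = message_from_string(head + "\r\n\r\n")
    bh = base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()
    data = "".join(relaxed_header(h, msg[h]) for h in SIGNED)
    # The DKIM-Signature header itself (b= left empty) is hashed last, without CRLF.
    data += ("dkim-signature:v=1; a=rsa-sha256; c=relaxed/relaxed; d=internal1.com; "
             f"s=sel1; h={':'.join(SIGNED)}; bh={bh}; b=")
    return bh, hashlib.sha256(data.encode()).hexdigest()

def rewrite_from(raw, old, new):
    """Gateway-style rewrite of the From: header only; the body is untouched."""
    head, sep, body = raw.partition("\r\n\r\n")
    head = re.sub(r"(?im)^(From:.*)" + re.escape(old), r"\g<1>" + new, head)
    return head + sep + body

if __name__ == "__main__":
    before = dkim_digests(RAW)
    after = dkim_digests(rewrite_from(RAW, "internal1.com", "newcorp.com"))
    print("body hash unchanged:  ", before[0] == after[0])
    print("signed digest changed:", before[1] != after[1])
```

The body hash survives the rewrite, but the digest over the signed headers does not, so a verifier downstream of the gateway would reject the original signature unless the gateway re-signs the message.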