Re: [exim] Sending mail through "proxy based" content filter

Página superior
Eliminar este mensaje
Responder a este mensaje
Autor: Chris Siebenmann
Fecha:  
A: Sebastian Nielsen
Cc: exim-users, cks
Asunto: Re: [exim] Sending mail through "proxy based" content filter
> How I accomplish sending mail through a "Proxy based" content filter?
> I have only found configuration examples on how to route remote mail
> to a "smarthost", but ALL mail should be routed through the Proxy
> provided the mail is acceptable (either acceptable for relaying, or
> acceptable for local delivery)
>
> What I want to do, is to have a mail host, where all mail, regardless
> of if they are local-local, local-remote or remote-local, should be
> delivered to 127.0.0.1:10025 Before that, any SPF or DKIM should be
> verified, since the Proxy modifies mail, and any DKIM signatures will
> get bougus of that.


In general, you will want multiple routers. Very early on, perhaps
as your first router, set one that forces all email that didn't arrive
over the special return port off to the proxy, which will look something
like this.

    pmx_smarthost:
      debug_print = "R: pmx_smarthost for $local_part@$domain"
      cannot_route_message = Unknown user
      condition = ${if !eq{$received_port}{10026}}
      driver = manualroute
      route_list = * PMX_PROXY_IP
      transport = remote_pmx_smtp


Then a transport for it:
    remote_pmx_smtp:
      debug_print = "T: remote_pmx_smtp for $local_part@$domain"
      driver = smtp
      port = 10025


HOWEVER, this router design is incomplete as I've presented it,
because you'll need to take steps to somehow stop being an open
relay. In general you're going to need a collection of conditions on
$received_port so you can tell external email (which you should not
relay) from email that comes back from the proxy and email that was
generated on the machine (or from localhost).

(In general you're going to end up treating your routers as a little
programming language that is mostly 'if's.)

For SPF and DKIM verification, you'll want to make the ACL statement(s)
that do this be conditional on $received_port being 25 and perhaps on
the source IP not being localhost.

    - cks