I wonder, won't no_verify on the smarthost router perform the same
thing, e.g. doing verification as it "would deliver" without the smarthost,
but still deliver via the smarthost?

The only verification I do is to ensure the sender and receiver domain
really exist, and in case of local delivery, that the local user does
exist either as an alias or as a normal user. I don't need any more.

The problem is that if the local user does not exist, or if the
remote domain is non-existent, it should fail before going through the
proxy.

Verify_only would require me to repeat all routers before the smarthost/proxy?

Here is my current config, with the proxy added, except the "begin
authenticators" section (that contains some sensitive info so I left it
out).
If you wonder about the sentfolder filter, it's simply an unseen
delivery to place a sent mail into the user's "Sent" folder.

exim_path = /usr/sbin/exim4
domainlist local_domains = sebbe.eu:[185.86.107.140]:[46.227.69.210]:[2001:470:dff1:1:10::1]:[2001:470:dff1:1:10::2]:dns1.sebbe.eu:dns2.sebbe.eu
hostlist relay_from_hosts = 192.168.0.0/16
auth_advertise_hosts = 192.168.0.0/16
system_filter = /etc/exim4/sentfolder.filter
system_filter_file_transport = sentfolder
qualify_domain = sebbe.eu
acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
acl_smtp_dkim = acl_check_dkim
allow_domain_literals
host_lookup = *
rfc1413_query_timeout = 0s
prdr_enable = true
local_from_check = false
local_sender_retain = true
untrusted_set_sender = *
ignore_bounce_errors_after = 2d
spool_directory = /var/spool/exim4
smtp_active_hostname = ${lookup{$received_ip_address\_$received_port}lsearch{/etc/exim4/servers}{$value}}
smtp_accept_max_nonmail_hosts = :
smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full
add_environment = <; PATH=/bin:/usr/bin
tls_require_ciphers = SECURE128:-VERS-SSL3.0
tls_advertise_hosts = *
tls_certificate = /etc/exim4/exim.crt
tls_privatekey = /etc/exim4/exim.key
tls_ocsp_file = /etc/exim4/exim.ocsp
tls_on_connect_ports = 465 : 466
log_selector = +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified +tls_peerdn
acl_check_dkim:
accept
dkim_status = fail
add_header = X-DKIM-Signature: fail (address=$sender_address domain=$dkim_cur_signer), signature is bad.
accept
dkim_status = invalid
add_header = X-DKIM-Signature: invalid ($dkim_verify_status); $dkim_verify_reason
accept
dkim_status = pass
add_header = X-DKIM-Signature: pass (address=$sender_address domain=$dkim_cur_signer), signature is good.
accept
add_header = X-DKIM-Signature: none
acl_check_mail:
accept
hosts = 127.0.0.1
condition = ${if eq{$received_port}{10026}}
deny
message = no HELO given before MAIL command
condition = ${if def:sender_helo_name {no}{yes}}
accept
authenticated = *
senders = ^$authenticated_id@sebbe\\.eu\$
hosts = +relay_from_hosts
deny
message = You can't spoof the domains this server is authorative for
sender_domains = ^(.*\\.sebbe|sebbe)\\.eu\$
deny
message = Local users must authenticate
hosts = +relay_from_hosts
deny
message = That would create a mail loop
sender_domains = localhost : ^\\[127.*
deny
message = Blacklisted TLD
sender_domains = ^.*\\.(bid|top|xyz|pro|date|faith|stream|club|host|loan|download)\$
deny
message = Sender verification failed
!verify = sender
deny
message = [SPF] $sender_host_address is not allowed to send mail from \
${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
Please see \
http://www.openspf.org/Why?scope=${if def:sender_address_domain \
{mfrom}{helo}};identity=${if def:sender_address_domain \
{$sender_address}{$sender_helo_name}};ip=$sender_host_address
log_message = SPF check failed. (s=${if def:sender_address_domain {mfrom}{helo}}; d=$sender_address_domain; h=$sender_helo_name; i=$sender_host_address; r=$runrc)
condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
${quote:$sender_host_address} --identity \
${if def:sender_address_domain \
{--scope mfrom --identity ${quote:$sender_address}}\
{--scope helo --identity ${quote:$sender_helo_name}}}}\
{no}{${if eq {$runrc}{1}{yes}{${if eq {$runrc}{2}{yes}{no}}}}}}
defer
message = Temporary DNS error while checking SPF record. Try again later.
condition = ${if eq {$runrc}{5}{yes}{no}}
warn
condition = ${if <={$runrc}{6}{yes}{no}}
add_header = X-SPF-Signature: ${if eq {$runrc}{0}{pass}\
{${if eq {$runrc}{3}{neutral}\
{${if eq {$runrc}{4}{permerror}\
{${if eq {$runrc}{6}{none}{error}}}}}}}\
} client-ip=$sender_host_address; \
${if def:sender_address_domain \
{envelope-from=${sender_address}; }{}}\
helo=$sender_helo_name
warn
log_message = Unexpected error in SPF check.
condition = ${if >{$runrc}{6}{yes}{no}}
accept
acl_check_rcpt:
accept
hosts = 127.0.0.1
condition = ${if eq{$received_port}{10026}}
control = dkim_disable_verify
deny
local_parts = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
message = restricted characters in address
deny
message = That would create a mail loop
domains = localhost : ^\\[127.*
accept
authenticated = *
senders = ^$authenticated_id@sebbe\\.eu\$
hosts = +relay_from_hosts
control = submission/sender_retain
control = dkim_disable_verify
set acl_m0 = authorizedrelay
require
message = relay not permitted
domains = +local_domains
deny
message = Email to SMS facility is restricted to local users
local_parts = ^\\d\\d+\$
require
verify = recipient
accept
acl_check_data:
accept
hosts = 127.0.0.1
condition = ${if eq{$received_port}{10026}}
deny
message = Message headers fail syntax check
!verify = header_syntax
deny
message = No verifiable sender address in message headers
!verify = header_sender
deny
message = Missing MIME From header
condition = ${if def:h_from:{no}{yes}}
deny
message = You can't spoof the MIME From this server is authorative for
condition = ${if match {$h_from:}{^(?i).*<.*@(.*\\.sebbe|sebbe)\\.eu>\$}{yes}{no}}
condition = ${if eq {$acl_m0}{authorizedrelay}{no}{yes}}
deny
message = Authorized relayed messages MUST have a local MIME From
condition = ${if match {$h_from:}{^.*<$authenticated_id@sebbe\\.eu>\$}{no}{yes}}
condition = ${if eq {$acl_m0}{authorizedrelay}{yes}{no}}
deny
message = No spam here
condition = ${if def:h_subject:{yes}{no}}
condition = ${if match {$h_subject:}{^(?i).*(viagra|levitra|cialis|kamagra|penisole|vpxl)}{yes}{no}}
accept
begin routers
pmx_smarthost:
debug_print = "R: pmx_smarthost for $local_part@$domain"
cannot_route_message = Unknown user
condition = ${if !eq{$received_port}{10026}}
driver = manualroute
route_list = * 127.0.0.1
transport = remote_pmx_smtp
self = send
no_verify
no_more
dnslookup:
debug_print = "R: dnslookup for $local_part@$domain"
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
same_domain_copy_routing = yes
# ignore private rfc1918 and APIPA addresses
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
255.255.255.255
no_more
sms_transmit:
driver = accept
domains = +local_domains
local_parts = ^\\d\\d+\$
transport = sms_transport
system_aliases:
debug_print = "R: system_aliases for $local_part@$domain"
driver = redirect
domains = +local_domains
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/aliases}}
local_user:
debug_print = "R: local_user for $local_part@$domain"
driver = accept
domains = +local_domains
check_local_user
transport = mail_spool
cannot_route_message = Unknown user
begin transports
remote_pmx_smtp:
debug_print = "T: remote_pmx_smtp for $local_part@$domain"
driver = smtp
port = 10025
allow_localhost
sms_transport:
debug_print = "T: Sending SMS to $local_part"
driver = pipe
command = /usr/sbin/smsbot $local_part
return_output = true
user = asterisk
mail_spool:
debug_print = "T: appendfile for $local_part@$domain"
driver = appendfile
file = /var/mail/$local_part
delivery_date_add
envelope_to_add
return_path_add
group = mail
mode = 0660
mode_fail_narrower = false
current_directory = /
remote_smtp:
debug_print = "T: remote_smtp for $local_part@$domain"
driver = smtp
helo_data = ${lookup{$sending_ip_address}lsearch{/etc/exim4/helo}{$value}}
dkim_domain = sebbe.eu
dkim_selector = root
dkim_private_key = /etc/exim4/dkim.key
dkim_canon = relaxed
sentfolder:
debug_print = "T: Sentfolder for $local_part@$domain"
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add
group = mail
mode = 0660
mode_fail_narrower = false
current_directory = /
begin retry
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
begin rewrite
[begin authenticators section redacted]
2017-11-19 23:14 GMT+01:00 Heiko Schlittermann via Exim-users
<exim-users@???>:
> Hi,
>
> Sebastian Nielsen via Exim-users <exim-users@???> (Do 16 Nov 2017 19:40:41 CET):
>> How do I accomplish sending mail through a "Proxy based" content filter?
> …
>>
>
> AMaViS was used as a proxy. Try finding some examples about Exim/Amavis
> integration.
>
> Points to check for are
>
> - How do I send to myself (localhost) (`self` router option,
> `allow_localhost` transport option)
>
> - How can I do recipient verification *before*
> relaying the message to the proxy (`verify_only` router option)
>
> - How can I handle the re-injected messages differently
> ($received_port expansion)
>
> Best regards from Dresden/Germany
> Viele Grüße aus Dresden
> Heiko Schlittermann
> --
> SCHLITTERMANN.de ---------------------------- internet & unix support -
> Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
> gnupg encrypted messages are welcome --------------- key ID: F69376CE -
> ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
>
>
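
The router-skipping behaviour the question turns on, as an added example that is not part of the original post and not Exim code: a simplified Python model of Exim's `verify` / `verify_only` router preconditions applied to the posted router chain (`sms_transmit` is omitted and alias redirection is reduced to a lookup). The user, alias and resolvable-domain sets are constructed sample data.

```python
# Simplified model of Exim router preconditions; not Exim's own code.
from dataclasses import dataclass
from typing import Callable, Optional

LOCAL_DOMAINS = {"sebbe.eu"}            # from the posted local_domains
LOCAL_USERS = {"sebastian"}             # constructed sample data
ALIASES = {"postmaster": "sebastian"}   # constructed sample data
RESOLVABLE = {"example.org"}            # constructed stand-in for DNS


@dataclass
class Router:
    name: str
    precond: Callable[[str, str, int], bool]   # domains / condition options
    accepts: Callable[[str, str], bool]        # does the driver take the address?
    verify: bool = True         # no_verify sets this to False
    verify_only: bool = False   # the option from the quoted reply
    more: bool = True           # no_more sets this to False


ROUTERS = [
    Router("pmx_smarthost", lambda lp, d, port: port != 10026,
           lambda lp, d: True, verify=False, more=False),
    Router("dnslookup", lambda lp, d, port: d not in LOCAL_DOMAINS,
           lambda lp, d: d in RESOLVABLE, more=False),
    Router("system_aliases", lambda lp, d, port: d in LOCAL_DOMAINS,
           lambda lp, d: lp in ALIASES),
    Router("local_user", lambda lp, d, port: d in LOCAL_DOMAINS,
           lambda lp, d: lp in LOCAL_USERS),
]


def route(address: str, verifying: bool, port: int = 25) -> Optional[str]:
    """Return the name of the router that accepts, or None if unroutable."""
    local_part, domain = address.rsplit("@", 1)
    for r in ROUTERS:
        # verify / verify_only are preconditions: a router skipped here
        # always passes the address on, and its no_more is not consulted.
        if verifying and not r.verify:
            continue
        if not verifying and r.verify_only:
            continue
        if not r.precond(local_part, domain, port):
            continue
        if r.accepts(local_part, domain):
            return r.name
        if not r.more:
            return None
    return None
```

In this model `verify = recipient` never reaches `pmx_smarthost`, so an unknown local user or unresolvable domain is rejected before the proxy, while delivery on any port other than 10026 still goes to the proxy.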