Re: [exim] Sending mail through "proxy based" content filter

Author: Sebastian Nielsen
Date:  
To: Heiko Schlittermann, exim-users
Subject: Re: [exim] Sending mail through "proxy based" content filter
I wonder, won't no_verify on the smarthost router perform the same
thing, e.g. doing verification as it "would deliver" without smarthost,
but still deliver via smarthost?
The only verification I do is to ensure the sender and receiver domain
really exist, and in case of local delivery, that the local user does
exist either as an alias or as a normal user. I don't need any more.
The problem is that if the local user does not exist, or if the
remote domain is non-existent, it should fail before going through the
proxy.

Verify_only would require me to repeat all routers before the smarthost/proxy?

Here is my current config, with the proxy added, except the "begin
authenticators" section (that contains some sensitive info, so I left it
out).
If you wonder about the sentfolder filter, it's simply an unseen
delivery to place a sent mail into the user's "Sent" folder.

exim_path = /usr/sbin/exim4
domainlist local_domains = sebbe.eu:[185.86.107.140]:[46.227.69.210]:[2001:470:dff1:1:10::1]:[2001:470:dff1:1:10::2]:dns1.sebbe.eu:dns2.sebbe.eu
hostlist relay_from_hosts = 192.168.0.0/16
auth_advertise_hosts = 192.168.0.0/16

system_filter = /etc/exim4/sentfolder.filter
system_filter_file_transport = sentfolder

qualify_domain = sebbe.eu
acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
acl_smtp_dkim = acl_check_dkim
allow_domain_literals
host_lookup = *
rfc1413_query_timeout = 0s
prdr_enable = true
local_from_check = false
local_sender_retain = true
untrusted_set_sender = *
ignore_bounce_errors_after = 2d
spool_directory = /var/spool/exim4
smtp_active_hostname = ${lookup{$received_ip_address\_$received_port}lsearch{/etc/exim4/servers}{$value}}
smtp_accept_max_nonmail_hosts = :
smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full
add_environment = <; PATH=/bin:/usr/bin
tls_require_ciphers = SECURE128:-VERS-SSL3.0
tls_advertise_hosts = *
tls_certificate = /etc/exim4/exim.crt
tls_privatekey = /etc/exim4/exim.key
tls_ocsp_file = /etc/exim4/exim.ocsp
tls_on_connect_ports = 465 : 466
log_selector = +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified +tls_peerdn

acl_check_dkim:
      accept
           dkim_status = fail
           add_header = X-DKIM-Signature: fail (address=$sender_address domain=$dkim_cur_signer), signature is bad.
      accept
           dkim_status = invalid
           add_header = X-DKIM-Signature: invalid ($dkim_verify_status); $dkim_verify_reason
      accept
           dkim_status = pass
           add_header = X-DKIM-Signature: pass (address=$sender_address domain=$dkim_cur_signer), signature is good.
      accept
           add_header = X-DKIM-Signature: none
acl_check_mail:
  accept
    hosts = 127.0.0.1
    condition = ${if eq{$received_port}{10026}}
  deny
    message = no HELO given before MAIL command
    condition = ${if def:sender_helo_name {no}{yes}}
  accept
    authenticated = *
    senders = ^$authenticated_id@sebbe\\.eu\$
    hosts = +relay_from_hosts
  deny
    message = You can't spoof the domains this server is authorative for
    sender_domains = ^(.*\\.sebbe|sebbe)\\.eu\$
  deny
    message = Local users must authenticate
    hosts = +relay_from_hosts
  deny
    message = That would create a mail loop
    sender_domains = localhost : ^\\[127.*
  deny
    message = Blacklisted TLD
    sender_domains = ^.*\\.(bid|top|xyz|pro|date|faith|stream|club|host|loan|download)\$
  deny
    message = Sender verification failed
    !verify = sender
  deny
    message = [SPF] $sender_host_address is not allowed to send mail from \
              ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}.  \
              Please see \
              http://www.openspf.org/Why?scope=${if def:sender_address_domain \
              {mfrom}{helo}};identity=${if def:sender_address_domain \
              {$sender_address}{$sender_helo_name}};ip=$sender_host_address
    log_message = SPF check failed. (s=${if def:sender_address_domain {mfrom}{helo}}; d=$sender_address_domain; h=$sender_helo_name; i=$sender_host_address; r=$runrc)
    condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
                   ${quote:$sender_host_address} --identity \
                   ${if def:sender_address_domain \
                       {--scope mfrom  --identity ${quote:$sender_address}}\
                       {--scope helo --identity ${quote:$sender_helo_name}}}}\
                   {no}{${if eq {$runrc}{1}{yes}{${if eq {$runrc}{2}{yes}{no}}}}}}
  defer
    message = Temporary DNS error while checking SPF record.  Try again later.
    condition = ${if eq {$runrc}{5}{yes}{no}}
  warn
    condition = ${if <={$runrc}{6}{yes}{no}}
    add_header = X-SPF-Signature: ${if eq {$runrc}{0}{pass}\
                                 {${if eq {$runrc}{3}{neutral}\
                                  {${if eq {$runrc}{4}{permerror}\
                                   {${if eq {$runrc}{6}{none}{error}}}}}}}\
                                } client-ip=$sender_host_address; \
                                ${if def:sender_address_domain \
                                   {envelope-from=${sender_address}; }{}}\
                                helo=$sender_helo_name
  warn
    log_message = Unexpected error in SPF check.
    condition = ${if >{$runrc}{6}{yes}{no}}
  accept



acl_check_rcpt:
  accept
    hosts = 127.0.0.1
    condition = ${if eq{$received_port}{10026}}
    control = dkim_disable_verify
  deny
    local_parts = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
    message = restricted characters in address
  deny
    message = That would create a mail loop
    domains = localhost : ^\\[127.*
  accept
    authenticated = *
    senders = ^$authenticated_id@sebbe\\.eu\$
    hosts = +relay_from_hosts
    control = submission/sender_retain
    control = dkim_disable_verify
    set acl_m0 = authorizedrelay
  require
    message = relay not permitted
    domains = +local_domains
  deny
    message = Email to SMS facility is restricted to local users
    local_parts = ^\\d\\d+\$
  require
    verify = recipient
  accept


acl_check_data:
  accept
    hosts = 127.0.0.1
    condition = ${if eq{$received_port}{10026}}
  deny
    message = Message headers fail syntax check
    !verify = header_syntax
  deny
    message = No verifiable sender address in message headers
    !verify = header_sender
  deny
    message = Missing MIME From header
    condition = ${if def:h_from:{no}{yes}}
  deny
    message = You can't spoof the MIME From this server is authorative for
    condition = ${if match {$h_from:}{^(?i).*<.*@(.*\\.sebbe|sebbe)\\.eu>\$}{yes}{no}}
    condition = ${if eq {$acl_m0}{authorizedrelay}{no}{yes}}
  deny
    message = Authorized relayed messages MUST have a local MIME From
    condition = ${if match {$h_from:}{^.*<$authenticated_id@sebbe\\.eu>\$}{no}{yes}}
    condition = ${if eq {$acl_m0}{authorizedrelay}{yes}{no}}
  deny
    message = No spam here
    condition = ${if def:h_subject:{yes}{no}}
    condition = ${if match {$h_subject:}{^(?i).*(viagra|levitra|cialis|kamagra|penisole|vpxl)}{yes}{no}}
  accept


begin routers

pmx_smarthost:
debug_print = "R: pmx_smarthost for $local_part@$domain"
cannot_route_message = Unknown user
condition = ${if !eq{$received_port}{10026}}
driver = manualroute
route_list = * 127.0.0.1
transport = remote_pmx_smtp
self = send
no_verify
no_more

dnslookup:
  debug_print = "R: dnslookup for $local_part@$domain"
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  same_domain_copy_routing = yes
  # ignore private rfc1918 and APIPA addresses
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
                        172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
                        255.255.255.255
  no_more


sms_transmit:
driver = accept
domains = +local_domains
local_parts = ^\\d\\d+\$
transport = sms_transport

system_aliases:
debug_print = "R: system_aliases for $local_part@$domain"
driver = redirect
domains = +local_domains
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/aliases}}

local_user:
debug_print = "R: local_user for $local_part@$domain"
driver = accept
domains = +local_domains
check_local_user
transport = mail_spool
cannot_route_message = Unknown user


begin transports

remote_pmx_smtp:
debug_print = "T: remote_pmx_smtp for $local_part@$domain"
driver = smtp
port = 10025
allow_localhost

sms_transport:
debug_print = "T: Sending SMS to $local_part"
driver = pipe
command = /usr/sbin/smsbot $local_part
return_output = true
user = asterisk

mail_spool:
debug_print = "T: appendfile for $local_part@$domain"
driver = appendfile
file = /var/mail/$local_part
delivery_date_add
envelope_to_add
return_path_add
group = mail
mode = 0660
mode_fail_narrower = false
current_directory = /

remote_smtp:
debug_print = "T: remote_smtp for $local_part@$domain"
driver = smtp
helo_data = ${lookup{$sending_ip_address}lsearch{/etc/exim4/helo}{$value}}
dkim_domain = sebbe.eu
dkim_selector = root
dkim_private_key = /etc/exim4/dkim.key
dkim_canon = relaxed

sentfolder:
debug_print = "T: Sentfolder for $local_part@$domain"
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add
group = mail
mode = 0660
mode_fail_narrower = false
current_directory = /

begin retry

*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h


begin rewrite

[begin authenticators section redacted]

2017-11-19 23:14 GMT+01:00 Heiko Schlittermann via Exim-users
<exim-users@???>:
> Hi,
>
> Sebastian Nielsen via Exim-users <exim-users@???> (Do 16 Nov 2017 19:40:41 CET):
>> How I accomplish sending mail through a "Proxy based" content filter?
> …
>>
>
> AMaViS was used as a proxy. Try finding some examples about Exim/Amavis
> integration.
>
> Points to check for are
>
>     - How do I send to myself (localhost) (`self` router option,
>       `allow_localhost` transport option)
>
>     - How can I do recipient verification *before*
>       relaying the message to the proxy (`verify_only` router option)
>
>     - How can I handle the re-injected messages differently
>       ($received_port expansion)
>
>     Best regards from Dresden/Germany
>     Many greetings from Dresden
>     Heiko Schlittermann
> --
>  SCHLITTERMANN.de ---------------------------- internet & unix support -
>  Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
>  gnupg encrypted messages are welcome --------------- key ID: F69376CE -
>  ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>
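The router and transport options named in the thread (verify_only, no_verify, self, allow_localhost, $received_port), put together as an added illustration that is not part of either poster's configuration. It assumes, as in the config above, that the content filter listens on 127.0.0.1:10025 and hands mail back on port 10026; the router and transport names are invented for the example.

```exim
# Added illustration, not the poster's config. Assumes the filter listens
# on 127.0.0.1:10025 and re-injects on port 10026; names are made up.

begin routers

# verify_only routers are used only by "verify = sender/recipient",
# never when routing for delivery. Covering local users this way takes
# two routers; remote domains would need a verify_only copy of
# dnslookup as well (the duplication the question is about).
verify_local:
  driver = accept
  domains = +local_domains
  check_local_user
  verify_only

verify_local_unknown:
  driver = redirect
  domains = +local_domains
  allow_fail
  data = :fail: Unknown user
  verify_only

# The proxy router. no_verify makes verification skip it, so anything
# the verify_only routers do not settle falls through to the normal
# routers below. The condition skips it for the copy the filter hands
# back on port 10026, so that copy is routed normally.
content_filter:
  driver = manualroute
  condition = ${if !eq{$received_port}{10026}}
  route_list = * 127.0.0.1
  transport = content_filter_smtp
  self = send
  no_verify

# The usual dnslookup router goes here; then the local delivery one.
local_user:
  driver = accept
  domains = +local_domains
  check_local_user
  transport = mail_spool
  cannot_route_message = Unknown user

begin transports

# "self = send" needs the smtp transport to allow delivery to this host.
content_filter_smtp:
  driver = smtp
  port = 10025
  allow_localhost
```

With this ordering a RCPT for an unknown local user fails at verification time, before anything is handed to the filter, while a message accepted on port 25 is routed to the filter once and, on its return via port 10026, is routed by the ordinary routers only.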