Re: [exim] Bounce router based on both sender and recipient

Author: Mike Brudenell
Date:  
To: Exim Users
Subject: Re: [exim] Bounce router based on both sender and recipient
Hi, Jarle -

Because Exim is very flexible there are usually many ways of achieving the
same effect. I'll leave it to others to comment on whether your idea of
using a router for this is "bad", but to me it seems overly complex and
"less good" :-) As a general rule of thumb I think of

- ACLs as determining *whether* something (a connection, a sender
address, a recipient address, some particular content, etc) should be
accepted, rejected, or deferred to be tried again later;
- Routers as usually determining *how* to handle the message (implement
forwarding, expand aliases, deliver to a local mailbox, transmit over SMTP,
etc)
- Transports to do the nitty gritty of the actual delivery,
transmission, etc

(Others may dispute some aspects of that mental model, but as a general
rule of thumb it works for me.)

When I think through your router I confess it makes me brain ache slightly
with its effective double-negatives about accepting and rejecting:

1. The sender address and recipient addresses have been accepted by your
ACLs, suggesting you're happy with the message, and
2. This router accepts and handles the recipient of the message if the
sender address is in ses-senders, the recipient domain is non-local and the
recipient address is listed in ses-suppress, but
3. When the router decides to handle the recipient's copy its only
possible action is to reject it. (Brain aches then explodes.)

I confess that the way my mind works I see it as simpler and more logical
to:

1. Use an ACL to impose a *deny* policy when the sender and current
recipient address meet your criteria. (This rejects that one recipient
address, leaving any others to continue to be tested and be accepted as
appropriate.) This leaves you to…
2. Use a router that then focuses on how to actually route the message
to each of the (remaining, accepted) recipients.

So I'd write it more along the lines of this in my *acl_smtp_rcpt* ACL (at
which point the MAIL FROM sender address is already known and is available
for testing, and each recipient address is being presented/considered in
turn):

deny message    = Address is known to bounce. We cannot attempt to send to this address. (Local suppression list)
     senders    = lsearch;/etc/exim4/ses-senders
     ! domains  = +local_domains
     recipients = lsearch;/etc/exim4/ses-suppress


This is much simpler to code, and therefore less confusing/error-prone now
and when revisiting it in the future. It can also do its work very early on
in the ACLs phase without needing to fire up routers. Indeed, depending on
whether you use *verify* in your ACLs it could make the difference between
rejecting the recipient at SMTP time and accepting the message into your
queues only to later reject it, possibly causing backscatter.

Some notes/observations:

- When all of its conditions are met this ACL statement will deny the
recipient currently being considered, returning a 5xx SMTP response. That'll
tell the sending server this recipient has been rejected but it can carry
on supplying other recipient addresses (if any).
- Using the *recipients* condition to test the full recipient address is
easier than the somewhat convoluted *condition* condition.
- As you're searching for the *full* recipient address in the
ses-suppress file I'm not convinced as to the benefit of first using
*domains* to check that the domain of the recipient address isn't in
*local_domains*. (I'm assuming, possibly incorrectly, that you don't
list local_domain addresses in your ses-suppress file. If you do then yes,
you'd want the *domains* condition for my version to match yours.)

But if you've got your version working and are happy with it then that's
the main thing.

Cheers,
Mike B-)

On 23 January 2018 at 17:49, Jarle Hammen Knudsen via Exim-users <
exim-users@???> wrote:

> Hi, Mike!
>
> In my original mail I mistakenly referred to the same file twice.
> Correction:
>
> What I am trying to do is define a router which bounces the message if
> both these conditions are true:
>
>     1. sender is listed in /etc/exim4/ses-senders
>     2. recipient is listed in /etc/exim4/ses-suppress

>
> I do want per recipient filtering on this. Only recipients listed in
> ses-suppress should be bounced. Messages with multiple recipients should be
> delivered to the other recipients.
>
> The reasoning behind looking at a router to do this was because it was a
> router I wanted to restrict.
>
> Anyway, this seems to do the trick:
>
>    send_via_ses_block:
>       driver = redirect
>       debug_print = "R: send_via_ses_block"
>       domains = ! +local_domains
>       senders = lsearch;/etc/exim4/ses-senders
>       condition = ${lookup {$local_part@$domain} lsearch {/etc/exim4/ses-suppress} {1} {0}}
>       allow_fail
>       data = :fail: Address is known to bounce. We cannot attempt to send to this address. (Local suppression list)

>
> Is it a bad idea to use a router for this? The server is very low volume.
>
> All the best,
> Jarle



--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
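
The per-recipient behaviour of the `deny` statement in the reply above can be checked against sample data before it goes into a live configuration. The following is an added illustration, not code from the thread or from Exim: a simplified model of lsearch key matching (first token of a line, ended by a colon or white space, compared case-insensitively; quoted keys are not handled) combined with the three conditions of the ACL statement. The file contents, addresses, local domain and function names are constructed for the example.

```python
# Added illustration: simplified model of the acl_smtp_rcpt "deny" statement.
# File contents, addresses and the local domain are constructed sample data.
SES_SENDERS = """\
# senders relayed via SES (constructed)
news@example.org
Alerts@Example.org: text after the colon is data, not key
"""
SES_SUPPRESS = """\
# addresses known to bounce (constructed)
dead.user@remote.example
old@remote.example
   a line starting with white space continues the previous entry
"""
LOCAL_DOMAINS = {"example.org"}  # stands in for +local_domains


def lsearch_keys(text):
    """Keys of an lsearch-style file: first token of each entry, lower-cased."""
    keys = set()
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or line[0].isspace():
            continue  # blank line, comment, or continuation line
        token = line.split(":", 1)[0].split()  # key ends at colon or white space
        if token:
            keys.add(token[0].lower())
    return keys


def denied_recipients(mail_from, rcpts):
    """Map each RCPT TO address to True if the deny statement would match."""
    senders = lsearch_keys(SES_SENDERS)
    suppress = lsearch_keys(SES_SUPPRESS)
    result = {}
    for rcpt in rcpts:  # the RCPT ACL is evaluated once per recipient
        domain = rcpt.rsplit("@", 1)[1].lower()
        result[rcpt] = (
            mail_from.lower() in senders        # senders = lsearch;...
            and domain not in LOCAL_DOMAINS     # ! domains = +local_domains
            and rcpt.lower() in suppress        # recipients = lsearch;...
        )
    return result


if __name__ == "__main__":
    for rcpt, deny in denied_recipients(
        "news@example.org",
        ["dead.user@remote.example", "friend@remote.example", "staff@example.org"],
    ).items():
        print(rcpt, "-> 5xx rejected" if deny else "-> passed to later ACL statements")
```

Only the suppressed remote address is rejected; the other recipients of the same message continue through the remaining ACL statements, which is the per-recipient outcome asked for in the quoted message.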