Pkg exim4 users - Sep 2005 - ACL to verify recipients based on alias file for multiple domains

Hi list,

I maintain an email gateway running exim4 on Debian Sarge. It is
configured with an alias file for each domain it accepts mail for.

The alias files are used to forward incoming emails to the correct
mailserver as the exim4 server does not handle any accounts, it only
routes and does an intial virus and spam check.

Currently when exim4 receives an email it forwards it to amavisd-new
which checks it for virusses and spam. After this is completed the
recipient is looked up in the alias files.

95% of all the spam and virusses we receive are addressed to users which
don''t exist (in the alias files). So I would like to create an ACL
which
checks if the recipient addressed in an incoming mail actually exists in
the alias file of the domain addressed before it gets forwarded to
amavisd-new.

I''ve read the documentation on ACLs at exim.org, but am not quite sure
how I would accomplish this.

I presume that the code needs to be placed in the file
/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt, as that seems to be
the ACL for incoming RCPT headers, but I have no idea how to verify the
recipients based on the alias files. I tried playing around with the
lookup code used in the router section[1], but that didn''t work.

Could someone help out with this configuration?

PS. Please CC me as I''m not on this list

Regards,

Bas Couwenberg

References:

[1]
At present the alias files per domain are handled by the following
router section:

bas@asgard:~$ cat /etc/exim4/conf.d/router/350_exim4-config_vdom_aliases
vdom_aliases:
        driver = redirect
        allow_defer
        allow_fail
        domains = dsearch;/etc/mail/virtual
        data
${expand:${lookup{$local_part}lsearch*@{/etc/mail/virtual/$domain}}}
        retry_use_local_part
        pipe_transport = address_pipe
        file_transport = address_file
        no_more

Hello Bas,

Bas Couwenberg, 06.09.2005 (d.m.y):
> I maintain an email gateway running exim4 on Debian Sarge. It is
> configured with an alias file for each domain it accepts mail for.
> 
> The alias files are used to forward incoming emails to the correct
> mailserver as the exim4 server does not handle any accounts, it only
> routes and does an intial virus and spam check.
> 
> Currently when exim4 receives an email it forwards it to amavisd-new
> which checks it for virusses and spam. After this is completed the
> recipient is looked up in the alias files.
Why don''t you do it the other way around? From my pomt of view there
is no need to scan an email for spam and/or viri without knowing  that
it is addressed to _valid_ users "living" on your systems.
> 95% of all the spam and virusses we receive are addressed to users which
> don''t exist (in the alias files).
That''s what I mean.
> So I would like to create an ACL which
> checks if the recipient addressed in an incoming mail actually exists in
> the alias file of the domain addressed before it gets forwarded to
> amavisd-new.
u 
> I''ve read the documentation on ACLs at exim.org, but am not quite
sure
> how I would accomplish this.
> 
> I presume that the code needs to be placed in the file
> /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt, as that seems to be
> the ACL for incoming RCPT headers, but I have no idea how to verify the
> recipients based on the alias files. I tried playing around with the
> lookup code used in the router section[1], but that didn''t work.
> 
> Could someone help out with this configuration?

Take a look at how exim does lookups in "normal" alias files:
(From the system_aliases router:)
  data = ${lookup{$local_part}lsearch{/etc/aliases}}

Placing a corresponding entry in your check_rcpt acl should do the
job.

hth,
Christian 

-- 
Untergangspropheten, die vom Pessimismus leben - und gar nicht
schlecht - empfinden jede Art von Zuversicht zwangsl?ufig als
Existenzbedrohung.
		-- Bob Hope
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url :
http://lists.alioth.debian.org/pipermail/pkg-exim4-users/attachments/20050907/99fc347e/attachment.pgp

I''ve tried the suggested solutions.

None really did the trick. Unfortunately a few new projects were put on
my table so the mailserver has gotten a lower priority.

I''ll play around with some configuration on my private systems when I
find the time.

Thanks for the help so far.

Regards,

Bas Couwenberg

Bas Couwenberg <bas@itd.net> wrote:
>
>I maintain an email gateway running exim4 on Debian Sarge. It is
>configured with an alias file for each domain it accepts mail for.
>The alias files are used to forward incoming emails to the correct
>mailserver as the exim4 server does not handle any accounts, it only
>routes and does an intial virus and spam check.
>
>I would like to create an ACL which checks if the recipient addressed
>in an incoming mail actually exists in the alias file of the domain
>addressed before it gets forwarded to amavisd-new.
All you need is:
	require verify = recipient

Your routers define which addresses are valid.

Tony.
-- 
f.a.n.finch  <dot@dotat.at>  http://dotat.at/
LYME REGIS TO LANDS END INCLUDING THE ISLES OF SCILLY: SOUTHWEST 4 OR 5
INCREASING 6 OR 7, PERHAPS GALE 8 FOR A TIME, THEN DECREASING WEST OR
SOUTHWEST 5 OR 6. FAIR THEN RAIN, SHOWERS LATER. GOOD, BECOMING MODERATE,
PERHAPS POOR FOR A TIME. MODERATE BECOMING ROUGH OR VERY ROUGH.

On Mon, Sep 26, 2005 at 02:43:08PM +0100, Tony Finch
wrote:
> Bas Couwenberg <bas@itd.net> wrote:
> >I maintain an email gateway running exim4 on Debian Sarge. It is
> >configured with an alias file for each domain it accepts mail for.
> >The alias files are used to forward incoming emails to the correct
> >mailserver as the exim4 server does not handle any accounts, it only
> >routes and does an intial virus and spam check.
> >
> >I would like to create an ACL which checks if the recipient addressed
> >in an incoming mail actually exists in the alias file of the domain
> >addressed before it gets forwarded to amavisd-new.
> 
> All you need is:
> 	require verify = recipient
This is the default in Debian''s exim4:
  # Accept if the address is in a local domain, but only if the recipient can
  # be verified. Otherwise deny. The "endpass" line is the border
between
  # passing on to the next ACL statement (if tests above it fail) or denying
  # access (if tests below it fail).
  #
  accept
    domains = +local_domains
    endpass
    message = unknown user
    verify = recipient

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don''t trust Computers. They | Mailadresse
im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835