NDR strategy
Jan-Peter Koopmann
Jan-Peter.Koopmann at SECEIDOS.DE
Tue Feb 3 12:38:40 GMT 2004
Hi Martin,
> JP
>
> have you got this script and the exim settings? I'd love to
> setup this on our exim system.
Sure. On the DC we use the following VBS script:

    ' File name for exporting data from AD
    Const FILENAME = "whitelist-adresses.txt"
    ' LDAP query to Active Directory, where
    Const LDAPQUERY = "LDAP://yourserver/DC=intern,DC=youractivedirectory,DC=de"

    Dim con, com, rs, fso, f
    Set fso = CreateObject("Scripting.FileSystemObject")
    ' ForReading = 1, ForWriting = 2, ForAppending = 8
    Set f = fso.OpenTextFile(FILENAME, 2, True)
    Set con = CreateObject("ADODB.Connection")
    Set com = CreateObject("ADODB.Command")
    con.Provider = "ADsDSOObject"
    con.Open "Active Directory Provider"
    Set com.ActiveConnection = con
    com.CommandText = "select proxyAddresses from '" & LDAPQUERY & "' where objectClass= 'user' or objectClass='group' order by sn "
    com.Properties("Page Size") = 1000
    Set rs = com.Execute
    ' MoveFirst raises an error on an empty result set, so guard it
    If Not rs.EOF Then rs.MoveFirst
    While Not rs.EOF
        TProxyAddresses = rs.Fields("proxyAddresses")
        If Not IsNull(TProxyAddresses) Then
            TProxyAddressesCount = UBound(TProxyAddresses)
            For i = 0 To TProxyAddressesCount
                ' keep only SMTP entries; strip the "smtp:" prefix and lowercase
                If LCase(Left(TProxyAddresses(i), 4)) = "smtp" Then
                    f.Write LCase(Trim(Mid(TProxyAddresses(i), 6))) & vbLf
                End If
            Next
        End If
        rs.MoveNext
    Wend
    rs.Close
    f.Close
    WScript.Quit

This script is running every 30 minutes. You will have to adjust the
LDAPQUERY to suit your DC structure of course. If whitelist-adresses.txt
differs from the old version we scp it to our exim server in the DMZ.
On that server we check for a new version, convert the .txt into a .map
and then convert that to a cdb. The .txt file has the format
Validemail at yourdomain.com
We simply change that to
validemail at yourdomain.com 1
and then convert this to a cdb using this little script (which we use
for all kinds of cdbs...)
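
    #! /usr/bin/perl
    while(<>) {
        # skip comments
        next if /^\s*#/;
        # skip empty lines
        next if /^\s*$/;
        # remove the trailing newline (chomp leaves a last line without one intact)
        chomp;
        # delete leading whitespace
        s/^\s+//;
        # retrieve key and value from the input line (split at the first colon)
        my ($key, $value) = split(/:\s*/, $_, 2);
        # a line without a colon has no value; emit it with empty data
        $value = '' unless defined $value;
        # emit cdbmake input line
        printf "+%d,%d:%s->%s\n", length($key), length($value), $key, $value;
    }
    # an empty line terminates the cdbmake input
    print "\n";
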
After this all you need to do is run cdbmake and store the cdb to the
location you want it.
In Exim's configure (the incoming one, obviously) we define a domainlist

    domainlist check_rcpt_domains = yourdomain1 : yourdomain2

Only mails for domains in this list will be checked against the
whitelist. In the rcpt_acl you need to put

    accept domains = +check_rcpt_domains
           endpass
           message = user unknown
           recipients = cdb;/usr/local/etc/exim/whitelist-rcpt.cdb

And that's it. Moreover we manually maintain a blacklist for the e-mails
that exist in the company but should not be able to receive mails from
the internet.
I hope this gives you a kick start.
Regards,
JP
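
Added example, not part of the original message and not the poster's own script: a Python sketch of the .txt to cdbmake-input step on the Exim side that validates each exported address and refuses to publish an empty or sharply shrunken list, since a truncated transfer would make the ACL above answer "user unknown" for valid recipients. The address pattern, the 50% threshold, the function names and the sample addresses are assumptions constructed for illustration.

```python
import re

# Conservative address shape (an assumption, not full RFC 5321 syntax).
ADDR_RE = re.compile(r"[a-z0-9._%+'=-]+@([a-z0-9-]+(?:\.[a-z0-9-]+)+)")

# Constructed sample export, one address per line as in whitelist-adresses.txt.
SAMPLE = [
    "alice@example.com\n",
    "Bob.Smith@Example.COM\n",
    "alice@example.com\n",      # duplicate
    "carol@other.example\n",    # domain this server does not check
    "not an address\n",
    "\n",
]

def build_cdbmake_input(lines, allowed_domains, value=b"1"):
    """Return (cdbmake input bytes, accepted keys, rejected lines)."""
    allowed = {d.lower() for d in allowed_domains}
    seen, rejected, records = set(), [], []
    for raw in lines:
        addr = raw.strip().lower()
        if not addr or addr.startswith("#"):
            continue
        m = ADDR_RE.fullmatch(addr)
        if m is None or m.group(1) not in allowed:
            rejected.append(raw.strip())   # keep for logging and review
            continue
        if addr in seen:
            continue
        seen.add(addr)
        key = addr.encode("ascii")
        # cdbmake record: +klen,dlen:key->data (lengths counted in bytes)
        records.append(b"+%d,%d:%s->%s\n" % (len(key), len(value), key, value))
    records.append(b"\n")  # an empty line ends cdbmake input
    return b"".join(records), sorted(seen), rejected

def safe_to_publish(new_count, old_count, max_drop=0.5):
    """Refuse an empty list or one that lost more than max_drop of its entries."""
    if new_count == 0:
        return False
    if old_count == 0:
        return True
    return new_count >= old_count * (1 - max_drop)
```

Feed the returned bytes to cdbmake only when safe_to_publish is true, and log the rejected lines so a malformed export is noticed instead of silently dropping recipients.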