OT: Exim - Using ACLs to verify RCPT TO
Desai, Jason
jase at SENSIS.COM
Fri Jan 2 21:10:00 GMT 2004
I'm still using exim 3, but I've been able to get exim to use ldap to look up
and verify local users on an exchange server. Here's what I do:
* in exim.conf, make sure receiver_verify = true is set
* In all of the router definitions which deliver mail locally, set up a
condition something like this:
condition = ${lookup ldap {ldap://YOUR_LDAPSERVER/ou=YOUR_OU,o=YOUR_ORG?rdn?sub?(rfc822Mailbox=$local_part@$domain)}{1}{0}}
It appears that Exchange email addresses can be in either rfc822Mailbox or
otherMailbox, so I actually duplicated all of my local router definitions,
and changed the condition to this:
condition = ${lookup ldap {ldap://YOUR_LDAPSERVER/ou=YOUR_OU,o=YOUR_ORG?rdn?sub?(otherMailbox=smtp%24$local_part@$domain)}{1}{0}}
Now that I think about it, I suppose I could have ORed the two conditions
together. The thinking is if there is no router to be used for a recipient,
then the sender will get an smtp error.
Anyways, I am by no means an ldap expert, and I reserve the right to be
doing something really dumb here. I only got this setup to work by trial
and error, not because I know what I'm doing. :-) Hope it helps you out.
Jason
> -----Original Message-----
> From: ISP List [mailto:isp-list at TULSACONNECT.COM]
> Sent: Tuesday, December 30, 2003 11:54 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: [MAILSCANNER] Exim - Using ACLs to verify RCPT TO
>
>
> We're running MailScanner on several load-balanced inbound SMTP / MX
> handling machines running exim 4.x as the MTA. These machines do a MySQL
> lookup to verify the "allowed relay" domains for each message, and then we
> use a SMTP "smart route" to send all scanned mail to the final destination
> mail server (which is also determined by a SQL lookup).
>
> The problem with this approach is that we cannot generate "550 user
> unknown" errors during the SMTP negotiation phase because the MailScanner
> boxes don't have any local accounts, so they don't know if the address
> exists or not. This results in the "accept and bounce" behavior for
> non-existent mailboxes, which then results in a *large* number of bounce
> messages being sent to hotmail, yahoo, msn and others due to spammers
> forging the From: address (which then results in them tarpitting our SMTP
> connections).
>
> So, what I would like exim to do is to be able to do an LDAP or SQL lookup
> during the SMTP negotiation phase (following the RCPT TO) to determine if
> the recipient address is valid or not. Based on my research, using exim
> 4.x's ACL facility seems to be the best approach, but I'm a little unclear
> on the proper syntax as the manual does not give any examples.
>
> Any pointers would be much appreciated.
>
> ---------------------------------------
> Mike Bacher / mike at sparklogic.com
> SparkLogic Development / ISP Consulting
> Use OptiGold ISP? Check out OptiSkin!
> http://www.sparklogic.com/optiskin/
> ---------------------------------------
>
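As an added example (not Jason's or Mike's configuration), here is the same idea written for the exim 4.x ACL setup Mike asked about: the MySQL relay-domain check in the RCPT ACL, then `verify = recipient` driving a single router whose LDAP condition ORs the two Exchange attributes as Jason suggested. Host names, the relay_domains table and YOUR_OU/YOUR_ORG are placeholders; the local part and domain are passed through quote_ldap so a crafted RCPT TO cannot rewrite the filter.

```exim
# --- main section ---
domainlist relay_to_domains = mysql;SELECT domain FROM relay_domains \
                              WHERE domain='${quote_mysql:$domain}'
hide mysql_servers = db.example.internal/mail/eximuser/PASSWORD_PLACEHOLDER
# Two directory servers; ldap:/// below (no host) uses this list.
ldap_default_servers = ldap1.example.internal:ldap2.example.internal
acl_smtp_rcpt = acl_check_rcpt

begin acl
acl_check_rcpt:
  # Refuse anything we are not an MX for, before doing any directory work.
  deny    message = relay not permitted
          !domains = +relay_to_domains
  # Run the routers in verify mode at RCPT time; an unroutable address is
  # rejected with 550 here instead of being accepted and bounced later.
  require verify = recipient
  accept

begin routers
verified_relay:
  driver     = manualroute
  domains    = +relay_to_domains
  # Match either Exchange attribute in one filter. %24 is a URL-escaped "$"
  # (Exchange stores "smtp$user@domain" in otherMailbox) and keeps exim from
  # expanding it; quote_ldap escapes ( ) * \ in the untrusted local part.
  condition  = ${lookup ldap{ldap:///ou=YOUR_OU,o=YOUR_ORG?rdn?sub?\
               (|(rfc822Mailbox=${quote_ldap:$local_part}@${quote_ldap:$domain})\
               (otherMailbox=smtp%24${quote_ldap:$local_part}@${quote_ldap:$domain}))}\
               {yes}{no}}
  route_list = * exchange.example.internal
  transport  = remote_smtp
  # Condition false (no directory entry): fail the address rather than let a
  # later router accept it. A directory outage defers (451), not accepts.
  no_more
```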