Edward Kay wrote:

> I want to stop any hosts that I don't explicitly allow from accessing my
> SMTP server.

[...]
> 1. I considered adding deny hosts = !+relay_hosts

This is good.

> at the top of the
> check_recipient ACL (after accept  hosts = : and require verify = sender).
> From what I can see however, this would prevent our authenticated users on
> unknown hosts from using the SMTP server because it would come before:
> [pop-before-SMTP ACL rules]

Fair enough. Can't you put the "deny hosts = !+relay_hosts" after these checks?

A more radical solution which may be overkill for your situation but is good in the general case is to use something like Tony Finch's fantastic "personalities" idea:

http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/doc/talks/2005-02-eximconf/paper.html#3.%20Multiple%20personalities

Here, you have different ACLs for different mailserver "personalities". Personalities can be things like:

- inbound SMTP mailhub (MX)
- submission from end users (MUAs)
- smarthost services for other servers
- delivery personality (for actually delivering to end mailboxes)

In your case you would probably want the first two, the first for deliveries from your scanning servers and the second for end users. You differentiate between the personalities by running Exim on multiple IP addresses, ports or both.

The extra bonus here is that it makes it easier and less messy to do specific things (like turn on submission mode) for specific personalities only. I've used an adapted version to great effect. However it will mean pretty much rewriting your config from scratch. Tony's examples are a great start.

Tim

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
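
A sketch of the two-personality layout discussed in the reply above, split by listening port. This is an added example, not configuration from the post or from Tony Finch's paper; the addresses, domain, port choice and ACL names are assumptions.

```exim
# Constructed example: all addresses, domains and ACL names are placeholders.
hostlist   relay_hosts   = 192.0.2.10 : 192.0.2.11   # the scanning servers (assumed)
domainlist local_domains = example.org               # assumed

# Port 25 serves the scanning servers, port 587 serves end users.
daemon_smtp_ports = 25 : 587

# acl_smtp_rcpt is expanded per connection, so the port the client
# connected to selects which personality's RCPT ACL runs.
acl_smtp_rcpt = ${if eq{$received_port}{587}{acl_rcpt_submission}{acl_rcpt_mx}}

begin acl

# Personality 1: inbound mail, accepted only from the scanning servers.
acl_rcpt_mx:
  accept  hosts   = :
  # Safe to put first here: authenticated users never use this port.
  deny    message = this port only accepts mail from our scanning servers
          hosts   = !+relay_hosts
  require verify  = sender
  accept  domains = +local_domains
  deny    message = relay not permitted

# Personality 2: submission from end users on unknown hosts.
acl_rcpt_submission:
  require verify  = sender
  # The existing pop-before-SMTP rules would go here.
  # Needs authenticators defined in the "begin authenticators" section.
  accept  authenticated = *
          control       = submission
  deny    message = authentication required
```

Because the host restriction lives only in the port 25 ACL, it no longer has to be ordered around the authentication rules, and submission mode is enabled only for authenticated clients on port 587.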
