Marc Sherman wrote:

Yeah, I thought of that, but I'm having trouble figuring out where to put it. It needs to go before the first use of check_local_user, but after 400_exim4-config_system_aliases, so that system users (such as root) aliased to normal users continue to work. However, 300_exim4-config_real_local uses check_local_user.


It seems to me that 300_exim4-config_real_local should be moved to 550 (or perhaps move the contents directly into 600_exim4-config_userforward, at the start of the file). The real-* addresses only exist to serve the syntax-errors-to setting in the userforward router, so that seems like the right thing to do to me. It means that real-* won't work for addresses aliased in the system aliases file, but IMO that's a _good_ thing. For example, I don't want [EMAIL PROTECTED] getting delivered to /var/lib/clamav/Maildir/, under any circumstances.

Hi Marc. So, I've tried out what I described above, and it seems to be working for me. If you're interested in putting it in the debian package, here's what I've done:


1) moved 300_exim4-config_real_local to 590_ -- I'd recommend putting it right inside the 600 file, if you do this in the package, but I left it as a separate file for ease of diffing if the 300_ file changes in a future version

One thing I'm still pondering: should the real-* router be restricted to local senders only? I'm not sure I want external senders being able to disable the use of my filters.

2) Added the following router:

[EMAIL PROTECTED]:/etc/exim4/conf.d/router# more 450_local_reject_system_uids
# MSS: This router prevents local delivery to UIDs outside the normal
# user range (1000-29999 inclusive).  Ideally, if used in the debian
# package, this router would get those values from /etc/adduser.conf,
# but for my local config, manually testing the magic numbers is
# acceptable.
#
# All local_part_prefixes and _suffixes used at the site should be
# allowed optionally in this router, to ensure that they can't be
# used to skirt this router's check

reject_system_uids:
  driver = redirect
  domains = +local_domains
  local_part_prefix = real-
  local_part_prefix_optional = true
  check_local_user
  condition = ${if or{{<{$local_user_uid}{1000}}{>{$local_user_uid}{29999}}}}
  allow_fail
  data = :fail: System account $local_part does not accept email
  no_more


Please let me know if you can see any obvious problems with this scheme.

Thanks,
- Marc
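
Added example, not part of the original post or of the Debian exim4 package: a small audit helper that models the reject_system_uids router above, to check which accounts it would refuse before deploying it. It takes the UID bounds from FIRST_UID/LAST_UID in adduser.conf, as the router's comment suggests, and assumes the address is already in +local_domains; the sample passwd and adduser.conf text, the function names and the "fail"/"skipped" labels are constructed for illustration.

```python
import re

# Constructed sample inputs for illustration (not from the original post).
ADDUSER_CONF = """\
FIRST_SYSTEM_UID=100
LAST_SYSTEM_UID=999
FIRST_UID=1000
LAST_UID=29999
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
clamav:x:108:113::/var/lib/clamav:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

def uid_range(conf_text, default=(1000, 29999)):
    """Read FIRST_UID/LAST_UID from adduser.conf text; default to the post's numbers."""
    found = {}
    for line in conf_text.splitlines():
        m = re.match(r'\s*(FIRST_UID|LAST_UID)\s*=\s*"?(\d+)"?\s*(?:#.*)?$', line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found.get("FIRST_UID", default[0]), found.get("LAST_UID", default[1])

def router_decision(local_part, passwd_text, first, last, prefix="real-"):
    """Model reject_system_uids for a local-domain address: 'fail' or 'skipped'."""
    # local_part_prefix = real- with local_part_prefix_optional: strip it if present,
    # so real-root is judged exactly like root.
    name = local_part[len(prefix):] if local_part.startswith(prefix) else local_part
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) >= 3 and fields[0] == name:
            uid = int(fields[2])
            # Same test as the router's condition: outside [first, last] -> :fail:
            return "fail" if uid < first or uid > last else "skipped"
    # check_local_user did not match: the router is skipped, later routers run.
    return "skipped"

def audit(passwd_text, conf_text):
    """List the accounts that the router would refuse mail for."""
    first, last = uid_range(conf_text)
    names = [e.split(":")[0] for e in passwd_text.splitlines() if e.count(":") >= 2]
    return [n for n in names if router_decision(n, passwd_text, first, last) == "fail"]

if __name__ == "__main__":
    print(audit(PASSWD, ADDUSER_CONF))
```

Accounts such as nobody (UID 65534) fall above the upper bound and are refused as well, so any role account that should keep receiving mail directly needs an alias handled by an earlier router.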

