On 2016-08-03, Jason <[email protected]> wrote:
> Hi,
>   Is it possible for Exim to verify outgoing mail when using a smarthost?
> Specifically, I'm looking to have Exim verify (using dnslookup) that the
> domain exists for the recipient.  If the domain returns NXDOMAIN (or some
> other DNS error), defer it, if DNS exists, continue with the routing.  I
> tried the following:
>
> # Verify the recipient domain exists in DNS before sending to the relay.
> verify_address:
>   debug_print = "R: verify_address for $domain"
>   driver = dnslookup
>   domains = ! +local_domains
>   verify_only
>
> smarthost:
>   debug_print = "R: smarthost for $local_part@$domain"
>   driver = manualroute
>   domains = ! +local_domains
>   transport = remote_smtp_smarthost
>   route_list = * DCsmarthost byname
>   host_find_failed = defer
>   same_domain_copy_routing = yes
>   no_verify
>   no_more
>
> And it seems to work during testing:

if you want it to actually block acceptance of emails you'll need
"verify=recipient" in the SMTP_RCPT ACL

  defer
    !verify=recipient

or if you want to treat NXDOMAIN as a permanent error

   require
     verify=recipient

> However, when sending a test message to an NXDOMAIN, exim happily forwards
> it to the smarthost:
>
> 2016-08-03 08:07:28 1bUvtQ-0007bm-Vh <= root@somehost U=root P=local S=486 
> T="test"

for "P=local" recipient verification is not documented :(  are you
trying to control local processes (and shell accounts etc.) or SMTP 
users?

> 2016-08-03 08:07:29 1bUvtQ-0007bm-Vh =>
> [email protected] R=smarthost T=remote_smtp_smarthost
> S=505 H=ses-smtp-prod-335357831.us-east-1.elb.amazonaws.com[50.19.94.229]
> X=TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128
> DN="C=US,ST=Washington,L=Seattle,O=Amazon.com\, Inc.,CN=
> email-smtp.us-east-1.amazonaws.com"
> 2016-08-03 08:07:29 1bUvtQ-0007bm-Vh Completed

> Is it possible for Exim to do outbound verification while using a
> smarthost?

Verification is best done at inbound SMTP time, but yes, that should be
possible.

> If so, what am I missing?

Make a normal NSLOOKUP router, but in the associated SMTP transport
override the route data to send via the smarthost...
you'll probably want all of RFC1918 in ignore_target_hosts.

have the next router fail with a forced permanent error or a forced defer.
(use a rewrite router)

-- 
This email has not been checked by half-arsed antivirus software 

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
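
The router and transport arrangement suggested in the reply above, written out as an added example; it is not configuration from the list post or from the Exim project. The names dns_check_then_smarthost, no_dns_for_domain and remote_smtp_via_smarthost are hypothetical, and DCsmarthost is the macro from the route_list in the question.

```conf
# Added illustration. Router and transport names here are hypothetical.

# --- routers section (order matters: first match wins) ---

# 1. Look the recipient domain up in DNS. If an MX or address record is
#    found the address is accepted here; the hosts DNS returned are then
#    replaced by the transport's hosts_override below.
dns_check_then_smarthost:
  debug_print = "R: dns_check_then_smarthost for $local_part@$domain"
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp_via_smarthost
  # Hosts resolving into RFC 1918 space are ignored as if absent from DNS.
  ignore_target_hosts = 10.0.0.0/8 : 172.16.0.0/12 : 192.168.0.0/16
  same_domain_copy_routing = yes

# 2. Reached only when the dnslookup router declined, i.e. the domain
#    could not be found in DNS. Forces a defer; for a permanent error
#    use allow_fail and ":fail:" instead.
no_dns_for_domain:
  debug_print = "R: no_dns_for_domain for $local_part@$domain"
  driver = redirect
  domains = ! +local_domains
  allow_defer
  data = :defer: recipient domain $domain not found in DNS
  no_more

# --- transports section ---

# Always deliver to the smarthost, whatever hosts the router attached.
# Carry over any TLS and authentication settings from the existing
# smarthost transport.
remote_smtp_via_smarthost:
  driver = smtp
  hosts = DCsmarthost
  hosts_override
```

Because neither router sets verify_only or no_verify, the same two routers are used when an ACL runs verify=recipient and when the message is actually routed for delivery.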
