326 lines
6.4 KiB
HTML
326 lines
6.4 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
|
|
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>Exempting Forwarded Mail</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
|
|
REL="HOME"
|
|
TITLE="Spam Filtering for Mail Exchangers"
|
|
HREF="index.html"><LINK
|
|
REL="UP"
|
|
TITLE="Exim Implementation"
|
|
HREF="exim.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Accept Bounces Only for Real Users"
|
|
HREF="exim-bounces.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="Final ACLs"
|
|
HREF="exim-final.html"></HEAD
|
|
><BODY
|
|
CLASS="section"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>Spam Filtering for Mail Exchangers: </TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="exim-bounces.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
>Appendix A. Exim Implementation</TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="exim-final.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="section"
|
|
><H1
|
|
CLASS="section"
|
|
><A
|
|
NAME="exim-forward"
|
|
></A
|
|
>A.13. Exempting Forwarded Mail</H1
|
|
><P
|
|
> After adding all these checks in the SMTP transaction, we may
|
|
find ourselves indirectly creating collateral spam as a result
|
|
of rejecting mails forwarded from trusted sources, such as
|
|
mailing lists and mail accounts on other sites (see the
|
|
discussion on <A
|
|
HREF="forwardedmail.html"
|
|
>Forwarded Mail</A
|
|
> for details). We
|
|
now need to whitelist these hosts in order to exempt them from
|
|
SMTP rejections -- at least those rejections that are caused by
|
|
our spam and/or virus filtering.
|
|
</P
|
|
><P
|
|
> In this example, we will consult two files in response to each
|
|
<B
|
|
CLASS="command"
|
|
>RCPT TO:</B
|
|
> command:
|
|
</P
|
|
><P
|
|
></P
|
|
><UL
|
|
><LI
|
|
><P
|
|
> A global whitelist in
|
|
<TT
|
|
CLASS="option"
|
|
>/etc/mail/whitelist-hosts</TT
|
|
>, containing
|
|
backup MX hosts and other whitelisted senders
|
|
<A
|
|
HREF="greylisting.html#FTN.noretrysenders"
|
|
><SPAN
|
|
CLASS="footnote"
|
|
>[1]</SPAN
|
|
></A
|
|
>, and
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> A user-specific list in
|
|
<TT
|
|
CLASS="option"
|
|
>/home/<TT
|
|
CLASS="parameter"
|
|
><I
|
|
>user</I
|
|
></TT
|
|
>/.forwarders</TT
|
|
>,
|
|
specifying hosts from which that particuar user will receive
|
|
forwarded mail (e.g. mailing list servers, outgoing mail
|
|
servers for accounts elsewhere...)
|
|
</P
|
|
></LI
|
|
></UL
|
|
><P
|
|
> If your mail users do not have local user accounts and home
|
|
directories, you may want to modify the file paths and/or lookup
|
|
mechanisms to something more suitable for your system
|
|
(e.g. database lookups or LDAP queries).
|
|
</P
|
|
><P
|
|
> If the sender host is found in one of these whitelists, we save
|
|
the word <SPAN
|
|
CLASS="QUOTE"
|
|
>"accept"</SPAN
|
|
> in <TT
|
|
CLASS="varname"
|
|
>$acl_m0</TT
|
|
>, and
|
|
clear the contents of <TT
|
|
CLASS="varname"
|
|
>$acl_m1</TT
|
|
>, as described in
|
|
the previous section on <A
|
|
HREF="exim-smtpdelays.html#exim-smtpdelays-selective"
|
|
>Selective Delays</A
|
|
>. This will indicate that
|
|
we should not reject the mail in subsequent statements.
|
|
</P
|
|
><P
|
|
> In the <A
|
|
HREF="exim-final.html#acl_rcpt_to_final"
|
|
>acl_rcpt_to</A
|
|
>, we insert the
|
|
following statement after validating the recipient address, but
|
|
before any <TT
|
|
CLASS="option"
|
|
>accept</TT
|
|
> statements pertaining to
|
|
unauthenticated deliveries from remote hosts to local users
|
|
(i.e. before any greylist checks, envelope signature checks,
|
|
etc):
|
|
|
|
<TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> # Accept the mail if the sending host is matched in the global
|
|
# whitelist file. Temporarily set $acl_m9 to point to this file.
|
|
# If the host is found, set a flag in $acl_m0 and clear $acl_m1 to
|
|
# indicate that we should not reject this mail later.
|
|
#
|
|
accept
|
|
set acl_m9 = /etc/mail/whitelist-hosts
|
|
hosts = ${if exists {$acl_m9}{$acl_m9}}
|
|
set acl_m0 = accept
|
|
set acl_m1 =
|
|
|
|
|
|
# Accept the mail if the sending host is matched in the ".forwarders"
|
|
# file in the recipient's home directory. Temporarily set $acl_m9 to
|
|
# point to this file. If the host is found, set a flag in $acl_m0 and
|
|
# clear $acl_m1 to indicate that we should not reject this mail later.
|
|
#
|
|
accept
|
|
domains = +local_domains
|
|
set acl_m9 = /home/${extract{1}{=}{${lc:$local_part}}}/.forwarders
|
|
hosts = ${if exists {$acl_m9}{$acl_m9}}
|
|
set acl_m0 = accept
|
|
set acl_m1 =
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
>
|
|
</P
|
|
><P
|
|
> In various statements in the <A
|
|
HREF="exim-final.html#acl_data_final"
|
|
>acl_data</A
|
|
>
|
|
ACL, we check the contents of <TT
|
|
CLASS="varname"
|
|
>$acl_m0</TT
|
|
> to avoid
|
|
rejecting the mail if this is set as per above. For instance,
|
|
to avoid rejecting mail from whitelisted hosts due to a missing
|
|
RFC2822 header:
|
|
|
|
<TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> deny
|
|
message = Your message does not conform to RFC2822 standard
|
|
log_message = missing header lines
|
|
!hosts = +relay_from_hosts
|
|
!senders = : postmaster@*
|
|
condition = ${if !eq {$acl_m0}{accept}{true}}
|
|
condition = ${if or {{!def:h_Message-ID:}\
|
|
{!def:h_Date:}\
|
|
{!def:h_Subject:}} {true}{false}}
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
>
|
|
</P
|
|
><P
|
|
> The appropriate checks are embedded in the <A
|
|
HREF="exim-final.html"
|
|
>Final ACLs</A
|
|
>, next.
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
SUMMARY="Footer navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="exim-bounces.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
ACCESSKEY="H"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="exim-final.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>Accept Bounces Only for Real Users</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="exim.html"
|
|
ACCESSKEY="U"
|
|
>Up</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>Final ACLs</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |