  1. #1
    Member
    Join Date
    May 2009
    Posts
    6

    Exim ACL for Postini

    Hi,

    We are currently migrating to cPanel and consequently Exim. We use Postini for mail filtering services, and only want to allow incoming mail from Postini. We could have firewalled off port 25 when we turned on Postini, but this would have caused a large headache for our users who are still using port 25 for SMTP authentication.

    Our solution is to have Exim check the following criteria at time of the RCPT command:
    • Is the IP in relay_hosts?
    • Is the IP in our new custom table, postini_hosts?
    • Is this host/user authenticated?
    If the host does not meet any of the above criteria, the RCPT command is rejected with the following message: "relay not permitted, authentication required."

    Here's how to accomplish this through WHM.
    Go to WHM -> Service Configuration -> Exim Configuration Editor -> Advanced Editor.
    Paste in the below changes and click Save.

    Note: I open these kinds of files in an external editor, so it's easiest for me to post my changes to the default exim.conf in universal diff format so there's no room for error/confusion.

    Code:
    --- exim.conf.local.orig      2009-07-31 16:00:24.000000000 -0400
    +++ exim.conf.local   2009-07-31 16:39:11.000000000 -0400
    @@ -9,6 +9,7 @@
     # DO NOT ALTER THIS BLOCK
     ########################################################################################
     
    +
     acl_mail:
     
     # ignore authenticated hosts
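    Review bot: the only change in this hunk is a blank line added before acl_mail:, which has nothing to do with the Postini restriction. Drop it so the patch touches only the lines it needs and is easier to re-apply after a cPanel update regenerates the template.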
    @@ -35,6 +36,9 @@
     [% ACL_NOTQUIT_BLOCK %]
     
     
    +# lookup table for postini hosts
    +postini_hosts = lsearch;/etc/postini_hosts
    +
     #!!# ACL that is used after the RCPT command
     check_recipient:
       # Exim 3 had no checking on -bs messages, so for compatibility
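    Review bot: the added `postini_hosts = lsearch;/etc/postini_hosts` sits inside the ACL section (after [% ACL_NOTQUIT_BLOCK %], before check_recipient:) and has no `hostlist` keyword, so Exim parses it as an ACL line instead of a list definition. The later `+postini_hosts` reference needs a named list, declared as `hostlist postini_hosts = ...` in the main configuration section next to the other host lists. Because the table is described as holding IP addresses, use an address-keyed lookup such as `net-iplsearch;/etc/postini_hosts`; a bare `lsearch` in a host list is keyed on the host name.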
    @@ -78,9 +82,17 @@
        deny  hosts = ! +senderverifybypass_hosts
             ! verify = sender/callout=60s
     
    -  accept  hosts = *
    +  #accept  hosts = *
    +  #        authenticated = *
    +
    +# to restrict port 25 to Postini and authenticated users only
    +  accept  hosts = +auth_relay_hosts : +relay_hosts : +postini_hosts
    +          condition = ${if eq {$interface_port}{25} {yes}{no}}
    +          endpass
    +          message = relay not permitted, authentication required
               authenticated = *
     
    +
       #if they poped before smtp we just accept
       accept  condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/relayhosts}{1}{${if eq{$sender_host_address}{127.0.0.1}{1}{0}}}}
               add_header = ${if exists{/etc/eximpopbeforesmtpwarning}{${perl{popbeforesmtpwarn}{$sender_host_address}}{}}
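    Review bot: the new accept statement is inverted relative to the stated goal. With `hosts = ...` and `condition = ...` placed before `endpass` and `authenticated = *` after it, a host that IS in one of the lists on port 25 is denied unless it authenticates, while an unlisted host fails the `hosts` test and simply falls through to the following statements. To reject only senders that are neither listed nor authenticated, express it as a deny with negated tests, for example `deny condition = ${if eq{$interface_port}{25}}`, `! hosts = +relay_hosts : +postini_hosts`, `! authenticated = *`, keeping the existing `message =` line. The two commented-out lines can also be removed once the replacement is in place.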
    That's it. Please let me know if you have any questions.
    Last edited by michael.a; 08-11-2009 at 07:38 AM.
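The three RCPT-time checks listed in the post, modelled next to Exim's accept/endpass evaluation order so the expected outcomes can be tabulated before testing the real ACL. This is an added example, not code from the thread. The table contents are constructed documentation ranges, `auth_relay_hosts` is left out because its contents are not shown, and all function names are hypothetical.

```python
import ipaddress

REJECT = "relay not permitted, authentication required"

# Constructed sample table contents (documentation ranges, not real Postini ranges).
RELAY_HOSTS = ["127.0.0.1"]
POSTINI_HOSTS = ["192.0.2.0/24", "198.51.100.16/28"]

def in_table(ip, table):
    """True if ip falls inside any address or CIDR block listed in table."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in table)

def stated_policy(ip, authenticated, port=25):
    """The three checks from the post, applied at RCPT time on port 25."""
    if port != 25:
        return ("pass", None)            # rule does not apply to other ports
    if in_table(ip, RELAY_HOSTS) or in_table(ip, POSTINI_HOSTS) or authenticated:
        return ("accept", None)
    return ("deny", REJECT)

def accept_endpass(ip, authenticated, port=25):
    """Exim 'accept ... endpass ...': a failure before endpass passes control to
    the next ACL statement; a failure after endpass makes the ACL deny."""
    listed = in_table(ip, RELAY_HOSTS) or in_table(ip, POSTINI_HOSTS)
    if not (listed and port == 25):      # hosts = / condition = (before endpass)
        return ("pass", None)
    if authenticated:                    # authenticated = * (after endpass)
        return ("accept", None)
    return ("deny", REJECT)

def compare(cases):
    """Return the cases on which the two evaluations disagree."""
    return [c for c in cases if stated_policy(*c) != accept_endpass(*c)]

# Constructed test matrix: (sender IP, authenticated?, local port)
CASES = [
    ("192.0.2.10", False, 25),   # filtering-service host, no SMTP AUTH
    ("203.0.113.5", False, 25),  # unlisted host, no SMTP AUTH
    ("203.0.113.5", True, 25),   # unlisted host, SMTP AUTH
    ("203.0.113.5", True, 587),  # a port the rule does not cover
]

if __name__ == "__main__":
    for case in CASES:
        print(case, stated_policy(*case), accept_endpass(*case))
```

Each row of the matrix can then be replayed against the live configuration with Exim's fake-SMTP test mode (`exim -bh <ip>`).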

  2. #2
    Member
    Join Date
    May 2007
    Posts
    114


    Thanks for sharing this.

    So, what this ACL does is to ensure that mail comes only from Postini server IPs for those using the service while not blocking email for other users who aren't using it?

  3. #3
    Member
    Join Date
    May 2009
    Posts
    6


    Quote (originally posted by meeven):
    Thanks for sharing this.

    So, what this ACL does is to ensure that mail comes only from Postini server IPs for those using the service while not blocking email for other users who aren't using it?

    Actually, no. Like firewalling off port 25, this is an all or nothing solution. It shouldn't be too hard to modify this for per domain allowance, but since our organization doesn't have a need for this right now, I probably won't make that modification any time soon.

  4. #4
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025


    A couple of weeks ago, I wrote a filter similar to this for a client except that it allows for an individual site enable / disable using a filter whitelist. Those clients who use Postini only allow mail from Postini alone and those who don't use Postini, don't get filtered and accept all mail or use other processes. It also did similar for a few other mail filter services as well.

    This allows you to have both clients who use Postini and clients who do not use Postini on the same server side by side without any negative impact to one another.

    Unfortunately, the client was undecided on the implementation and hasn't contacted me back yet about getting the script installed on their server. However, I still have the code I wrote and it might be useful if anyone else has a similar need.
    Last edited by Spiral; 08-08-2009 at 03:12 PM.

  5. #5
    Member
    Join Date
    May 2009
    Posts
    6


    That sounds great. Would you consider posting the code here? I'm sure a lot of folks would appreciate it.

    FWIW, I spent 15 or 20 minutes last night playing around with Exim ACLs trying to do the same thing. I ended up with a rule that basically worked, but gave a local configuration error on denial instead of displaying the desired rejection error message.

    If you would rather not share your code (understandable), I may spend a little more time on it to see if I can get it to work just to do it.

    Thanks!

    Michael A.

  6. #6
    Registered User
    Join Date
    May 2009
    Location
    East Texas
    Posts
    2

    Re: Exim ACL for Postini

    Exim is not liking the "postini_hosts"

    Code:
    Error message from syntax check:
    2010-12-03 06:23:47 Exim configuration error in line 378 of /etc/exim.conf.buildtest.work.k02tYyrAR6Pzl6go:
      error in ACL: unknown ACL condition/modifier in "postini_hosts = lsearch;/etc/postini_hosts"
    
    Failed to save new settings.
    
    Restoring previous configuration.
    Where am I going wrong?
