Exim smart relay + verification?

[beddo]

Hi there,
I've been using exim smart relays with these for a while:

Code:

static_route:
 driver = manualroute
 transport = remote_smtp_smart
 route_data = ${lookup{$domain}lsearch{/etc/staticroutes}}

remote_smtp_smart:
  driver = smtp
  port = 25
  hosts = ${lookup{$domain}lsearch{/etc/staticroutes}}
  hosts_override

This works wonderfully for a lot of our clients and cuts the spam load massively with the spam setup we have. The only limitation that is fairly obvious with this setup is that exim will accept mail for accounts that don't exist on the destination server and it will sit in the queue until it expires.

Then I got to thinking. The Cpanel/exim implementation supports sender verification callouts for incoming mail. Surely there must be some way to adapt a similar feature and have exim do a lookup on the destination server before accepting the mail.

I'm going to have a look and see if I can figure anything out myself but I have no idea where this would even start so if anyone has any pointers or has tried in the past I'd like to know what you came up with or what stopped you.

Cheers.

[beddo]

After many hours banging my head against a brick wall (not helped by a malfunctioning Exchange server used for testing) I have solved this myself.

The solution is to look for the following section in the check_recipient ACL:

Code:

#recipient verifications are required for all messages that are not sent to the local machine
                        #this was done at multiple users requests
                        require verify = recipient

After it, put in the following:

Code:

  warn
    condition = ${if eq {1}{${lookup{$domain}lsearch{/etc/staticroutes}{1}{0}}}}
    add_header = X_Staticroutes: TRUE
    require verify = recipient/callout=use_sender

Looks so simple. I don't think you actually need the add_header line but that won't cause any problems. I recommend this for everyone who is using staticroutes as it stops those rejected dictionary attacks from clogging up the mail queues. (Make sure you thoroughly test it out first though and don't blame me if anything goes wrong - it works for me!).

[gstevens]

Just wondering if anyone has tested beddo's method? Any performance problems?

I am debating between using this, or a static file which specifies which users to forward for as described at smart router with verification

Thanks!

[beddo]

I can't speak for anyone else but this has worked wonders for me. If you manage one or two remote servers then maintaining your own userfile should be manageable but I can't even begin to think of how complicated it would for us.

We have 58 domains set up using staticroutes. Previously at any one time I would have between 300 and 600 mails sat in the exim queue because they couldn't be delivered to the destination and they couldn't go back to a fake from address. That doesn't include the ones that did go back to fake from addresses.

Since implementing the change, I've yet to see more than 10 messages in the queue when I log on.

To give you an idea of the mail load on my server, my mainlog files contain an average of 135,269 lines over the past 30 days with a minimum of 77,979 (Weekend) and a maximum of 171,920.

I've looked at a few particular messages that would have gone through the verification process. They are all delivered either with the exact same timestamp or have 1 second difference. I don't appear to be experiencing any performance hits at all with this setup.