Bug#400790: exim4-config: Reject mail to system users from non-local sources

Marc Haber mh+debian-packages at zugschlus.de
Wed Jun 6 13:36:44 UTC 2007


tags #400790 confirmed
thanks

On Tue, Dec 12, 2006 at 09:29:37AM +0100, Marc Haber wrote:
> On Mon, Dec 11, 2006 at 10:18:32PM +0000, Dominic Hargreaves wrote:
> >  Also assuming that you will leave locally-submitted mail deliverable
> >  always, too.
> 
> That'll probably be a challenge and will make configuration ugly.
> 
> > Possibly a better file name is needed; "aliases" implies that it might
> > be a file containing alias expansions, whereas really it is just a list
> > of local parts. "/etc/low-uid-addresses" maybe.
> 
> I'd like to have it as an alias file, with right hand parts. So, if
> you want a real local delivery to happen, just alias an account to
> itself. But I have not really thought about that yet.

Here is what I currently have:

### router/250_exim4-config_lowuid
#################################

.ifndef FIRST_USER_UID
FIRST_USER_UID = 0
.endif

COND_SYSTEM_USER_AND_REMOTE_SUBMITTER = "\
               ${if and{{! match_ip{$sender_host_address}{:@[]}}\
                        {<{$local_user_uid}{FIRST_USER_UID}}}\
                    {1}{0}\
               }"

lowuid_aliases:
  debug_print = "R: lowuid_aliases for $local_part@$domain (UID $local_user_uid)"
  check_local_user
  driver = redirect
  allow_fail
  domains = +local_domains
  condition = COND_SYSTEM_USER_AND_REMOTE_SUBMITTER
  data = "${if exists{/etc/exim4/lowuid-aliases}\
             {${lookup{$local_part}lsearch{/etc/exim4/lowuid-aliases}}}\
             fail}"
  redirect_router = lowuid_target

lowuid_reject:
  debug_print = "R: lowuid_reject for $local_part@$domain (UID $local_user_uid)"
  check_local_user
  driver = redirect
  allow_fail
  domains = +local_domains
  condition = COND_SYSTEM_USER_AND_REMOTE_SUBMITTER
  data = ":fail: no mail to system accounts"

lowuid_target:
  condition = 0
  driver = redirect
  data = ":fail:"

To enable, one just needs to set FIRST_USER_UID to any non-zero value.

I am not quite happy with this solution as the need for three routers
is somewhat ugly, but I'll commit it this way in case upstream
exim-users does not come up with a more elegant solution.

I'd like to hear your comments.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
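
An added example (not part of the original message, and not code from exim4-config): a simplified Python model of how the three routers quoted above decide, useful for seeing which accounts a given FIRST_USER_UID would cut off from remote mail. The function names, the sample accounts and the list of local interface addresses are assumptions made for illustration.

```python
import re

# Constructed sample data (not from the original message).
SAMPLE_UIDS = {"root": 0, "www-data": 33, "backup": 34, "alice": 1000}
SAMPLE_ALIASES = "# local_part: target\nroot: root\nbackup alice\n"
REJECT_TEXT = "no mail to system accounts"  # text of lowuid_reject's :fail:

def is_local_submitter(sender_host_address, local_interface_ips):
    # match_ip list ":@[]": the empty item matches an empty
    # $sender_host_address (non-SMTP submission), @[] a local interface IP.
    return sender_host_address == "" or sender_host_address in local_interface_ips

def parse_lsearch(text):
    # Minimal lsearch reader: key ended by colon or whitespace, '#' comments,
    # first match wins. Continuation lines and quoted keys are not handled.
    table = {}
    for line in text.splitlines():
        m = re.match(r"([^\s:#]+)\s*:?\s*(.*)$", line.strip())
        if m:
            table.setdefault(m.group(1), m.group(2).strip())
    return table

def route(local_part, sender_host_address, passwd_uids, first_user_uid,
          aliases_text=None, local_interface_ips=("127.0.0.1", "::1")):
    """Return ("continue", None), ("redirect", target) or ("fail", text)."""
    # check_local_user: the lowuid routers only apply to real accounts.
    if local_part not in passwd_uids:
        return ("continue", None)
    # COND_SYSTEM_USER_AND_REMOTE_SUBMITTER: remote sender AND uid below limit.
    remote = not is_local_submitter(sender_host_address, local_interface_ips)
    if not (remote and passwd_uids[local_part] < first_user_uid):
        return ("continue", None)
    # lowuid_aliases: a missing file (aliases_text is None) or a missing key
    # makes the router decline, so lowuid_reject is tried next.
    if aliases_text is not None:
        target = parse_lsearch(aliases_text).get(local_part, "")
        if target:
            # redirect_router = lowuid_target: the generated address starts
            # after the lowuid routers, so a self-alias is not rejected again.
            return ("redirect", target)
    # lowuid_reject
    return ("fail", REJECT_TEXT)

if __name__ == "__main__":
    for lp in SAMPLE_UIDS:
        print(lp, route(lp, "192.0.2.10", SAMPLE_UIDS, 1000, SAMPLE_ALIASES))
```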
