Suppose you want to reject certain emails based on some aspect of their content at SMTP time, but some of your users object to this policy. Ideally, you want to let the emails through to just those users, but in general this isn't possible. A message may come with multiple RCPT TO recipients, some of whom want to receive it and some of whom don't. You can only reject individual recipients (as opposed to the whole message) at RCPT TO time, not after the DATA is received, yet until DATA you don't know whether the content is nasty or not.

One possible option is to only reject the email if *every* recipient has agreed to the content filtering. Here's one way of doing this in Exim 4:

You need to add things to two different ACLs: the one used on RCPT TO, and the one used on DATA. The general idea is that we use a variable that gets reset for each message. If we get a RCPT TO for someone who wants the check turned off, we set the variable to "no" (it doesn't actually matter what value we pick). Finally, in DATA, whether the variable is set or not decides whether the check is applied.

In the RCPT TO ACL, add the following at the top:

  # Mark the message as exempt if any recipient has opted out of the check
  warn    recipients = iwantviruses@yourdomain:ialsowantviruses@yourdomain
          set acl_m0 = no

Finally, in the DATA ACL, add the following before any accept lines (this check obviously isn't a serious one; it's just an example):

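  # The first condition is true only while acl_m0 is unset (no recipient opted out);
  # the second is true when the message carries the X-NastyEvilVirus header
  deny    condition = ${if def:acl_m0{no}{yes}}
          condition = ${if def:header_x-nastyevilvirus:{yes}{no}}
          message = nasty evil virus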

If you have several different checks you want to perform, then repeat this lot using a new ACL variable. You have from $acl_m0 to $acl_m9 to play with.
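
The following is an added example, not part of the original page and not Exim code: a small Python model of the two ACL stages, showing which messages end up rejected when recipients are mixed. It goes one step beyond the single check above by running two independent checks, each with its own variable; the second check (acl_m1, iwantspam@yourdomain, X-NastyEvilSpam), the address alice@yourdomain and all function names are assumptions made for illustration.

```python
# Added model of the ACL logic above; not Exim code.
# The acl_m1 check, its address and its header are hypothetical.
CHECKS = {
    "acl_m0": {
        "opt_out": {"iwantviruses@yourdomain", "ialsowantviruses@yourdomain"},
        "header": "x-nastyevilvirus",
        "message": "nasty evil virus",
    },
    "acl_m1": {
        "opt_out": {"iwantspam@yourdomain"},
        "header": "x-nastyevilspam",
        "message": "nasty evil spam",
    },
}


def rcpt_acl(acl_vars, recipient):
    """RCPT TO stage: an opted-out recipient defines that check's variable."""
    for var, check in CHECKS.items():
        if recipient in check["opt_out"]:
            acl_vars[var] = "no"  # only definedness matters, not the value


def data_acl(acl_vars, header_names):
    """DATA stage: deny when the variable is unset and the header is present."""
    present = {name.lower() for name in header_names}
    for var, check in CHECKS.items():
        if var not in acl_vars and check["header"] in present:
            return ("deny", check["message"])
    return ("accept", None)


def handle_message(recipients, header_names):
    """Run one message through both stages with fresh per-message variables."""
    acl_vars = {}
    for recipient in recipients:
        rcpt_acl(acl_vars, recipient)
    return data_acl(acl_vars, header_names)


if __name__ == "__main__":
    # Constructed sample messages: (recipients, header names present).
    samples = [
        (["alice@yourdomain"], ["Subject", "X-NastyEvilVirus"]),
        (["alice@yourdomain", "iwantviruses@yourdomain"], ["X-NastyEvilVirus"]),
        (["iwantviruses@yourdomain"], ["X-NastyEvilSpam"]),
    ]
    for rcpts, headers in samples:
        print(rcpts, headers, "->", handle_message(rcpts, headers))
```

The second sample shows the cost of the approach: one opted-out recipient lets the message through to every recipient of that message, including those who agreed to the filtering.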


TheEarthWiki: EximIntersectionACLs (last edited 2008-02-19 15:39:16 by localhost)