1

есть Centos 7, стоит extap по умолчанию для exim, мне нужно отправлять почту с моего сервера только на домены test.com и site.com, остальная часть почты с моего сервера должна быть заблокирована

exim config:

SPAMASSASSIN = yes
SPAM_SCORE = 50
CLAMD =  yes
add_environment = <; PATH=/bin:/usr/bin
keep_environment =
disable_ipv6=true
domainlist local_domains = dsearch;/etc/exim/domains/
domainlist relay_to_domains = dsearch;/etc/exim/domains/
hostlist relay_from_hosts = 127.0.0.1
hostlist whitelist = net-iplsearch;/etc/exim/white-blocks.conf
hostlist spammers = net-iplsearch;/etc/exim/spam-blocks.conf
no_local_from_check   
untrusted_set_sender = *
acl_smtp_connect = acl_check_spammers
acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
acl_smtp_mime = acl_check_mime
.ifdef SPAMASSASSIN   
spamd_address = 127.0.0.1 783
.endif
.ifdef CLAMD
av_scanner = clamd: /var/run/clamav/clamd.sock
.endif
tls_advertise_hosts = *
tls_certificate = /usr/local/vesta/ssl/certificate.crt
tls_privatekey = /usr/local/vesta/ssl/certificate.key
daemon_smtp_ports = 25 : 465 : 587 : 2525
tls_on_connect_ports = 465
never_users = root
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 5s
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_FILE = /etc/exim/domains/${lc:${domain:$h_from:}}/dkim.pem
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}
begin acl
acl_check_spammers:   
  accept  hosts         = +whitelist
  drop    message       = Your host in blacklist on this server.
          log_message   = Host in blacklist
          hosts         = +spammers
  accept
acl_check_mail:
  deny    condition     = ${if eq{$sender_helo_name}{}}
          message       = HELO required before MAIL
  drop    message       = Helo name contains a ip address (HELO was $sender_helo_name) and not is valid
          condition     = ${if match{$sender_helo_name}{\N((\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3})|([0-9a-f]{8})|([0-9A-F]{8}))\N}{yes}{no}}
          condition     = ${if match {${lookup dnsdb{>: defer_never,ptr=$sender_host_address}}\}{$sender_helo_name}{no}{yes}}
          delay         = 45s
  drop    condition     = ${if isip{$sender_helo_name}}
          message       = Access denied - Invalid HELO name (See RFC2821 4.1.3)
  drop    condition     = ${if eq{[$interface_address]}{$sender_helo_name}}
          message       = $interface_address is _my_ address
  accept
acl_check_rcpt:
  accept  hosts         = :
  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|]
  deny    message       = Restricted characters in address
          domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
  require verify        = sender
  accept  hosts         = +relay_from_hosts
          control       = submission
  accept  authenticated = *
          control       = submission/domain=
  deny    message       = Rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
          hosts         = !+whitelist
          dnslists      = ${readfile {/etc/exim/dnsbl.conf}{:}}
  require message       = relay not permitted
          domains       = +local_domains : +relay_to_domains
  deny    message       = smtp auth requried
         sender_domains = +local_domains
         !authenticated = *
  require verify        = recipient
.ifdef CLAMD
  warn    set acl_m0    = no
  warn    condition     = ${if exists {/etc/exim/domains/$domain/antivirus}{yes}{no}}
          set acl_m0    = yes
.endif
.ifdef SPAMASSASSIN   
  warn    set acl_m1    = no
  warn    condition     = ${if exists {/etc/exim/domains/$domain/antispam}{yes}{no}}
          set acl_m1    = yes
.endif
  accept
acl_check_data:
.ifdef CLAMD
  deny   message        = Message contains a virus ($malware_name) and has been rejected
         malware        = *
         condition      = ${if eq{$acl_m0}{yes}{yes}{no}}
.endif
.ifdef SPAMASSASSIN   
  warn   !authenticated = *
         hosts          = !+relay_from_hosts
         condition      = ${if < {$message_size}{100K}}
         condition      = ${if eq{$acl_m1}{yes}{yes}{no}}
         spam           = spamd:true/defer_ok
         add_header     = X-Spam-Score: $spam_score_int
         add_header     = X-Spam-Bar: $spam_bar
         add_header     = X-Spam-Report: $spam_report
         set acl_m2     = $spam_score_int
  warn   condition      = ${if !eq{$acl_m2}{} {yes}{no}}
         condition      = ${if >{$acl_m2}{SPAM_SCORE} {yes}{no}}
         add_header     = X-Spam-Status: Yes
         message        = SpamAssassin detected spam (from $sender_address to $recipients).
.endif
  accept
acl_check_mime:
  deny   message        = Blacklisted file extension detected
         condition      = ${if match {${lc:$mime_filename}}{\N(\.ade|\.adp|\.bat|\.chm|\.cmd|\.com|\.cpl|\.exe|\.hta|\.ins|\.isp|\.jse|\.lib|\.lnk|\.mde|\.msc|\.msp|\.mst|\.pif|\.scr|\.sct|\.shb|\.sys|\.vb|\.vbe|\.vbs|\.vxd|\.wsc|\.wsf|\.wsh)$\N}{1}{0}}
  accept
begin authenticators  
dovecot_plain:
  driver = dovecot
  public_name = PLAIN 
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
dovecot_login:
  driver = dovecot
  public_name = LOGIN 
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
begin routers
dnslookup:
  driver = dnslookup  
  domains = *
  transport = remote_smtp
  no_more
userforward:
  driver = redirect   
  check_local_user
  file = $home/.forward
  allow_filter
  no_verify
  no_expn
  check_ancestor
  file_transport = address_file
  pipe_transport = address_pipe
  reply_transport = address_reply
procmail:
  driver = accept
  check_local_user
  require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail
  transport = procmail
  no_verify
autoreplay:
  driver = accept
  require_files = /etc/exim/domains/$domain/autoreply.${local_part}.msg
  condition = ${if exists{/etc/exim/domains/$domain/autoreply.${local_part}.msg}{yes}{no}}
  retry_use_local_part
  transport = userautoreply
  unseen
aliases:
  driver = redirect   
  headers_add = X-redirected: yes
  data = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim/domains/$domain/aliases}}}}
  require_files = /etc/exim/domains/$domain/aliases
  redirect_router = dnslookup
  pipe_transport = address_pipe
  unseen
localuser_fwd_only:   
  driver = accept
  transport = devnull 
  condition = ${if exists{/etc/exim/domains/$domain/fwd_only}{${lookup{$local_part}lsearch{/etc/exim/domains/$domain/fwd_only}{true}{false}}}}
localuser_spam:
  driver = accept
  transport = local_spam_delivery
  condition = ${if eq {${if match{$h_X-Spam-Status:}{\N^Yes\N}{yes}{no}}} {${lookup{$local_part}lsearch{/etc/exim/domains/$domain/passwd}{yes}{no_such_user}}}}
localuser:
  driver = accept
  transport = local_delivery
  condition = ${lookup{$local_part}lsearch{/etc/exim/domains/$domain/passwd}{true}{false}}
catchall:
  driver = redirect   
  headers_add = X-redirected: yes
  require_files = /etc/exim/domains/$domain/aliases
  data = ${extract{1}{:}{${lookup{*@$domain}lsearch{/etc/exim/domains/$domain/aliases}}}}
  file_transport = local_delivery
  redirect_router = dnslookup
terminate_alias:
  driver = accept
  transport = devnull 
  condition = ${lookup{$local_part@$domain}lsearch{/etc/exim/domains/$domain/aliases}{true}{false}}
begin transports
remote_smtp:
  driver = smtp
  #helo_data = $sender_address_domain
  dkim_domain = DKIM_DOMAIN
  dkim_selector = mail
  dkim_private_key = DKIM_PRIVATE_KEY
  dkim_canon = relaxed
  dkim_strict = 0
procmail:
  driver = pipe
  command = "/usr/bin/procmail -d $local_part"
  return_path_add
  delivery_date_add   
  envelope_to_add
  user = $local_part  
  initgroups
  return_output
local_delivery:
  driver = appendfile 
  maildir_format
  maildir_use_size_file
  user = ${extract{2}{:}{${lookup{$local_part}lsearch{/etc/exim/domains/$domain/passwd}}}}
  group = mail
  create_directory
  directory_mode = 770
  mode = 660
  use_lockfile = no   
  delivery_date_add   
  envelope_to_add
  return_path_add
  directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim/domains/$domain/passwd}}}}/mail/$domain/$local_part"
  quota = ${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim/domains/$domain/passwd}}}}M
  quota_warn_threshold = 75%
local_spam_delivery:  
  driver = appendfile 
  maildir_format
  maildir_use_size_file
  user = ${extract{2}{:}{${lookup{$local_part}lsearch{/etc/exim/domains/$domain/passwd}}}}
  group = mail
  create_directory
  directory_mode = 770
  mode = 660
  use_lockfile = no   
  delivery_date_add   
  envelope_to_add
  return_path_add
  directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim/domains/$domain/passwd}}}}/mail/$domain/$local_part/.Spam"
  quota = ${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim/domains/$domain/passwd}}}}M
  quota_directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim/domains/$domain/passwd}}}}/mail/$domain/$local_part"
  quota_warn_threshold = 75%
address_pipe:
  driver = pipe
  return_output
address_file:
  driver = appendfile 
  delivery_date_add   
  envelope_to_add
  return_path_add
address_reply:
  driver = autoreply  
userautoreply:
  driver = autoreply  
  file = /etc/exim/domains/$domain/autoreply.${local_part}.msg
  from = "${local_part}@${domain}"
  headers = Content-Type: text/plain; charset=utf-8;\nContent-Transfer-Encoding: 8bit
  subject = "${if def:h_Subject: {Autoreply: \"${rfc2047:$h_Subject:}\"} {Autoreply Message}}"
  to = "${sender_address}"
devnull:
  driver = appendfile 
  file = /dev/null
begin retry
*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h
begin rewrite

добавлен в основной конфиг /etc/exim/exim.conf сразу после начала работы роутеров, т.е. я так и сделал

begin routers

check_outgoing_from_header:
    driver = redirect
    domains = ! +local_domains
    condition = ${if !match {$header_from:}{$sender_address}}
    allow_fail
    data = :fail: You can not send mail from here with From: $header_from as sender: $sender_address

check_outgoing:
    driver = redirect
    domains = ! +local_domains
    senders = ! : ! *@lsearch;/etc/exim/allowed_domains : ! lsearch;/etc/exim/allowed_mails
    allow_fail
    data = :fail: You can not send mail from this mailbox from this server.

хорошо, в файлах allow_domains и allow_mails добавлены домены, на которые можно отправлять почту, в файле allow_domain зарегистрирован test.com, файл allow_miles пуст

проверено через exim -d + all -bt test@test.com

exim -d+all -bt test@test.com
11:58:30 30782 Exim version 4.89 uid=0 gid=0 pid=30782 D=fffdffff
Berkeley DB: Berkeley DB 5.3.21: (May 11, 2012)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc TCPwrappers OpenSSL Content_Scanning DKIM DNSSEC Event OCSP PRDR TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm nis nis0 nisplus passwd sq
lite
Authenticators: cram_md5 cyrus_sasl dovecot gsasl plaintext spa tls
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0  
Configure owner: 0:0  
Size of off_t: 8
Compiler: GCC [4.8.5 20150623 (Red Hat 4.8.5-16)]
Library version: Glibc: Compile: 2.17
                        Runtime: 2.17
Library version: OpenSSL: Compile: OpenSSL 1.0.2k-fips  26 Jan 2017
                          Runtime: OpenSSL 1.0.2k-fips  26 Jan 2017
                                 : built on: reproducible build, date unspecified
Library version: Cyrus SASL: Compile: 2.1.26
                             Runtime: 2.1.26 [Cyrus SASL]
Library version: GNU SASL: Compile: 1.8.0
                           Runtime: 1.8.0
Library version: PCRE: Compile: 8.32
                       Runtime: 8.32 2012-11-30
11:58:30 30782 Loading lookup modules from /usr/lib64/exim/4.89-2.el7/lookups
11:58:30 30782 Loaded 0 lookup modules
11:58:30 30782 Total 18 lookups
Library version: SQLite: Compile: 3.7.17
                         Runtime: 3.7.17
WHITELIST_D_MACROS unset
TRUSTED_CONFIG_LIST: "/etc/exim/trusted-configs"
11:58:30 30782 changed uid/gid: forcing real = effective
11:58:30 30782   uid=0 gid=0 pid=30782
11:58:30 30782   auxiliary group list: <none>
11:58:30 30782 seeking password data for user "root": cache not available
11:58:30 30782 getpwnam() succeeded uid=0 gid=0
11:58:30 30783 changed uid/gid: calling tls_validate_require_cipher
11:58:30 30783   uid=93 gid=93 pid=30783
11:58:30 30783   auxiliary group list: <none>
11:58:30 30782 tls_validate_require_cipher child 30783 ended: status=0x0
11:58:30 30782 configuration file is /etc/exim/exim.conf
11:58:30 30782 log selectors = 00000ffc 06320202
11:58:30 30782 trusted user
11:58:30 30782 admin user
11:58:30 30782 DSN: check_outgoing_from_header propagating DSN
11:58:30 30782 DSN: check_outgoing propagating DSN
11:58:30 30782 DSN: dnslookup propagating DSN
11:58:30 30782 DSN: userforward propagating DSN
11:58:30 30782 DSN: procmail propagating DSN
11:58:30 30782 DSN: autoreplay propagating DSN
11:58:30 30782 DSN: aliases propagating DSN
11:58:30 30782 DSN: localuser_fwd_only propagating DSN
11:58:30 30782 DSN: localuser_spam propagating DSN
11:58:30 30782 DSN: localuser propagating DSN
11:58:30 30782 DSN: catchall propagating DSN
11:58:30 30782 DSN: terminate_alias propagating DSN
11:58:30 30782 originator: uid=0 gid=0 login=root name=root
11:58:30 30782 sender address = root@dev.test.com
11:58:30 30782 Address testing: uid=0 gid=93 euid=0 egid=93
11:58:30 30782 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
11:58:30 30782 Testing test@test.com
11:58:30 30782 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
11:58:30 30782 Considering test@test.com
11:58:30 30782 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
11:58:30 30782 routing test@test.com
11:58:30 30782 --------> check_outgoing_from_header router <--------
11:58:30 30782 local_part=dg domain=test.com
11:58:30 30782 checking domains
11:58:30 30782 search_open: dsearch "/etc/exim/domains/"
11:58:30 30782 search_find: file="/etc/exim/domains/"
11:58:30 30782   key="test.com" partial=-1 affix=NULL starflags=0
11:58:30 30782 LRU list:
11:58:30 30782   5/etc/exim/domains/
11:58:30 30782   End  
11:58:30 30782 internal_search_find: file="/etc/exim/domains/"
11:58:30 30782   type=dsearch key="test.com"
11:58:30 30782 file lookup required for test.com
11:58:30 30782   in /etc/exim/domains/
11:58:30 30782 lookup failed
11:58:30 30782 test.com in "dsearch;/etc/exim/domains/"? no (end of list)
11:58:30 30782 test.com in "! +local_domains"? yes (end of list)
11:58:30 30782 checking "condition" "${if !match {$header_from:}{$sender_address}}"...
 11:58:30 30782 /considering: ${if !match {$header_from:}{$sender_address}}
  11:58:30 30782 /considering: $header_from:}{$sender_address}}
  11:58:30 30782 |__expanding: $header_from:
  11:58:30 30782 \_____result:
  11:58:30 30782 /considering: $sender_address}}
  11:58:30 30782 |__expanding: $sender_address
  11:58:30 30782 \_____result: root@dev.test.com
 11:58:30 30782 |__condition: !match {$header_from:}{$sender_address}
 11:58:30 30782 |_____result: true
 11:58:30 30782 |__expanding: ${if !match {$header_from:}{$sender_address}}
 11:58:30 30782 \_____result: true
11:58:30 30782 calling check_outgoing_from_header router
11:58:30 30782 rda_interpret (string): :fail: You can not send mail from here with From: $header_from as sender: $sender_address
 11:58:30 30782 /considering: :fail: You can not send mail from here with From: $header_from as sender: $sender_address
 11:58:30 30782 |__expanding: :fail: You can not send mail from here with From: $header_from as sender: $sender_address
 11:58:30 30782 \_____result: :fail: You can not send mail from here with From:  as sender: root@dev.test.com
11:58:30 30782 expanded: :fail: You can not send mail from here with From:  as sender: root@dev.test.com
11:58:30 30782 file is not a filter file
11:58:30 30782 parse_forward_list: :fail: You can not send mail from here with From:  as sender: root@dev.test.com
11:58:30 30782 extract item: :fail: You can not send mail from here with From:  as sender: root@dev.test.com
11:58:30 30782 check_outgoing_from_header router forced address failure
test@test.com is undeliverable: You can not send mail from here with From:  as sender: root@dev.test.com
11:58:30 30782 search_tidyup called
11:58:30 30782 >>>>>>>>>>>>>>>> Exim pid=30782 terminating with rc=2 >>>>>>>>>>>>>>>>

как мне исправить правила запуска маршрутизаторов или мне следует написать другие правила, может быть, acl?

0