Domain Redirection

December 27, 2010 at 1:36 pm

Easy way to have exim redirect the local parts of one domain (i.e., an “alias” domain) to another without having to create an entry for each user.  This means rejection occurs at the primary domain mailserver, not your exim server.

domainalias:
  driver = redirect
  domains = lsearch;CONFDIR/virtual/domainalias
  data = ${quote_local_part:$local_part}@${lookup{$domain}lsearch{CONFDIR/virtual/domainalias}}
  no_more

Where domainalias is a file of colon-separated domain redirects (alias domain: target domain), one per line.

Encrypted Filesystem

December 25, 2007 at 12:30 pm

Because I don’t have physical control over my filesystem, I like to keep a few sections of it encrypted.  It’s pretty easy to do.

Create a file of suitable size, filled with random data:

dd if=/dev/urandom of=/var/encrypted_file bs=1M count=100

Attach it to a loopback device:

losetup /dev/loop0 /var/encrypted_file

Set up the encrypted mapping (-y asks for the passphrase twice):

cryptsetup -y create encrypted_file /dev/loop0

Create a filesystem on the encrypted volume:

mkfs.ext3 /dev/mapper/encrypted_file

Then add it to /etc/crypttab and make appropriate entries in /etc/fstab.  You’ll need to supply a password at boot to mount the volume, so make sure you have console access.

This is all with the cryptsetup package installed on Debian etch.

Exim4 Recipient Callout

April 8, 2007 at 8:34 am

For the last year or so I thought I had recipient callout verification working on my secondary MX. I was wrong. Turns out the following setup in /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt

deny
  !acl = acl_whitelist_local_deny
  recipients = ${if exists{CONFDIR/local_rcpt_callout}\
                        {CONFDIR/local_rcpt_callout}\
                        {}}
  !verify = recipient/callout=defer_ok

(with the domains I relay for in /etc/exim/local_rcpt_callout) was allowing anything through because the default exim timeout of 30s was too short for my primary MX to complete the callout, and so, because of the defer_ok option, the failure was treated as success. Fixed it by upping the time to 2m, via

!verify = recipient/callout=2m,defer_ok

Taking defer_ok out would have worked, but that would defeat the purpose of the secondary MX, which should accept mail without verification if the primary is actually down.
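
The fail-open behaviour described above, reproduced as an added example (not code from this post or from Exim): a constructed local stub plays a slow primary MX, callout() probes it the way a recipient callout does, and acl_result() is a simplified model of the deny statement. The stub, the addresses and the scaled-down timings (0.5 s and 5 s standing in for 30s and 2m) are assumptions, and Exim's real timeout handling is more detailed than a single socket timeout.

```python
import smtplib, socketserver, threading, time

class SlowPrimary(socketserver.StreamRequestHandler):
    """Constructed stand-in for a slow primary MX; only 'alice' exists."""
    def handle(self):
        try:
            self.wfile.write(b"220 primary.example ESMTP\r\n")
            for raw in self.rfile:
                cmd = raw.decode().strip().lower()
                reply = "221 bye" if cmd == "quit" else "250 ok"
                if cmd.startswith("rcpt"):
                    time.sleep(1.5)  # constructed delay: the slow recipient check
                    reply = "250 ok" if "alice@" in cmd else "550 no such user"
                self.wfile.write((reply + "\r\n").encode())
        except OSError:
            pass  # the client timed out and hung up before the reply

def start_stub():
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), SlowPrimary)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]

def callout(port, rcpt, timeout):
    """Callout-style probe: HELO, null sender, RCPT, QUIT, never DATA."""
    try:
        with smtplib.SMTP("127.0.0.1", port, "mx2.example", timeout) as s:
            s.helo()
            s.mail("")
            code, _ = s.rcpt(rcpt)
    except OSError:  # timeout, refused connection or dropped session
        return "defer"
    return {2: "accept", 5: "reject"}.get(code // 100, "defer")

def acl_result(outcome, defer_ok):
    """Simplified model of: deny !verify = recipient/callout=<time>[,defer_ok]"""
    if outcome == "defer" and defer_ok:
        return "pass"  # a temporary failure is treated as verified
    return {"accept": "pass", "reject": "deny", "defer": "defer"}[outcome]

def demo():
    port = start_stub()
    outcomes = [callout(port, "nobody@example.org", 0.5),  # stands in for 30s
                callout(port, "nobody@example.org", 5),    # stands in for 2m
                callout(port, "alice@example.org", 5)]     # real recipient
    return [(o, acl_result(o, defer_ok=True)) for o in outcomes]

if __name__ == "__main__":
    print(demo())
```

With the short timeout the bogus recipient comes back as a defer and passes the ACL; with the long one the primary's 550 is heard and the recipient is denied.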
