# Allow exim to only send emails to 3 recipients, bounce rest

## inn3rpece

Hi,

A server of mine got hacked recently due to the well known vulnerability in an unpatched exim v4.69. Needless to say I've convinced my manager to allow me to:

1) Install a firewall

2) Mitigate brute-force attacks on ftp and ssh (denyhosts and fail2ban [for pureftpd] )

Now I would like to configure exim so that it will only send email to either of the following remote mailboxes :

1] user@domain.com

2] user@domain2.com

3] user@domain3.com

Is this possible? Postfix is my MTA of choice and this is the first time that I've needed to change its configuration files.

thank you

----------

## gerdesj

[edit - not sure why my code blocks have gone a bit mad - I assume something to do with whisky brought in by the "Flying Scotsman"]

Exim can do pretty much anything to email that you ask of it. However, you don't show any of your config or many other things.

In your example you show one user name - the bit before the @ - and three domains.

In the global section - the bit before you use any line with a : on the end - you define a domain list:

```
# Named domain list; the ACL below refers to it as +my_three_domains.
# A trailing backslash continues the list on the next line.
domainlist my_three_domains = domain.com : \
                              domain2.com : \
                              domain3.com
```

The simplest way I can think of to do your requirement is to use the acl_smtp_rcpt. This has the added bonus of allowing you to drop mail early in the SMTP conversation.

Somewhere in your configuration you should have a list of acls, one of which sets something like this:

```
acl_smtp_rcpt  = acl_check_rcpt
```

The acl for acl_smtp_rcpt is called acl_check_rcpt - I think this is in the default config and is a bit confusing when you are getting to grips with Exim.  The ACL is called acl_smtp_rcpt and the definition that you use is called acl_check_rcpt. I'm not sure I've really helped here but I hope you get it!

Having given the acl a name there should be various rules that are carried out at the point when a sending system has said "RCPT TO: <email_address>". Under the begin acl: section you should have a section for your RCPT ACL. Now you want to drop all mail apart from those three addresses, so you might as well set that first.

```
acl_check_rcpt:
  # Accept only "user" at one of the three listed domains
  accept local_parts = user
         domains = +my_three_domains

  # Any other local part at those domains: close the connection
  drop   local_parts = !user
         domains = +my_three_domains

  # Recipients at any other domain reach the end of the ACL without a
  # matching verb; Exim's default in that case is deny.
```

I've typed this lot in as I've thought about it, also I don't know the rest of your set up but it should get you on track for what you want.  

I can recommend a few other things if you are not already using them, these should be literally copy 'n' paste.  Define the ACL name (first block) and then set the ACL (second block).  This will enable DNS RBLs which you might find handy:

Define the acl names:

```
acl_smtp_connect                = acl_check_connect
acl_smtp_helo                   = acl_check_helo
```

Define the acls:

```
acl_check_connect:
  # Connecting host listed in Spamhaus ZEN: drop the connection
  drop    message               = BLL002_M
          log_message           = BLL002_LM
          dnslists              = zen.spamhaus.org
          delay                 = 5s

  # hostkarma blacklist answer (127.0.0.2): drop as well
  drop    message               = BLL002_M
          log_message           = BLL002_LM (Blacklist)
          dnslists              = hostkarma.junkemailfilter.com=127.0.0.2
          delay                 = 5s

  # hostkarma yellow/white answers are only logged, not acted on
  warn    log_message           = BLL0013_LM (Yellowlist)
          dnslists              = hostkarma.junkemailfilter.com=127.0.0.3

  warn    log_message           = BLL0013_LM (Whitelist)
          dnslists              = hostkarma.junkemailfilter.com=127.0.0.1

  accept  delay                 = 5s

acl_check_helo:
  # Remote host claims to be us in HELO/EHLO
  drop    message               = BLL003_M
          log_message           = BLL003_LM
          condition             = ${if match{$sender_helo_name}{$primary_hostname}}

  # Bare IP address in HELO/EHLO
  deny    message               = BLL001_M
          log_message           = BLL001_LM
          condition             = ${if isip {$sender_helo_name}{true}{false}}
          delay                 = 2s

  accept
```

In the above there are some weird looking BLLnnn_ things.  These are macros which are text strings to be replaced.  At the top of your config define your macros like this:

```
BLL001_M     = Not accepting this mail
BLL001_LM    = BLL001 $sender_host_address used IP address in HELO/EHLO greeting
```

The BLL thing is one of my company internal standards.  You can use any old string.  The M means message and LM means log message which strangely enough is where you will see them.  The message is what the other end will get and probably end up in one of those screwed up Exchange NDR things.

Finally, get ClamAV 'n' SpamAssassin in there as well. I have a recipe but that's another question :Cool:

Hope this lot helps

Cheers

Jon

----------

## inn3rpece

Hi gerdesj

Apologies for the late reply..

Thank you very much for this, it's worked 100%. I understand basically how exim config works now, I've been reading the config for ~ 2 days now.

One thing, I noticed that this works except when a website on the same server sends out an email via a contact form. It seems that there is a rule that accepts this email before it gets to the checks you sent me. I'm sure I'll be able to identify what's stopping this.

Thanks,

----------

## gerdesj

 *inn3rpece wrote:*   

> Hi gerdesj
> 
> Apologies for the late reply..
> 
> Thank you very much for this, it's worked 100%. I understand basically how exim config works now, i've been reading the config for ~ 2 days now.
> ...

 

Great stuff, glad that helped.  Make sure that the RCPT acl does not have any other rules before the check for the usernames.  

The ACLs are tested in order (connect, helo, rcpt etc etc) and a mail or mail system's properties have to get it through each one before the mail gets to the routers and then the transports. It's a powerful system but can be a bit intimidating.

Testing by using `exim -bhc <ip address>` is a great way to see what is happening. Search these forums on my name and exim and you should find a post where I described this fairly recently.

The only other explanation I can think of might be that the website may not be relaying through Exim.  Check the logs!

Cheers

Jon
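To make the two points of this thread concrete (first reply: the RCPT ACL accepts the three addresses and everything else is dropped or denied; second reply: a rule placed before the username check lets the website's mail through), here is an added toy model of how Exim walks a RCPT ACL. It is not Exim code or anything from the posts; the rule list mirrors the posted ACL, and the host addresses 203.0.113.5 and 127.0.0.1 are constructed sample values.

```python
# Toy model of Exim RCPT ACL evaluation: rules are tried in order, the first
# rule whose conditions all match decides, and running off the end of the
# ACL denies (Exim's implicit deny).  Added illustration, not Exim itself.
MY_THREE_DOMAINS = {"domain.com", "domain2.com", "domain3.com"}  # from the post

def _matches(cond, value, domain_lists):
    """One ACL condition: colon-separated alternatives, '!' negates, '+name' is a named list."""
    negate = cond.startswith("!")
    cond = cond.lstrip("!")
    if cond.startswith("+"):
        hit = value in domain_lists[cond[1:]]
    else:
        hit = value in {c.strip() for c in cond.split(":")}
    return hit != negate

def run_rcpt_acl(rules, recipient, sender_host, domain_lists=None):
    """Return (verb, rule_index) for the first matching rule, or ('deny', None)."""
    domain_lists = domain_lists or {"my_three_domains": MY_THREE_DOMAINS}
    local_part, _, domain = recipient.rpartition("@")
    values = {"local_parts": local_part, "domains": domain, "hosts": sender_host}
    for idx, (verb, conds) in enumerate(rules):
        if all(_matches(c, values[k], domain_lists) for k, c in conds.items()):
            return verb, idx
    return "deny", None  # fell off the end of the ACL: Exim denies

# The RCPT ACL from the first reply, as (verb, {condition: value}) pairs.
POSTED_ACL = [
    ("accept", {"local_parts": "user", "domains": "+my_three_domains"}),
    ("drop",   {"local_parts": "!user", "domains": "+my_three_domains"}),
]

# Same ACL with a hypothetical "accept local submissions" rule in front of it,
# the kind of earlier rule the follow-up describes: mail from the web server's
# own contact form is accepted before the username check is ever reached.
RELAY_FIRST_ACL = [("accept", {"hosts": "127.0.0.1"})] + POSTED_ACL

if __name__ == "__main__":
    samples = (("user@domain.com", "203.0.113.5"),      # allowed recipient
               ("bob@domain.com", "203.0.113.5"),       # wrong local part
               ("user@other.example", "203.0.113.5"),   # domain not listed
               ("anyone@other.example", "127.0.0.1"))   # local website submission
    for name, acl in (("posted", POSTED_ACL), ("relay-first", RELAY_FIRST_ACL)):
        for rcpt, host in samples:
            print(f"{name:11} {rcpt:22} from {host:12} -> {run_rcpt_acl(acl, rcpt, host)}")
```

Moving the `hosts` rule below the username check, or removing it, restores the intended behaviour, which is what the second reply means by keeping the check first.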

----------

