Mailing List Archive

Choosing the outbound IP address according to a Database query.
Exim version 4.89 #1 built 05-Oct-2017 13:48:15 (Linux Gentoo)

Problem: I have users either with weak passwords or who give away their
passwords...

Result: Spammers have their "information" so can use my relay mail
server to send spam on my clients' behalf to many other people. If it
bounces - then the client has a full mail box quite quickly. Worse - the
IP address of the machine gets blacklisted. This then affects many other
clients.

The machine is for Mail Submission - so it can have a common "inbound"
interface for my clients - and just needs a specific outbound IP address.

I have a fair number of IP addresses. I'd like to have a pool of
interfaces - each with their own IP address. My users' details are all
stored in a database table so I could also add an IP address there, the
one that this particular client should use when my EXIM sends out their
e-mail. If that IP address becomes blacklisted - it would then affect a
much smaller percentage of my users. I could then have one IP address
per group of customers!

In exim.conf - I've used:

# Interfaces That Exim Listens on
local_interfaces = <; 127.0.0.1 ;    ::1 ; \
                      192.111.222.1 ;  2001:1234:abcd:5678::1 ; \
                      192.111.222.2 ;  2001:1234:abcd:5678::2 ; \
                      192.111.222.3 ;  2001:1234:abcd:5678::3

(fake numbers)

I assume one could assign a particular IP address for outbound?


I already look the user up - e.g. on a different machine that receives
inbound e-mails:-

  # quota = 30M
  # quote_mysql escapes the address before it is placed in the SQL string
  quota = ${lookup mysql {select mail_quota from user_table \
            where user='${quote_mysql:${local_part}@${domain}}'}}M

...so guess I could fetch an IP address - or easier would be the last
part of an IP address...

In Transports - I have something like:-

begin transports

# This transport is used for delivering messages over SMTP connections.
remote_smtp:
  driver = smtp
  dnssec_request_domains = *
  hosts_try_dane = *
  return_path = ${address:$reply_address}
  interface = <; 192.111.222.1 ; 2001:1234:abcd:5678::1

So could the "interface =" part be changed to receive the result of a
MySQL query?
Can I pop a value into a variable - and use that? - otherwise I'll be
doing two lookups, one for IPv4 and one for IPv6...

interface = <; 192.111.222.${lookup mysql {select mail_ip from user_table \
    where user='${quote_mysql:${local_part}@${domain}}'}} ; \
  2001:1234:abcd:5678::${lookup mysql {select mail_ip from user_table \
    where user='${quote_mysql:${local_part}@${domain}}'}}


Anyone done this before?

--
Mark James ELKINS - Posix Systems - (South) Africa
mje@posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Choosing the outbound IP address according to a Database query.
On Mon, 12 Mar 2018, Mark Elkins via Exim-users wrote:

> The machine is for Mail Submission - so it can have a common "inbound"
> interface for my clients - and just needs a specific outbound IP address.
>
> I have a fair number of IP addresses. I'd like to have a pool of
> interfaces - each with their own IP address. My users' details are all
> stored in a database table so I could also add an IP address there, the
> one that this particular client should use when my EXIM sends out their
> e-mail. If that IP address becomes blacklisted - it would then affect a
> much smaller percentage of my users. I could then have one IP address
> per group of customers!
>
> In exim.conf - I've used:
>
> # Interfaces That Exim Listens on
> local_interfaces = <; 127.0.0.1 ;    ::1 ; \
>                       192.111.222.1 ;  2001:1234:abcd:5678::1 ; \
>                       192.111.222.2 ;  2001:1234:abcd:5678::2 ; \
>                       192.111.222.3 ;  2001:1234:abcd:5678::3
>
> (fake numbers)
>
> I assume one could assign a particular IP address for outbound?

I don't know the current position, but in 2011 Spamhaus was blacklisting
IPv6 addresses in /64 blocks
https://www.spamhaus.org/organization/statement/012/spamhaus-ipv6-blocklists-strategy-statement
so I don't know whether your pool of addresses will protect your clients
as well as you hope.

--
Andrew C. Aitchison Cambridge, UK
andrew@aitchison.me.uk
Re: Choosing the outbound IP address according to a Database query.
> From: Mark Elkins

> Problem: I have users either with weak passwords or who give away their
> passwords...
>
> Result: Spammers have their "information" so can use my relay mail
> server to send spam on my clients' behalf to many other people. If it
> bounces - then the client has a full mail box quite quickly. Worse - the
> IP address of the machine gets blacklisted.

Use this: https://github.com/Exim/exim/wiki/BlockCracking

Re: Choosing the outbound IP address according to a Database query.
> In Transports - I have something like:-
>
> begin transports
>
> # This transport is used for delivering messages over SMTP connections.
> remote_smtp:
>   driver = smtp
>   dnssec_request_domains = *
>   hosts_try_dane = *
>   return_path = ${address:$reply_address}
>   interface = <; 192.111.222.1 ; 2001:1234:abcd:5678::1
>
> So could the "interface =" part be changed to receive the result of a
> MySQL query?
> Can I pop a value into a variable - and use that? - otherwise I'll be
> doing two lookups, one for IPv4 and one for IPv6...

The transport 'interface =' is string-expanded, so you can use anything
here that you can use as a normal string expansion, including MySQL
queries. We have some Exim servers with a relatively complex set of
conditions here (although we don't use MySQL lookups) and it works fine.

You may also find it more convenient to set this information up
earlier, for example in an ACL (as a message ACL variable) or during
routing (eg in $address_data), and then simply use it in the transport,
rather than looking it up every time in the transport.

- cks
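
Added example, not part of any post in this thread: one way to do the lookup once in an ACL, as the reply above suggests, and reuse the result for both address families in the transport. The names acl_check_mail and acl_m_out are assumptions, as is keying the query on $authenticated_id (the submitter) rather than on the recipient address; the table, column and address prefixes are the ones quoted in the thread.

```exim
# Added example; acl_check_mail and acl_m_out are assumed names.
# Main section: run the ACL below for each MAIL FROM.
acl_smtp_mail = acl_check_mail

begin acl

acl_check_mail:
  # One lookup per message, keyed on the SMTP AUTH login (assumption: that is
  # what user_table.user holds). quote_mysql escapes the value before it is
  # spliced into the SQL string; the match keeps only a 1-3 digit result.
  # $acl_m_* values are saved with the message, so the transport sees them.
  warn authenticated = *
       set acl_m_out = ${lookup mysql{SELECT mail_ip FROM user_table \
                         WHERE user='${quote_mysql:$authenticated_id}'}\
                         {${if match{$value}{\N^[0-9]{1,3}$\N}{$value}}}}
  accept

begin transports

remote_smtp:
  driver = smtp
  # Unset or rejected value: the expansion is empty, the option is ignored,
  # and no source address is forced.
  interface = ${if def:acl_m_out \
                {<; 192.111.222.$acl_m_out ; 2001:1234:abcd:5678::$acl_m_out}}
```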

Re: Choosing the outbound IP address according to a Database query.
On 2018-03-12, Mark Elkins via Exim-users <exim-users@exim.org> wrote:
> Exim version 4.89 #1 built 05-Oct-2017 13:48:15 (Linux Gentoo)
>
> # Interfaces That Exim Listens on
> local_interfaces = <; 127.0.0.1 ;    ::1 ; \
>                       192.111.222.1 ;  2001:1234:abcd:5678::1 ; \
>                       192.111.222.2 ;  2001:1234:abcd:5678::2 ; \
>                       192.111.222.3 ;  2001:1234:abcd:5678::3
>
> I assume one could assign a particular IP address for outbound?
>
> So could the "interface =" part be changed to receive the result of a
> MySQL query?
> Can I pop a value into a variable - and use that? - otherwise I'll be
> doing two lookups, one for IPv4 and one for IPv6...

You can use an $acl_m_... variable there or a lookup.

> Anyone done this before?

I have (several years ago) and had a bad experience, but I think the
bugs I discovered have now been fixed.

--
This email has not been checked by half-arsed antivirus software
