
How to stop users from sending mail

In certain circumstances I have found the need to prevent certain users from sending e-mail outside my domain.

These users are mainly my kids, who enjoy sending people e-mail from addresses that nobody can reply to (more on that later).

The way I have my e-mail set up is that a host collects the e-mail sent to my domain addresses, and a fetchmail process retrieves this e-mail and drops it into the appropriate folders.

For sending e-mail I chose exim4, which I found the easiest to understand. Take that any way you like!

As I said, I'm running a local domain, and on the way out the e-mail addresses are rewritten for the company domain, otherwise the receiver couldn't reply. I have set this up using LDAP: I am using the mailRoutingAddress field in the schema. Perhaps not what it is intended for, but as I am the admin I can do what I like.
On the way out an e-mail has its From:, Reply-To: and similar headers rewritten with this address. I haven't bothered to rewrite on the way back in; I'll leave that for another project.

Now my kids' e-mail accounts are just for fun, so they don't have a routing address set up in their accounts. But they still sent e-mails out to people, and when the recipient received the e-mail they could not reply, as the appropriate headers had not been rewritten. So I needed a way to stop those e-mails going out.

The way I looked at it in exim4 is that I needed to write a special router to perform a couple of checks, and to fail and produce a message if a user's mailRoutingAddress could not be found.

This is how I modified the

# Stand-ins for details cut from the original: the router name "local_only"
# and the base DN ou=people,dc=example,dc=org. allow_fail is required for :fail:
# to be honoured, and quote_ldap_dn keeps a crafted local part from altering the DN.
# The ${if eq ...} wrapper refuses the mail both when the LDAP entry is missing
# and when the entry exists but has no (or an empty) mailRoutingAddress.
local_only:
   debug_print = "R: local only for $local_part@$domain"
   driver = redirect
   allow_fail
   domains = !+local_domains
   condition = ${if match_domain{$sender_address_domain}{+local_domains}{yes}{no}}
   data = "${if eq {${lookup ldap {ldap://localhost/uid=${quote_ldap_dn:$sender_address_local_part},\
              ou=people,dc=example,dc=org?mailRoutingAddress} {$value} {}}} {} \
              {:fail: Your account is not allowed to send mail outside of the local network} \
              {$local_part@$domain}}"
   redirect_router = next_router
This router is only enabled where the outgoing domain is not one I am looking for, i.e. not one of my local domains. The condition line is perhaps optional here, but it keeps the router from failing if I use a purely virtual e-mail address (I think). The router then performs a lookup into LDAP, checking for the sender's mailRoutingAddress. If it has a value, the router redirects the address to another router, a time-saving measure as I don't want to loop through this router again. Otherwise it fails and produces a suitable message.
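To check the router's decision table without a running exim, here is an added example in Python (not the author's configuration, which is exim config). It models the two preconditions, the LDAP lookup of mailRoutingAddress with DN escaping, the refusal message, and the outbound header rewrite described earlier in the post. The domain home.lan, the base DN ou=people,dc=example,dc=org and the directory entries are constructed assumptions, as are the function names.

```python
"""Model of the outbound-mail policy described above (added example, not the
author's exim configuration). The directory below is a constructed stand-in for
the LDAP tree; the base DN and local domain are assumptions."""

LOCAL_DOMAINS = {"home.lan"}    # constructed stand-in for exim's +local_domains
BASE_DN = "ou=people,dc=example,dc=org"   # assumed base DN
FAIL_MESSAGE = "Your account is not allowed to send mail outside of the local network"

# Constructed LDAP entries, keyed by DN. kid1 has no mailRoutingAddress at all,
# kid2 has the attribute but it is empty; both must be refused.
DIRECTORY = {
    f"uid=dad,{BASE_DN}":  {"mailRoutingAddress": "dad@example.com"},
    f"uid=kid1,{BASE_DN}": {},
    f"uid=kid2,{BASE_DN}": {"mailRoutingAddress": ""},
}


def quote_ldap_dn(value):
    """Escape a value for use inside a DN, approximating exim's ${quote_ldap_dn:}
    (RFC 4514): backslash the special characters, a leading '#' or space and a
    trailing space, so a local part such as 'kid1,ou=admins' cannot change
    which entry is looked up."""
    specials = ',+"\\<>;='
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in specials or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def lookup_routing_address(local_part):
    """The LDAP lookup: return the sender's mailRoutingAddress, or None when the
    entry does not exist or the attribute is missing or empty."""
    dn = f"uid={quote_ldap_dn(local_part)},{BASE_DN}"
    entry = DIRECTORY.get(dn)
    if entry is None:
        return None
    return entry.get("mailRoutingAddress") or None


def route(sender, recipient):
    """Apply the 'local only' router to one envelope sender/recipient pair.

    Returns ("pass", reason)   when a precondition does not match (exim would
                               try the next router),
            ("redirect", addr) when the sender has a routing address and the
                               recipient is handed on to next_router, or
            ("fail", message)  when the mail must be refused."""
    recipient_domain = recipient.rsplit("@", 1)[1]
    # domains = !+local_domains: mail to a local domain is never affected
    if recipient_domain in LOCAL_DOMAINS:
        return ("pass", "recipient is local")
    # condition = ${if match_domain{$sender_address_domain}{+local_domains}...}
    # An empty envelope sender (a bounce) has no domain and is not local either.
    if "@" not in sender or sender.rsplit("@", 1)[1] not in LOCAL_DOMAINS:
        return ("pass", "sender is not local")
    sender_local = sender.rsplit("@", 1)[0]
    if lookup_routing_address(sender_local) is None:
        return ("fail", FAIL_MESSAGE)
    return ("redirect", recipient)


def rewrite_headers(headers, sender):
    """The outbound rewrite: replace From:, Reply-To: and Sender: with the
    sender's routing address so the receiver can reply. Other headers are left
    alone; a sender without a routing address gets nothing rewritten."""
    address = lookup_routing_address(sender.rsplit("@", 1)[0])
    if address is None:
        return dict(headers)
    return {name: (address if name in ("From", "Reply-To", "Sender") else value)
            for name, value in headers.items()}


if __name__ == "__main__":
    for who in ("dad@home.lan", "kid1@home.lan", "kid2@home.lan"):
        print(who, "->", route(who, "friend@example.net"))
    print(rewrite_headers({"From": "dad@home.lan", "Subject": "hi"}, "dad@home.lan"))
```

Running the block shows dad being redirected while both kids are refused with the message, and a From: header for dad being rewritten to his routing address. The DN escaping is the part worth keeping in the real configuration: the sender's local part comes from whoever submitted the message, and exim's ${quote_ldap_dn:} is what stops it from changing which entry the lookup reads.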
And that’s it.
