[Contrib] PHP mail filter script for Exim MTA
Hi all, Finally, I've managed to make a filter to do what I really wanted. I'm on a Linux platform using CPanel server, that uses Exim MTA. Procmail and all won't work, so my best bet was to make an Exim filter, but I was too lazy to learn that, and mess up the Exim config... So I decided to make a PHP filter script that receives the mailpipe from Exim and then decide what to do with it. For me, I wanted that only valid customer users that has been created to be able to send in requests via e-mail. I don't want other people mailing support helpdesk and especially not SPAM! :p So I made Exim pipe the mail data into my PHP script, and let me PHP script queries the OTRS mysql database for a valid user in the database for that mail sender. If found, the mail will then be piped to PostMaster.pl, if not, it is discarded. Well, at least it solved my spam issue :p I've attached the script with sufficient information inside on how to use... You can always e-mail me or reply to this topic on the mailing list (grr, I hate mailing lists! Prefer forums!) if you need help to use it or customise it.. I'll try my best... Since I'm on 2 months break :p Best regards, Au Yong
On Wednesday, November 05, 2003 11:07 AM
Au Yong Tien Chee
Finally, I've managed to make a filter to do what I really wanted. I'm on a Linux platform using CPanel server, that uses Exim MTA. Procmail and all won't work, so my best bet was to make an Exim filter, but I was too lazy to learn that, and mess up the Exim config...
As you seem to use a quite simple form of parsing for the sender's address in your php script, you'd better depend on exim's capabilities here. For sure exim has to be compiled with MySQL support (./configure --with-mysql) for this. In other words: Use exim, if you can. Here it goes: Add this line somewhere in the beginning of your exim's config file, before any 'begin': hide mysql_servers = hostname/otrs/username/password Or, if you'd like to use un*x sockets on the local machine, this would be enough instead: hide mysql_servers = /otrs/username/password We protect the sensitive username/password data by using 'hide' when non-admins issue a 'exim -bP' on the command line for increased security. Do not omit it. Create an acl statement in the acl_check_rcpt section: accept recipients = otrs-support-email@example.com endpass senders = : mysql;\ select email from customer_user where \ email='${quote_mysql:$sender_address}' message = Sorry, you are not authorized \ to use our OTRS support system. The statement is best copy'n'pasted due to its simplicity ;) and should be placed after the line that says require verify = sender and therefore before the one that checks for a valid local recipient, which would accept the mails before we could get a chance check the sender. So, the order of ACL statements matters! What does it do? It first checks if the recipient's address of the message exim is looking at matches the email address your OTRS system uses. If it doesn't, the message is not designated for OTRS and control is passed onto the next acl statement and processing of the email takes place as regular. In a mail sent to otrs-support-email@example.com, the sender (if not empty, to catch bounce messages) is checked against the OTRS datababe. If this check fails, we write an explanatory SMTP message to the sender's log file and exim denies the mail, closing the connection automagically. Else it accepts the message and delivers it to the OTRS mailbox from which you can pull it with PostMasterPOP3.pl. Beware, I didn't test the above thoroughly, but derived it from my config, which uses LDAP for a similar purpose, so it should work. Feel free to post any erratic output of exim, see main_log and panic_log for these. hth, Robert Kehl PS: Contact the OTRS GmbH (see below) if you need help with configuring your exim more deeply. We love exim. -- ((otrs.de)) :: OTRS GmbH :: Norsk-Data-Str. 1 :: 61352 Bad Homburg http://www.otrs.de/ :: Tel. +49 (0)6172 4832388
Robert...
Funny, when I first inquired about this sometime back, nobody seem to know
or give a hoot..
Anyway, I did the PHP script due to not wanting to mess up the exim config.
Is it possible for me to setup the config elsewhere (like a Exim filter
.forward?) coz I really don't want to mess up the main config file. Please
advise.
Additionally, I didn't want to send back a reply to the non-valid users, for
the fear of spam mails...
Best regards,
Au Yong
-----Original Message-----
From: Robert Kehl [mailto:robert.kehl@otrs.de]
Sent: Thursday, November 06, 2003 7:53 PM
To: User questions and discussions about OTRS.
Subject: [otrs] [Contrib] ACL mail filter script for Exim MTA
On Wednesday, November 05, 2003 11:07 AM Au Yong Tien Chee
Finally, I've managed to make a filter to do what I really wanted. I'm on a Linux platform using CPanel server, that uses Exim MTA. Procmail and all won't work, so my best bet was to make an Exim filter, but I was too lazy to learn that, and mess up the Exim config...
As you seem to use a quite simple form of parsing for the sender's address in your php script, you'd better depend on exim's capabilities here. For sure exim has to be compiled with MySQL support (./configure --with-mysql) for this. In other words: Use exim, if you can. Here it goes: Add this line somewhere in the beginning of your exim's config file, before any 'begin': hide mysql_servers = hostname/otrs/username/password Or, if you'd like to use un*x sockets on the local machine, this would be enough instead: hide mysql_servers = /otrs/username/password We protect the sensitive username/password data by using 'hide' when non-admins issue a 'exim -bP' on the command line for increased security. Do not omit it. Create an acl statement in the acl_check_rcpt section: accept recipients = otrs-support-email@example.com endpass senders = : mysql;\ select email from customer_user where \ email='${quote_mysql:$sender_address}' message = Sorry, you are not authorized \ to use our OTRS support system. The statement is best copy'n'pasted due to its simplicity ;) and should be placed after the line that says require verify = sender and therefore before the one that checks for a valid local recipient, which would accept the mails before we could get a chance check the sender. So, the order of ACL statements matters! What does it do? It first checks if the recipient's address of the message exim is looking at matches the email address your OTRS system uses. If it doesn't, the message is not designated for OTRS and control is passed onto the next acl statement and processing of the email takes place as regular. In a mail sent to otrs-support-email@example.com, the sender (if not empty, to catch bounce messages) is checked against the OTRS datababe. If this check fails, we write an explanatory SMTP message to the sender's log file and exim denies the mail, closing the connection automagically. Else it accepts the message and delivers it to the OTRS mailbox from which you can pull it with PostMasterPOP3.pl. Beware, I didn't test the above thoroughly, but derived it from my config, which uses LDAP for a similar purpose, so it should work. Feel free to post any erratic output of exim, see main_log and panic_log for these. hth, Robert Kehl PS: Contact the OTRS GmbH (see below) if you need help with configuring your exim more deeply. We love exim. -- ((otrs.de)) :: OTRS GmbH :: Norsk-Data-Str. 1 :: 61352 Bad Homburg http://www.otrs.de/ :: Tel. +49 (0)6172 4832388 _______________________________________________ OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs Support oder Consulting für Ihr OTRS System? => http://www.otrs.de/
On Thursday, November 06, 2003 1:04 PM
Au Yong Tien Chee
Anyway, I did the PHP script due to not wanting to mess up the exim = config.
You can safely test a new exim config with the -C option.
Is it possible for me to setup the config elsewhere (like a Exim filter .forward?) coz I really don't want to mess up the main config file. = Please advise. Additionally, I didn't want to send back a reply to the non-valid users, for the fear of spam mails...
In fact, you're not sending back a reply, but tell exim to output an error message during the existing SMTP session and then close the connection to the remote server. You must give any text, and giving an explanatory message will help your customers when they use another email address not in your database, for instance. If you omit the proposed message, a default would be used saying something similar, but not mentioning OTRS of course. Most likely spammers will try to send their messages over and over again until some sunny day your address vanishes from their lists due to subsequent transmission failures. But don't bother if they do not give up (perhaps they don't get to know it): You do not waste a big amount of resources using this solution, because you (drums!) do not even receive the message itself! Good dog exim rejects the SMTP session after determining the faulty sender/recepient pair, the DATA part, ie. the mail's real contents were still to come. Using exim's ACL configuration is currently the only way to prevent unwanted messages from even being received, thus putting a short end on the line ;) Takes a lot of load from a heavy used server, I promise. If you want to use exim's filters, you could try this: # Exim filter if ${lookup mysql {select email from customer_user where \ email='${quote_mysql:$sender_address}{"VALID"}} \ does not match "VALID" then seen finish endif As I'm not using filter files at all I'm not sure if MySQL lookups are permitted in them, but it's nothing more than a string expansion, which were possible in any filter file. If the above doesn't work as a user's filter, it should at least as a system filter. hth, Robert Kehl -- ((otrs.de)) :: OTRS GmbH :: Norsk-Data-Str. 1 :: 61352 Bad Homburg http://www.otrs.de/ :: Tel. +49 (0)6172 4832388
participants (2)
-
Au Yong Tien Chee -
Robert Kehl