A few domains are hosted on my server and I have an exim4 setup where I can create virtual addresses by dropping text files in a directory and putting the destination address in the text file. This is convenient because it lets me redirect everything to gmail inboxes and manage all things in one place.
However, sometimes the virtual addresses do receive spam which they promptly forward to gmail, which is unhappy, tanking my server’s reputation.
This came to a head yesterday when I noticed legitimate emails being 550d at the SMTP dialog level, which is bad because they are not resent and we start losing important data.
I installed an additional spam filter, but crucially (I think, remains to be seen whether this really helps) I found this page which describes Sender Rewriting Scheme (and the explanation makes sense, since from Google’s point of view I’m delivering email for the originating domain, after a forward from my server, which is not a designated sender for those domains).
A bit of googling led me to another page describing how to set up srs with an srs client, but unfortunately the config suggested there made a few assumptions that didn’t work for my system. At the bottom of that though, there’s a link to this exim bug which describes a pure exim4 solution with 3 routers and a new transport. This was easy to adapt and it seems to be working well.
#routers
# /etc/exim4/conf.d/router/110_srs
outbound:
driver = dnslookup
domains = ! +local_domains
transport = ${if eq {$local_part@$domain} \
{$original_local_part@$original_domain} \
{remote_smtp} {remote_forwarded_smtp}}
inbound_srs:
driver = redirect
senders = :
domains = +local_domains
condition = ${if match {$local_part} \
{^(?i)SRS0=([^=]+)=([A-Z2-7]+)=([^=]*)=(.*)\$} \
{${if and { {<= {${eval:$tod_epoch/86400 - ${base32d:$2} & 0x3ff}} \
{10}} \
{eq {$1} \
{${l_4:${hmac{md5}{SRS_SECRET}{${lc:$4@$3}}}}}} \
} \
{true}{false} \
}} \
{false} \
}
data = ${sg {$local_part} \
{^(?i)SRS0=[^=]+=[^=]+=([^=]*)=(.*)\$} \
{\$2@\$1}}
inbound_srs_failure:
driver = redirect
senders = :
domains = +local_domains
condition = ${if match {$local_part} \
{^(?i)SRS0=([^=]+)=([^=]+)=([^=]*)=(.*)\$} \
}
allow_fail
data = :fail: Invalid SRS recipient address
and
# transport
#/etc/exim4/conf.d/router/30_exim4-config_remote_forwarded_smtp
remote_forwarded_smtp:
driver = smtp
return_path = SRS0\
=${l_4:${hmac{md5}{SRS_SECRET}{${lc:$return_path}}}}\
=${base32:${eval:$tod_epoch/86400&0x3ff}}\
=${domain:$return_path}\
=${local_part:$return_path}\
@$original_domain