Re: [EXIM] Negation in domain/host/net/address lists

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Georg von Zezschwitz
Date:  
À: Philip Hazel
CC: exim-users
Sujet: Re: [EXIM] Negation in domain/host/net/address lists

Hello,

I'd strongly support some cleaning up among those many
configuration options.

However, I don't know if I'm alone with my objections, but I
consider the new scheme just another more complicated and more
sopisticated reinvention of the wheel.

I suppose some of us are administrating other server software
as well, like INN, Squid, Apache, FTP-Servers.

They all have their specific implementation of Access Control
Lists (acl), and Exim is just another program with the needs for
such control lists.

Sorry to be that directly (I'm german :-) ):

- Applying regexp-rules to decimal coded IP-numbers is mixing
two worlds that have few things in common.

 - "net-16-24-dbm;/some/file) then a series of lookups are done
     using keys "
   Do you think this will really help people? 
   It will make sysadmins their work even harder.
   It's difficult to read, it's Exim-specific, it's too 
   complicated when compared to the way other programs do
   their acls


What I'd suggest is something like the way Ciscos IOS builds
up its access control lists, and as you are talking about
cutting down the number of options, I'd suggest not only
to give up the "host" vs. "net" scheme, but also the
"accept/deny/allow/reject" scheme (where I nether know which
one is interpreted first):

The Cisco scheme in short is:

- Walk down the lists of rules and look for first one that
matches.

A "Cisco rule" for:

My net ist 195.222.192.0/18, and all my customers may
relay, except 195.222.205/25 and those guys from *.nasty.de

should look like this:

deny *.nasty.de
deny 195.222.205/25
accept 195.222.192.0/18
deny 0.0.0.0/0

(As the default assumption is "No", the last line might be ommited.)

My suggested way for Exim would be:

Every rule that has nothing ahead is a "accept/allow" rule.
Every rule that has a leading "!", is a reject/deny rule:

!*.nasty.de
!195.222.205/25
195.222.192.0/18
!0.0.0.0/0

I'd really favor this acl-syntax. It is simple, it is pretty
close to other acl-lists, it is flexible. And it may reduce
the number of options to the half.

Though you *can* do the "long-requested facility for more efficient
network lookups" by the mechanism suggested by Philip, I think
the "common" Squid/INN/Cisco-approach is rather taken from
sysadmins life.

In short, my suggestion is:

- Introduction of the negation prefix
- Introduction of a top-down / left-right evaluation scheme

On the other hand, I don't think regexp on IP-numbers is an
advantage, and the net-16-24-dbm;/some/file method is too
complicated.


Another idea are named acls. In our configuration, the same
acl is used 5 times:

    smtp_reserve_nets = "/usr/local/lib/exim/netlist"
    receiver_verify_except_nets = "/usr/local/lib/exim/netlist"
    rfc1413_except_nets = "/usr/local/lib/exim/netlist"
    sender_net_accept_relay = "/usr/local/lib/exim/netlist"
    smtp_etrn_nets = "/usr/local/lib/exim/netlist"


I guess a named acl (with a cache for the last 2 or 3 ip-numbers)
could speed up things and make configurations more
transparent.

However, this is something totally different.


Greetings,


Georg


--
*** Exim information can be found at http://www.exim.org/ ***