Re: [EXIM] Negation in domain/host/net/address lists

Author: Philip Hazel
To: Georg von Zezschwitz
CC: exim-users
Subject: Re: [EXIM] Negation in domain/host/net/address lists
On Tue, 16 Mar 1999, Georg von Zezschwitz wrote:

> My suggested way for Exim would be:
>
> Every rule that has nothing ahead is a "accept/allow" rule.
> Every rule that has a leading "!", is a reject/deny rule:
>
> !*.nasty.de
> !195.222.205/25
> 195.222.192.0/18
> !0.0.0.0/0


But that is *exactly* what I am suggesting!! Just that in the Exim case it
would appear as (for example)

host_accept = !*.nasty.de : !195.222.205/25 : 195.222.192.0/18 : !0.0.0.0/0

or you could say

host_accept = /some/file

and then it would look just as you have quoted in the file.

> I'd really favor this acl-syntax. It is simple, it is pretty
> close to other acl-lists, it is flexible. And it may reduce
> the number of options to the half.


Exactly. Less than half, I think. But...

> Though you *can* do the "long-requested facility for more efficient
> network lookups" by the mechanism suggested by Philip, I think
> the "common" Squid/INN/Cisco-approach is rather taken from
> sysadmins life.


I think you have missed the point here. Some ISPs have hundreds, or even
thousands of individual networks. It is quite slow to read through a
list of items like 195.222.192.0/24 to check all of them. Several times
I have been asked for a way of speeding this up. The proposal is that
you should be able (in *addition* to what is above) to say

host_accept = net_24-dbm;/some/dbm/file

and it would do a single lookup in the file to test one IP address. If
you have a mixture of different length networks, you need to do several
lookups. This would only be worth doing if the numbers were big.

> Another idea are named acls. In our configuration, the same
> acl is used 5 times:
>
>    smtp_reserve_nets = "/usr/local/lib/exim/netlist"
>    receiver_verify_except_nets = "/usr/local/lib/exim/netlist"
>    rfc1413_except_nets = "/usr/local/lib/exim/netlist"
>    sender_net_accept_relay = "/usr/local/lib/exim/netlist"
>    smtp_etrn_nets = "/usr/local/lib/exim/netlist"
>
> I guess a named acl


You could make use of a macro for this if you wanted to.

> (with a cache for the last 2 or 3 ip-numbers)
> could speed up things and make configurations more
> transparent.


I can't see how caching will help. Those lists are all used in entirely
different circumstances. Remember, there is no central Exim process.

-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
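The list semantics described in the message above (items tried in order, the first match decides, a leading "!" denies) together with the proposed net_24-dbm single-lookup item, as an added example that is not Exim's own code; the "a.b.c.d/bits" key format of the keyed table, the zero-padding of abbreviated networks such as 195.222.205/25, and the table contents are assumptions made for this example.

```python
import ipaddress

# Added example (not Exim's own code). Evaluates a host_accept list with the
# negation semantics discussed in this thread: items are tried in order, the
# first matching item decides, and a leading "!" makes that item a deny.
# An item "net_<bits>-dbm;<name>" models the proposed single keyed lookup:
# the address is masked to <bits> and looked up in a table keyed by the
# masked network (the "a.b.c.d/bits" key format is an assumption). IPv4 only.

def _network(pattern):
    # Abbreviated nets such as 195.222.205/25 are padded with zero octets
    # (an assumption made for this example).
    addr, _, bits = pattern.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{bits or 32}", strict=False)

def _item_matches(pattern, addr, host, tables):
    if pattern.startswith("net_"):
        kind, _, name = pattern.partition(";")
        bits = int(kind[4:].split("-")[0])
        masked = ipaddress.ip_network(f"{addr}/{bits}", strict=False)
        return str(masked) in tables.get(name, ())   # one lookup, no list scan
    if pattern.startswith("*."):
        return host is not None and host.endswith(pattern[1:])
    return ipaddress.ip_address(addr) in _network(pattern)

def host_accept(spec, addr, host=None, tables=None):
    """True if the list accepts the host; False if an item denies it or nothing matches."""
    for raw in spec.split(":"):
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("!")
        if _item_matches(item.lstrip("!").strip(), addr, host, tables or {}):
            return not negated
    return False

# The list from the message above, and a constructed keyed table standing in
# for /some/dbm/file with one key per accepted /24.
SPEC = "!*.nasty.de : !195.222.205/25 : 195.222.192.0/18 : !0.0.0.0/0"
TABLES = {"/some/dbm/file": {"195.222.192.0/24", "195.222.193.0/24"}}
FAST_SPEC = "net_24-dbm;/some/dbm/file : !0.0.0.0/0"

if __name__ == "__main__":
    for addr, host in [("195.222.193.10", None), ("195.222.205.3", None),
                       ("195.222.205.200", None), ("195.222.193.10", "mx.nasty.de")]:
        print(addr, host, host_accept(SPEC, addr, host))
    print("fast", host_accept(FAST_SPEC, "195.222.193.10", tables=TABLES))
```

Note that 195.222.205.200 is accepted: it falls outside the denied /25 but inside the accepted /18, which shows why item order matters in a first-match list.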
--
*** Exim information can be found at http://www.exim.org/ ***