On Tue, 16 Mar 1999, Georg von Zezschwitz wrote:
> My suggested way for Exim would be:
>
> Every rule that has nothing ahead is an "accept/allow" rule.
> Every rule that has a leading "!", is a reject/deny rule:
>
> !*.nasty.de
> !195.222.205/25
> 195.222.192.0/18
> !0.0.0.0/0
But that is *exactly* what I am suggesting!! Just that in the Exim case it
would appear as (for example)
host_accept = !*.nasty.de : !195.222.205/25 : 195.222.192.0/18 : !0.0.0.0/0
or you could say
host_accept = /some/file
and then it would look just as you have quoted in the file.
> I'd really favor this acl-syntax. It is simple, it is pretty
> close to other acl-lists, it is flexible. And it may reduce
> the number of options to the half.
Exactly. Less than half, I think. But...
> Though you *can* do the "long-requested facility for more efficient
> network lookups" by the mechanism suggested by Philip, I think
> the "common" Squid/INN/Cisco-approach is rather taken from
> sysadmins life.
I think you have missed the point here. Some ISPs have hundreds, or even
thousands of individual networks. It is quite slow to read through a
list of items like 195.222.192.0/24 to check all of them. Several times
I have been asked for a way of speeding this up. The proposal is that
you should be able (in *addition* to what is above) to say
host_accept = net_24-dbm;/some/dbm/file
and it would do a single lookup in the file to test one IP address. If
you have a mixture of different length networks, you need to do several
lookups. This would only be worth doing if the numbers were big.
> Another idea are named acls. In our configuration, the same
> acl is used 5 times:
>
> smtp_reserve_nets = "/usr/local/lib/exim/netlist"
> receiver_verify_except_nets = "/usr/local/lib/exim/netlist"
> rfc1413_except_nets = "/usr/local/lib/exim/netlist"
> sender_net_accept_relay = "/usr/local/lib/exim/netlist"
> smtp_etrn_nets = "/usr/local/lib/exim/netlist"
>
> I guess a named acl
You could make use of a macro for this if you wanted to.
> (with a cache for the last 2 or 3 ip-numbers)
> could speed up things and make configurations more
> transparent.
I can't see how caching will help. Those lists are all used in entirely
different circumstances. Remember, there is no central Exim process.
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
--
*** Exim information can be found at
http://www.exim.org/ ***
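As an added illustration that is not part of the thread and is not Exim's own code, the following Python model shows both mechanisms the two messages discuss: the ordered host list in which a leading "!" marks a deny item and the first matching item decides, and the proposed keyed lookup (written `net_24-dbm;/some/dbm/file` in the message) that replaces a linear scan of many networks by one lookup per distinct prefix length. The colon-separated list form and the name `host_accept` are taken from the message; the in-memory dictionaries standing in for a dbm file, the IPv4-only handling, the hostname wildcard matching via `fnmatch`, and the choice of the masked network address as the lookup key are assumptions made for this example.

```python
"""Model of an Exim-style ordered accept/deny host list plus a keyed
network lookup. Illustration only, not Exim code; IPv4 only."""
from fnmatch import fnmatch
import ipaddress
from typing import Iterable


def parse_list(spec: str) -> list[tuple[bool, str]]:
    """Split a colon-separated list into (allow, pattern) pairs.

    A leading "!" marks a deny item; surrounding whitespace is ignored.
    Splitting on ":" is why this model is IPv4 only.
    """
    items = []
    for raw in spec.split(":"):
        item = raw.strip()
        if not item:
            continue
        if item.startswith("!"):
            items.append((False, item[1:].strip()))
        else:
            items.append((True, item))
    return items


def item_matches(pattern: str, host: str, ip: str) -> bool:
    """An item containing "/" is a network in CIDR form; anything else is
    a hostname wildcard pattern such as *.nasty.de (assumption)."""
    if "/" in pattern:
        net_str, bits = pattern.split("/", 1)
        # The thread writes short forms such as 195.222.205/25; pad them
        # to four octets before handing them to the ipaddress module.
        octets = net_str.split(".")
        octets += ["0"] * (4 - len(octets))
        network = ipaddress.ip_network(f"{'.'.join(octets)}/{bits}", strict=False)
        return ipaddress.ip_address(ip) in network
    return fnmatch(host.lower(), pattern.lower())


def host_accept(spec: str, host: str, ip: str) -> bool:
    """Walk the list in order; the first matching item decides.

    A host that matches no item is not accepted, so the trailing
    !0.0.0.0/0 in the thread's example is explicit rather than required
    in this model.
    """
    for allow, pattern in parse_list(spec):
        if item_matches(pattern, host, ip):
            return allow
    return False


class NetworkIndex:
    """Stand-in for the proposed net_<bits>-dbm lookup file.

    Networks are stored keyed by their masked network address, one table
    per prefix length. Testing one address costs one probe per distinct
    prefix length present, instead of one comparison per network. With a
    single prefix length (the net_24 case) that is exactly one lookup.
    """

    def __init__(self, networks: Iterable[str]):
        self.tables: dict[int, set[str]] = {}
        for n in networks:
            net = ipaddress.ip_network(n, strict=False)
            self.tables.setdefault(net.prefixlen, set()).add(str(net.network_address))

    def lookups_needed(self) -> int:
        """Number of probes one address test costs: one per prefix length."""
        return len(self.tables)

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        for bits, table in self.tables.items():
            # Key for this prefix length: the address with host bits cleared.
            key = str(ipaddress.ip_network(f"{addr}/{bits}", strict=False).network_address)
            if key in table:
                return True
        return False


if __name__ == "__main__":
    # Constructed sample inputs taken from the thread's example list.
    spec = "!*.nasty.de : !195.222.205/25 : 195.222.192.0/18 : !0.0.0.0/0"
    print(host_accept(spec, "mail.nasty.de", "195.222.193.5"))     # False
    print(host_accept(spec, "ok.example.de", "195.222.205.200"))   # True
    index = NetworkIndex([f"195.222.{i}.0/24" for i in range(192, 256)])
    print(index.lookups_needed(), index.contains("195.222.200.7"))  # 1 True
```

Adding a second prefix length to the index (say one /16 alongside the /24s) raises `lookups_needed()` to 2, which is the "mixture of different length networks" cost the message describes.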