On 12 Aug 1999 michael@??? wrote:
> A couple of days ago, I removed a network from the host_accept_relay file.
> That caused a negated entry to become the last. As a result, suddenly
> we became an open relay. :(
>
> I know, it's documented in the domain list chapter. It's still easy to
> get bitten by this feature. Now I set 127.0.0.1 as the last entry and
> put a telling comment there.
>
> I know this is common ACL semantics, but perhaps still something could
> be done about it?
The problem I had when I implemented this was that I figured people
would most likely write things like
host_accept = !a.b.c.d
expecting it to block out just one host. So I made it equivalent to
host_accept = !a.b.c.d : *
Without that convention, a setting like that doesn't have anything like
the expected effect.
So, the question is: Is it easier to get bitten by the feature or
without the feature?
Whatever the answer to that is, I think that it is now too late to
change.
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
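The implicit trailing `*` that Philip describes, modelled as an added example (not Exim's own code and not from anyone in this thread): a simplified colon-separated host list with IP addresses, CIDR networks and `*`, plus a lint check that flags a list whose last item is negated. All addresses and list contents are constructed samples.

```python
import ipaddress

def parse_host_list(spec):
    """Split a colon-separated host list into (negated, pattern) items.
    Simplified model of the list syntax discussed in the thread."""
    items = []
    for raw in spec.split(":"):
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("!")
        items.append((negated, item[1:].strip() if negated else item))
    return items

def item_matches(pattern, host):
    """'*' matches everything; anything else is an address or CIDR network."""
    if pattern == "*":
        return True
    return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)

def host_list_matches(spec, host):
    """True if host matches the list, using the rule Philip describes:
    a list whose last item is negated behaves as if ': *' were appended."""
    items = parse_host_list(spec)
    for negated, pattern in items:
        if item_matches(pattern, host):
            return not negated          # a hit on a negated item is an explicit 'no'
    # Nothing matched: the outcome depends only on whether the LAST item was negated.
    return bool(items) and items[-1][0]

def ends_with_negation(spec):
    """Lint check: flag lists ending in a negated item (the open-relay trap)."""
    items = parse_host_list(spec)
    return bool(items) and items[-1][0]

# Constructed sample lists: the original, the same list with its last
# network removed (as in the report), and the poster's 127.0.0.1 workaround.
ORIGINAL = "10.0.0.0/8 : !192.168.1.0/24 : 192.168.0.0/16"
TRIMMED  = "10.0.0.0/8 : !192.168.1.0/24"
FIXED    = "10.0.0.0/8 : !192.168.1.0/24 : 127.0.0.1"
OUTSIDER = "203.0.113.5"   # a host that should never be allowed to relay

if __name__ == "__main__":
    for name, spec in (("original", ORIGINAL), ("trimmed", TRIMMED), ("fixed", FIXED)):
        warn = "  <-- ends with a negated item" if ends_with_negation(spec) else ""
        print(f"{name:8s} relays for {OUTSIDER}: {host_list_matches(spec, OUTSIDER)}{warn}")
```

Running the block shows the outsider being accepted only by the trimmed list, and the lint line points at exactly that list.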