I prefer the "running filter" approach (ACL isn't really the right term),
and putting it into a separate section of the config file so it isn't a
"multiple-use option" makes sense as well. It makes the process Exim must go
through to accept/deny a message very clear and understandable, IMHO. Of
course, I'm a programmer as well, so my opinion may be biased, but it's
still far better than the current conglomeration of options that
conflict/override each other.
----- Original Message -----
From: "Philip Hazel" <ph10@???>
To: "John Sloan" <sloanj@???>
Cc: <exim-users@???>
Sent: Wednesday, January 03, 2001 3:48 AM
Subject: Re: [Exim] Exim 4 Planning - some comments.
> On Tue, 2 Jan 2001, John Sloan wrote:
>
> > Hmm. I'm uncomfortable with this proposed syntax. An alternative might
> > be to go with an ACL type format, such as that used by some routers and
> > programs such as squid (my primary source for this idea). Multiple lines
> > which terminate on the first match. Such a format might look like:
> >
> > accept_recipient accept (address = +local_domains) verify sender_verify
> > accept_recipient accept (address = +relay_domains) sender_verify
> > accept_recipient deny all
>
> What do other people feel about this proposal?
>
> I can see the attraction, but I have two worries:
>
> (A) Multiple option settings aren't used for anything else in Exim. I'd
> rather not introduce one thing that is special. The more "natural" way
> to do this would be to invent a new section of the configuration file
> (like the rewrite, retry sections) to contain the recipient ACL.
>
> (B) The more substantive point: I fear that too much repetition will be
> needed because of the lack of parentheses. Your example above already has
> to repeat sender_verify, which is trivial, but what about this example:
>
> Accept a recipient if it comes from a certain list of hosts, and
> either the SMTP session is authenticated, or the host is not in an RBL
> list.
>
> Assume ACL items separated by colons (so I've doubled the colons in the
> host list, but alternatively you could change separators):
>
> accept host = 192.168.10.3 :: 10.3.4.0/24 : authenticated
> accept host = 192.168.10.3 :: 10.3.4.0/24 : notlisted = dul.maps.vix.com
>
> With my proposed syntax, this is
>
> accept_recipient = host = 192.168.10.3 : 10.2.4.0/24 \
> AND \
> ( \
> authenticated \
> OR \
> notlisted = dul.mapx.vix.com \
> )
>
> My worry is that in complicated situations, this kind of repetition will
> be necessary rather often. Perhaps it doesn't matter too much from a
> conceptual point of view, but it makes it a *lot* harder to optimise
> testing by caching. Let me explain some more:
>
> Using my scheme, if a message has several recipients, the host test will
> be done for the first one, and Exim will remember that "the first test
> succeeded" (or failed, as the case may be). If the list involves
> database lookups, the test might be quite expensive to perform. When the
> second recipient is being checked, the test need not be done again.
>
> Using ACLs, it isn't obvious that the second host test is identical to
> the first one. (Well, this example is obvious to a human, but what if
> the spacing were different, or the items were in another order, or some
> other minor change. Checking for "the same test" isn't trivial.)
>
>
> Hmm... <thinks> ...
>
> Maybe I'm just inexperienced in writing ACLs. I guess it could be
> written without repetition like this:
>
> deny host = ! 192.168.10.3 :: ! 10.3.4.0/24
> accept authenticated
> accept notlisted = dul.maps.vix.com
>
> Let me have a go at writing the big example from my document:
>
> accept_recipient = address = postmaster@??? OR \
> sender = !bad@??? AND \
> ( \
> address = +local_domains AND verify OR \
> authenticated OR \
> address = +relay_domains OR \
> host = 192.168.23.0/24 \
> ) \
> AND notlisted = dul.maps.vix.com \
> AND sender_verify
>
> This turns into
>
> accept address = postmaster@???
> deny sender = bad@???
> deny listed = dul.maps.vix.com
> deny no_sender_verify
> accept address = +local_domains : verify
> accept authenticated
> accept address = +relay_domains
> accept host = 192.168.23.0/24
>
> (I think an implicit "deny all" at the end should be understood.)
>
> I have to admit that that is no more complicated than my proposal, and
> it also simplifies things by not having to worry about parentheses and
> AND and OR (and messy continuation lines). Actually, both of these
> settings contain the same bug. Proving how tricky it is to write logical
> expressions, whatever the syntax. An exercise for the reader. :-] The
> mended version may even be neater in the ACL syntax.
>
>
> SO... What do people think? Votes, please.
>
>
> --
> Philip Hazel University of Cambridge Computing Service,
> ph10@??? Cambridge, England. Phone: +44 1223 334714.
>
>
> --
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
>
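Philip's rewritten first-match accept/deny list above, run through a toy Python ACL evaluator with the per-message caching of host-level tests he describes. This is an added example written for this thread, not Exim code; the domain lists, DNSBL membership, and which recipients "verify" are constructed sample data.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data standing in for Exim's lists and lookups.
LOCAL_DOMAINS = {"example.org"}
RELAY_DOMAINS = {"customer.example"}
RBL_LISTED_HOSTS = {"10.9.9.9"}       # hosts the (pretend) DNSBL lists
VERIFIABLE = {"alice@example.org"}     # recipients that "verify" OK

# Philip's first-match list: (verb, conditions); a line fires when all of
# its conditions hold, and the first line that fires decides.
ACL = [
    ("accept", ["address = postmaster@example.org"]),
    ("deny",   ["sender = bad@example.net"]),
    ("deny",   ["listed = dul.maps.vix.com"]),
    ("deny",   ["no_sender_verify"]),
    ("accept", ["address = +local_domains", "verify"]),
    ("accept", ["authenticated"]),
    ("accept", ["address = +relay_domains"]),
    ("accept", ["host = 192.168.23.0/24"]),
]

def check(cond, msg, rcpt, cache):
    # Evaluate one condition; recipient-independent results are cached.
    name, _, arg = (p.strip() for p in cond.partition("="))
    if name == "address":
        domain = rcpt.split("@", 1)[1]
        if arg == "+local_domains": return domain in LOCAL_DOMAINS
        if arg == "+relay_domains": return domain in RELAY_DOMAINS
        return rcpt == arg
    if name == "verify":
        return rcpt in VERIFIABLE
    key = f"{name}={arg}"              # normalised so spacing cannot differ
    if key in cache:                   # "the first test succeeded": reuse it
        return cache[key]
    if name == "sender": result = msg["sender"] == arg
    elif name == "listed": result = msg["host"] in RBL_LISTED_HOSTS
    elif name == "no_sender_verify": result = not msg["sender_verified"]
    elif name == "authenticated": result = msg["authenticated"]
    elif name == "host": result = ip_address(msg["host"]) in ip_network(arg)
    else: raise ValueError(f"unknown ACL condition: {cond}")
    cache[key] = result
    return result

def decide(msg, rcpt, cache):
    for verb, conds in ACL:
        if all(check(c, msg, rcpt, cache) for c in conds):
            return verb
    return "deny"                      # implicit "deny all" at the end

def filter_recipients(msg):
    cache = {}                         # shared by every recipient of this message
    return {r: decide(msg, r, cache) for r in msg["recipients"]}
```

Because the cache key is the normalised condition, the expensive host-level checks run once per message regardless of how many recipients follow, which is the optimisation the ACL layout had to preserve.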