Re: [Exim] Relaying - Restricting some Networks

Author: Dave C.
Date:  
To: Nigel Metheringham
CC: griess, exim-users
Subject: Re: [Exim] Relaying - Restricting some Networks
On 20 Feb 2002, Nigel Metheringham wrote:

> On Wed, 2002-02-20 at 12:37, Guenter Riess wrote:
> > Hi,
> > I have a simple question about relaying. My current problem is, that I want
> > to allow mail relaying for clients from the local network (172.30.0.0/16)
> > except clients from the subnets
> > 172.30.2.0/24
> > 172.30.0.0/24
> >
> > A configuration that seems to work is the following:
> >
> > host_accept_relay = officialnetwork/officialmask : \
> >                     !172.30.0.0/24 : !172.30.2.0/24 : 172.30.0.0/16 : \
> >                     localhost
>
> First match wins so you want:-
>   host_accept_relay = !172.30.0.0/24 : !172.30.2.0/24 : 172.30.0.0/16 : \
>                       172.30.0.0/16 : 127.0.0.0/8
>
> [NB changed localhost to a network/netmask set since that will prevent a
> possibly superfluous DNS lookup being done there]



Note:

There is an implied !* at the end if the last item is not negative.
There is an implied * at the end if the last item is negative.

As Nigel implied, you should stick with numeric IP addresses and
networks here - avoid using names.

If you want to be extra-sure, you could explicitly add a !* at the end.

You also don't need to list 172.30.0.0/16 twice - as I notice Nigel has
already mentioned in followup.

>
>
> > Is this configuration ok or are there some issues? It seems, that exim
> > processes the host list from left to right and if one condition is true, it
> > stops processing the rest of the host list.
>
> This is exactly as documented - see for example
> http://www.exim.org/exim-html-3.30/doc/html/spec_7.html#SEC172
>
>
> > I tried also a regular expression to filter out the hosts via their
> > IP-Addresses with the following regexpr:
> >
> > host_accept_relay = ^172\.30\.\d{2,3}\.\d{1,3}$|^172\.30\.[^02]\.\d{1,3}$ : \
> >                              officialnetwork/officialmask : \
> >                              localhost
>
> > First question: what's wrong with the regexp ?
>
> You are attempting to regexp an IP address, exim is trying to match it
> to a host name (ie following reverse DNS lookup). Use IP address
> network/netmask notation for ip addresses.
>
> > Second question: is the configuration without regexp (at top of mail) O.K. ?
> > What is the recommended way to allow relay for a network WITHOUT certain
> > addresses / subnets ?
>
> If you are including a range with exceptions, list the exceptions first
> as negative matches, then the allowed range.
>
>     Nigel.
> --
> [ Nigel Metheringham           Nigel.Metheringham@??? ]
> [ Phone: +44 1423 850000                         Fax +44 1423 858866 ]
> [ - Comments in this message are my own and not ITO opinion/policy - ]



--
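
An added example, not part of the original thread and not Exim's own code: a small Python model of the host-list rules discussed above (first match wins, a negated match rejects, and the implied final item from the note in the reply). It assumes numeric IPv4 items only, and 192.0.2.0/24 is a constructed stand-in for officialnetwork/officialmask.

```python
import ipaddress

def parse_host_list(text):
    """Split a colon-separated host list into (negated, network) pairs.
    Simplified model: numeric IPv4 networks and "*" only, no host names."""
    items = []
    for raw in text.replace("\\\n", " ").split(":"):
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("!")
        pattern = item.lstrip("!").strip()
        net = None if pattern == "*" else ipaddress.ip_network(pattern)
        items.append((negated, net))
    return items

def relay_allowed(host_list, client_ip):
    """Evaluate left to right; the first matching item decides the result."""
    items = parse_host_list(host_list)
    addr = ipaddress.ip_address(client_ip)
    for negated, net in items:
        if net is None or addr in net:
            return not negated  # negated match rejects, plain match accepts
    # Nothing matched: implied "*" if the last item is negative, else implied "!*".
    return bool(items) and items[-1][0]

# Constructed lists based on the thread's addresses.
EXCEPTIONS_FIRST = ("192.0.2.0/24 : !172.30.0.0/24 : !172.30.2.0/24 : "
                    "172.30.0.0/16 : 127.0.0.0/8")
# Mis-ordered: the /16 matches before the exclusions are ever reached.
RANGE_FIRST = ("192.0.2.0/24 : 172.30.0.0/16 : !172.30.0.0/24 : "
               "!172.30.2.0/24 : 127.0.0.0/8")
# Ends on a negative item, so every other host falls through to the implied "*".
ENDS_NEGATIVE = "!172.30.0.0/24 : !172.30.2.0/24"

if __name__ == "__main__":
    clients = ["172.30.5.10", "172.30.2.7", "172.30.0.7", "203.0.113.9"]
    lists = {"exceptions first": EXCEPTIONS_FIRST,
             "range first": RANGE_FIRST,
             "ends negative": ENDS_NEGATIVE,
             "ends negative + !*": ENDS_NEGATIVE + " : !*"}
    for name, host_list in lists.items():
        for ip in clients:
            verdict = "relay" if relay_allowed(host_list, ip) else "refuse"
            print(f"{name:20} {ip:14} {verdict}")
```

Running a candidate list through a model like this before deploying it shows at a glance whether an outside address (here the constructed 203.0.113.9) would be accepted for relay.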