Re: [Exim] ACL help

Author: Dave C.
Date:  
To: Dr Andrew C Aitchison
CC: exim-users
Subject: Re: [Exim] ACL help

On Tue, 4 Jun 2002, Dave C. wrote:

> On Tue, 4 Jun 2002, Dr Andrew C Aitchison wrote:
>
> > On Mon, 3 Jun 2002, Dave C. wrote:
> > > I can't seem to find a way to make an "OR" out of two "require"s
> > >
> > > acl_check_rcpt:
> > >   deny          local_parts     = ^.*[@%!/|]
> > >   require       verify          = sender/callout=5s/callout_defer_ok
> > >   require       verify          = recipient/callout=5s
> > >   accept        hosts           = :
> > >   accept        hosts           = +relay_from_hosts
> > >   accept        domains         = MY.DOMAIN
> > >   accept        domains         = lsearch;/path/to/more/of/MY.DOMAINS
> > >   deny          message         = Access denied

> >
> > I'm not entirely clear yet, but...
> > If they are ORed, how are they different from an accept ?
> > Is it enough to accept the first and require the second ?
>
>
> The way I understand it, if I 'accept', the ACL ends and no further
> processing is done. Or is this not the case?
>
> I want to
>
> require - either local_part = postmaster or recipient/callout.....
>
> If I do
>
> require local_part = postmaster
> require verify recipient = callout/....
>
> It will still run the callout even if the local_part = postmaster
>
> If I accept, it won't follow the rest of the ACL:
>
> accept hosts = :
> accept hosts = +relay_from_hosts
> etc..
> and the final deny if none of the hosts or domains match...



Ok, I've come up with this, but it's too early in the morning for me to
be sure if this will work or not.

If I put this in place of the require:

deny !local_parts = postmaster
     !verify = recipient/callout


It *seems* as though the deny conditions are AND-ed, and run in the
order given.

So if local_part was postmaster, the first line is false, and we don't
deny, go on to next. If it is, then if we CAN verify with callout, that's
false, go on to next. If it's postmaster, AND it doesn't verify, deny.

Convoluted, but it seems like it should accomplish what I'm looking for
(I haven't tested it yet)



--
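
The statement forms discussed in this thread, as an added example that is not part of the original message and is not Exim code: a small Python model of how a `deny` with two negated conditions compares with two separate `require` statements, recording which checks actually run. The helper names, the `example.test` addresses and the stand-in for the callout are constructed for illustration.

```python
# Toy model of one Exim ACL statement (added example, not Exim source code).
# Assumptions: conditions run top to bottom and evaluation stops at the first
# false one; "defer" results and modifiers such as "message" are not modelled.

DELIVERABLE = {"alice@example.test"}  # constructed: addresses the callout would confirm

def is_postmaster(rcpt):
    return rcpt.split("@", 1)[0] == "postmaster"

def callout_ok(rcpt):
    return rcpt in DELIVERABLE  # stand-in for verify = recipient/callout

def run_statement(verb, conditions, rcpt, trace):
    """Return 'deny', 'accept' or 'next' for one statement; record checks run in trace."""
    matched = True
    for name, negated, check in conditions:
        trace.append(name)
        if check(rcpt) == negated:  # the condition, after any '!', is false
            matched = False
            break
    if verb == "deny":
        return "deny" if matched else "next"
    if verb == "require":
        return "next" if matched else "deny"
    if verb == "accept":
        return "accept" if matched else "next"
    raise ValueError(verb)

# deny !local_parts = postmaster
#      !verify      = recipient/callout
DENY_FORM = [("deny", [("local_parts", True, is_postmaster),
                       ("callout", True, callout_ok)])]

# require local_parts = postmaster
# require verify      = recipient/callout
TWO_REQUIRES = [("require", [("local_parts", False, is_postmaster)]),
                ("require", [("callout", False, callout_ok)])]

def evaluate(statements, rcpt):
    """Run statements in order; return (outcome, list of checks that ran)."""
    trace = []
    for verb, conditions in statements:
        outcome = run_statement(verb, conditions, rcpt, trace)
        if outcome != "next":
            return outcome, trace
    return "next", trace
```

In this model an outcome of `next` means control passes to the following ACL statement, which in the ACL quoted above would be the `accept` lines.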