On Tue, 26 Nov 2002, Nico Erfurth wrote:
> > I would like to configure an ACL rule for the SMTP RCPT command such
> > that it looks at a 2 column file that contains the list of blocked hosts
> > and a description for the block which will then be used for the SMTP
> > return message. For example:
> >
> > 216.42.116.0/24: Blocked - Open Relay
> > h24-87-143-55.vs.shawcable.net: Blocked - rogue user
> > *.optprofessionals.com: Blocked - SPAM generator
> >
> > At the moment I am not sure how this can be implemented. Any thoughts
> > from the list?
>
> I'm not sure, but try
>
> deny message = $value
>      hosts   = lsearch;/etc/exim/blocked/hosts
That will find those which have a plain name before the colon, e.g.
some.host: .....
> if this does not work, use
>
> deny message = ${lookup {$sender_hostname} partial-lsearch \
>                {/etc/exim/blocked/hosts}{$value}}
>      hosts   = partial-lsearch;/etc/exim/blocked/hosts
That will find those with a full name (as above) and those that start
with an asterisk, e.g.
*.some.domain: ....
You still need to find those that you want to list by IP address. You
need a net-lsearch lookup for that. And if you have more than one
netmask, you will need a separate lookup for each net mask.
What you really need is for me to implement this Wish List item:
-----------------------------------------------------------------------
(112) 05-Nov-02 M a "wildlsearch" lookup
This would do a linear scan of a file, treating the "keys" as wild items.
Syntax of the search would look like single-key, but of course it's not
convertible. Syntax of the file would be as for address rewriting.
-----------------------------------------------------------------------
Until I do, you will have to use a complicated ACL along these lines:
deny message = ${lookup {$sender_hostname} partial-lsearch \
               {/etc/exim/blocked/hosts}}
     hosts   = partial-lsearch;/etc/exim/blocked/hosts

deny message = ${lookup {${mask:$sender_host_address/24}} lsearch \
               {/etc/exim/blocked/hosts}}
     hosts   = net24-lsearch;/etc/exim/blocked/hosts

deny message = ${lookup {${mask:$sender_host_address/16}} lsearch \
               {/etc/exim/blocked/hosts}}
     hosts   = net16-lsearch;/etc/exim/blocked/hosts
In other words, one probe for the name (actually, because of the
partial, it will do multiple probes at a lower level), plus one probe
for each mask size.
If your file gets very large, you might gain some efficiency by putting
each type of entry into a different file, so that less resource is used
in each scan.
I have not tested the above suggestion.
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
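To see how the three probes in the ACL above resolve against the two-column file, here is an added Python model of the name and network lookups (example code written for this thread, not Exim's own code). It assumes the file format shown by the original poster, with one constructed 10.1.0.0/16 entry added so the /16 probe has something to hit; host names are compared case-insensitively in this model.

```python
import ipaddress

# Constructed sample of the two-column file from the thread (key, colon, message).
# The 10.1.0.0/16 line is added here only to exercise the /16 probe.
BLOCKED_HOSTS = """\
216.42.116.0/24: Blocked - Open Relay
h24-87-143-55.vs.shawcable.net: Blocked - rogue user
*.optprofessionals.com: Blocked - SPAM generator
10.1.0.0/16: Blocked - constructed test range
"""

def parse_lsearch(text):
    """Read lsearch-style lines into a dict; keys are lower-cased for name matching."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, data = line.partition(":")
        table[key.strip().lower()] = data.strip()
    return table

BLOCK_TABLE = parse_lsearch(BLOCKED_HOSTS)

def partial_lsearch(table, name, min_components=2):
    """Model of partial-lsearch: try the full name, then '*.' plus the name with
    leading components dropped one at a time while at least min_components remain."""
    name = name.lower()
    if name in table:
        return table[name]
    parts = name.split(".")
    for i in range(0, len(parts) - min_components + 1):
        probe = "*." + ".".join(parts[i:])
        if probe in table:
            return table[probe]
    return None

def net_lsearch(table, ip, bits):
    """Model of net<bits>-lsearch: mask the address and look up 'network/bits'."""
    net = ipaddress.ip_network(f"{ip}/{bits}", strict=False)
    return table.get(str(net))

def block_reason(table, ip, hostname=None, masks=(24, 16)):
    """Replay the ACL: one name probe, then one probe per mask size.
    Returns the message text that would be sent, or None when nothing matches."""
    if hostname:
        reason = partial_lsearch(table, hostname)
        if reason is not None:
            return reason
    for bits in masks:
        reason = net_lsearch(table, ip, bits)
        if reason is not None:
            return reason
    return None
```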