Re: [Exim] HostLists and ACLs

Author: Philip Hazel
Date:
To: Nico Erfurth
CC: William Craven, exim-users
Subject: Re: [Exim] HostLists and ACLs
On Tue, 26 Nov 2002, Nico Erfurth wrote:

> > I would like to configure an ACL rule for the SMTP RCPT command such
> > that it looks at a 2 column file that contains the list of blocked hosts
> > and a description for the block which will then be used for the SMTP
> > return message. For example
> >
> > 216.42.116.0/24: Blocked - Open Relay
> > h24-87-143-55.vs.shawcable.net: Blocked - rogue user
> > *.optprofessionals.com:    Blocked - SPAM generator
> >
> > At the moment I am not sure how this can be implemented. Any thoughts
> > from the list?
>
> I'm not sure, but try
>
> deny message = $value
>       hosts = lsearch;/etc/exim/blocked/hosts


That will find those which have a plain name before the colon, e.g.

some.host: .....

> if this does not work, use
>
> deny message = ${lookup {$sender_host_name} partial-lsearch \
>        {/etc/exim/blocked/hosts}{$value}}
>       hosts = partial-lsearch;/etc/exim/blocked/hosts


That will find those with a full name (as above) and those that start
with an asterisk, e.g.

*.some.domain: ....

You still need to find those that you want to list by IP address. You
need a net-lsearch lookup for that, and if you have more than one
netmask, you will need a separate lookup for each netmask.

What you really need is for me to implement this Wish List item:

-----------------------------------------------------------------------
(112) 05-Nov-02 M a "wildlsearch" lookup

This would do a linear scan of a file, treating the "keys" as wild items.
Syntax of the search would look like single-key, but of course it's not
convertible. Syntax of the file would be as for address rewriting.
-----------------------------------------------------------------------

Until I do, you will have to use a complicated ACL along these lines:

# Probe 1: the host name, with "*.domain" keys found by partial matching
deny message = ${lookup {$sender_host_name} partial-lsearch \
        {/etc/exim/blocked/hosts}}
     hosts = partial-lsearch;/etc/exim/blocked/hosts

# Probe 2: the address masked to /24, matching keys such as 216.42.116.0/24
deny message = ${lookup {${mask:$sender_host_address/24}} lsearch \
        {/etc/exim/blocked/hosts}}
     hosts = net24-lsearch;/etc/exim/blocked/hosts

# Probe 3: the address masked to /16; repeat for every mask length in the file
deny message = ${lookup {${mask:$sender_host_address/16}} lsearch \
        {/etc/exim/blocked/hosts}}
     hosts = net16-lsearch;/etc/exim/blocked/hosts

In other words, one probe for the name (actually, because of the
partial, it will do multiple probes at a lower level), plus one probe
for each mask size.

If your file gets very large, you might gain some efficiency by putting
each type of entry into a different file, so that less resource is used
in each scan.

I have not tested the above suggestion.

--
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
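The three probes described in the message (the name lookup with partial matching, then one masked-address lookup per netmask) modelled in Python, as an added example that is neither from this thread nor from Exim itself; the file contents are constructed, and the wildcard handling follows Exim's default "partial2" rule of stripping leading labels down to two components.

```python
import ipaddress

# Constructed two-column blocked-hosts file in the thread's format (IPv4 keys only).
BLOCKED_HOSTS = """\
216.42.116.0/24: Blocked - Open Relay
h24-87-143-55.vs.shawcable.net: Blocked - rogue user
*.optprofessionals.com:    Blocked - SPAM generator
10.0.0.0/16: Blocked - constructed /16 entry
"""

def parse_blocked_file(text):
    """Map each 'key: message' line to {key: message}; skip blanks and # comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, msg = line.partition(":")  # first ':' ends the key
        if sep:
            entries[key.strip()] = msg.strip()
    return entries

def partial_lsearch(entries, hostname, min_components=2):
    """Model partial-lsearch: exact name, then '*.' + each suffix down to min_components labels."""
    if not hostname:
        return None  # no reverse name known: the name probe cannot match
    labels = hostname.split(".")
    candidates = [hostname] + [
        "*." + ".".join(labels[i:]) for i in range(len(labels) - min_components + 1)]
    for key in candidates:
        if key in entries:
            return entries[key]
    return None

def net_lsearch(entries, ip, masklen):
    """Model netNN-lsearch: mask the address to /NN and look up 'network/NN'."""
    net = ipaddress.ip_network(f"{ip}/{masklen}", strict=False)
    return entries.get(str(net))

def check_sender(entries, hostname, ip, masklens=(24, 16)):
    """The ACL from the message: one name probe, then one probe per mask size."""
    msg = partial_lsearch(entries, hostname)
    if msg is not None:
        return msg
    for masklen in masklens:
        msg = net_lsearch(entries, ip, masklen)
        if msg is not None:
            return msg
    return None  # not listed: the deny statements do not fire
```

A sender with no verified reverse name still falls through to the address probes, which is why the masked lookups are needed in addition to the name lookup.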