Re: [Exim] Exim 3.36 and RBL

Author: Tabor J. Wells
Date:  
To: Exim List Account
CC: exim-users
Subject: Re: [Exim] Exim 3.36 and RBL
On Mon, Dec 09, 2002 at 08:18:51PM -0500,
Exim List Account <exim@???> is thought to have said:

>
> > -----Original Message-----
> > From: exim-users-admin@??? [mailto:exim-users-admin@exim.org]On
> > Behalf Of Tabor J. Wells
> <snip>
> > You've misinterpreted the purpose of /accept. That is if you had a dnsbl
> > that contained only addresses which you wished to explicitly accept mail
> > from you would use whitelist.example.com/accept in your rbl_domains.
> > So if a lookup for the IP 1.2.3.4 matched 4.3.2.1.whitelist.example.com
> > then no further rbl_domains would be considered even if it
> > matched in spews,
> > etc.
>
> Let me see if we have it clear here. Say we have:
>
> rbl_domains = whitelist.domain.com/accept :
> spews.relays.osirusoft.com/reject
>
> Looking at the docs, this should be all right, and should work as indicated:
> whitelist.domain.com should be accepted, even if whitelist.domain.com is
> listed in SPEWS. Is this correct? If so, this is exactly what is not working
> for us.


No, whitelist.domain.com is another dnsbl just like spews, sbl, maps rbl,
and the rest. It is a DNS zone containing addresses, not a mail server.
whitelist.domain.com will not appear in spews because it is a dns zone.

Look at it this way: rbl_domains is the list of dns blacklists you wish to
look up ip addresses in, rbl_hosts is the list of IP addresses these lookups
will happen against.

> If not, does this indicate that a /reject and /accept are not
> compatible in the same statement? That seems to contradict the docs,
> although the docs give no example of an /accept in any case except for the
> negation entries in rbl_hosts as listed below.


They're compatible. But you're apparently not using it right as I think you
expect to say "mail.domain.com/accept" which does not mean accept mail from
mail.domain.com even if it's listed in another /reject blacklist. It means
you're trying to use mail.domain.com as another dns blacklist zone, which in
this case doesn't make any sense.

Hypothetically if you wanted to explicitly accept mail from all of the hosts in
the sbl but reject everything from spews then your rbl_domains would look
like:

rbl_domains = sbl.spamhaus.org/accept : spews.relays.osirusoft.com/reject

If an IP address appears in both sbl and spews, then it would be
automatically accepted because of the /accept.

Now this is an absurd example but it hopefully will clear up how /accept is
used.

> > The option you want is rbl_hosts, in particular if you want to exclude
> > hosts from dnsbl lookups, then you'd do something like:
> >
> > rbl_hosts = "! 1.2.3.4/32 : ! 5.6.7.0/24 : \
> >              ! net32-dbm;/etc/exim/db/whitelist.db : 0.0.0.0/0"

> >
> > Or if you wanted to actually set up your own whitelist dnsbl
> > zone, you could
> > use /accept
>
> We tried this as well in rbl_hosts, to exclude (in the example above)
> whitelist.domain.com as !1.2.3.4/32 from lookups, with the same lack of
> results. It's a bit of a puzzlement, really. We only have half a dozen items
> to exclude across dozens of servers, and the fact that we can't get it to
> work properly is frustrating.


Did you list the IP address or the host name? If the latter, did you check to
see if whitelist.domain.com's IP address contains a DNS PTR record? In other
words if whitelist.domain.com has an IP address of 1.2.3.4 does a nslookup
of 1.2.3.4 return "whitelist.domain.com"? If it doesn't, then the host list
there will fail because you've given it a dns name that exim can't match to
the IP address of an incoming connection. In general this is why I prefer to
use IP addresses and networks rather than host names.

Also have you experimented with the -bh option? Try doing 'exim -bh 1.2.3.4'
or whatever the IP of the mail server in question is. This will allow you to
see how Exim would handle an smtp session from that ip address. You can throw a
'-d9' in there for lots of additional debug info. If you still can't get it
working, please post the relevant bits of your config plus the results of a
-bh test.

Tabor

P.S.  FWIW you might want to consider upgrading to Exim 4 as a lot of this
stuff is greatly simplified with the ACL system.
--
--------------------------------------------------------------------
Tabor J. Wells                                     twells@???
Fsck It!                 Just another victim of the ambient morality
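
The behaviour described in the message above, as an added example that is not part of the original post and not Exim's own code: a simplified Python model of how rbl_hosts gates the lookups and how the first matching rbl_domains zone decides /accept or /reject. The zone contents, the 192.0.2.10 and 198.51.100.7 addresses, and the function names are constructed for illustration; only IPv4 and CIDR items are modelled.

```python
import ipaddress

# Constructed DNSBL zone contents (placeholders, not real listings):
# zone name -> query names that would return an A record.
ZONES = {
    "whitelist.example.com": {"4.3.2.1.whitelist.example.com"},
    "spews.relays.osirusoft.com": {
        "4.3.2.1.spews.relays.osirusoft.com",
        "10.2.0.192.spews.relays.osirusoft.com",
    },
}

def query_name(ip, zone):
    """DNSBL query name: IPv4 octets reversed, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def host_in_rbl_hosts(ip, rbl_hosts):
    """First matching item decides; a leading '!' negates the item."""
    addr = ipaddress.ip_address(ip)
    for item in (i.strip() for i in rbl_hosts.split(":")):
        negated = item.startswith("!")
        net = ipaddress.ip_network(item.lstrip("! "), strict=False)
        if addr in net:
            return not negated
    return False

def check(ip, rbl_domains, rbl_hosts="0.0.0.0/0"):
    """Return (decision, zone) for a connecting IPv4 address."""
    if not host_in_rbl_hosts(ip, rbl_hosts):
        return ("no-lookup", None)      # excluded: no DNSBL is consulted
    for entry in (e.strip() for e in rbl_domains.split(":")):
        zone, _, action = entry.partition("/")
        if query_name(ip, zone) in ZONES.get(zone, set()):
            return (action, zone)       # first zone that lists the IP wins
    return ("not-listed", None)

DOMAINS = "whitelist.example.com/accept : spews.relays.osirusoft.com/reject"
HOSTS = "! 1.2.3.4/32 : ! 5.6.7.0/24 : 0.0.0.0/0"

if __name__ == "__main__":
    for ip in ("1.2.3.4", "192.0.2.10", "198.51.100.7"):
        print(ip, check(ip, DOMAINS))
    print("1.2.3.4 with rbl_hosts exclusion:", check("1.2.3.4", DOMAINS, HOSTS))
```

The zone names are matched against the connecting IP address only, so putting a mail server's host name in rbl_domains never whitelists that server; the exclusion has to be an rbl_hosts item or an entry in a whitelist zone.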