[Exim] How to exclude some hosts from dnslist access lists?

Author: Marc Haber
Date:  
To: exim-users
Subject: [Exim] How to exclude some hosts from dnslist access lists?
Hi,

I would like to have some kind of local whitelist to exempt some hosts
or networks from a dnslist access list. I didn't find an option to do
so. One possible way would be the condition "condition", but I don't
see any example. What would the following acl entry do?

deny message = rejected
     condition = ${host not in whitelist}
     dnslists = black.list.example


Would the dnslists condition be evaluated if the host is inside the
whitelist? Would it be if it were not? Or is it only planned to have
a single condition per access list entry?

Or should one use the acl condition as some kind of a subroutine?

It would probably be a good idea to have some kind of "go to"
statement to jump down in the acl chain. That would allow something
like

|acl_check_rcpt:
| accept hosts = :
|
| deny local_parts = ^.*[@%!/|] : ^\\.
|
|  warn message = X-HELO-Failed: no IP address found for HELO host $sender_helo_name
|       log_message = helo failed
|       !verify = helo
|
| require verify = sender
|
|  warn message = X-Broken-Reverse-DNS: no host name found for IP address $sender_host_address
|       !verify = reverse_host_lookup
|
|  goto target = end_local_blacklists
|       hosts = ${if exists{/etc/exim4/local_host_whitelist}\
|                             {/etc/exim4/local_host_whitelist}\
|                             {}}
|
|  deny message = Locally blacklisted, you're out of luck
|       hosts = ${if exists{/etc/exim4/local_host_blacklist}\
|                             {/etc/exim4/local_host_blacklist}\
|                             {}}
|
|  deny message       = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
|       dnslists      = black.list.example
|
| label name = end_local_blacklists
|
|  accept domains = +local_domains
|         endpass
|         message = unknown user
|         verify = recipient
|
|  accept domains = +relay_to_domains
|         endpass
|         message = unrouteable address
|         verify = recipient
|
| accept hosts = +relay_from_hosts
|
| accept authenticated = *
|
| deny message = relay not permitted


This construction allows one to nicely skip acl statements denying access
to certain hosts for hosts that are in a whitelist.

Is something like this already present?

Greetings
Marc

--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber          |   " Questions are the         | Mail address in header
Karlsruhe, Germany  |     Beginning of Wisdom "     | Fon: *49 721 966 32 15
Nordisch by Nature  | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29
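
Added example, not part of the original message: Exim tests the conditions of one ACL statement in the order they are written and stops at the first one that fails, so a negated `hosts` condition placed ahead of the blacklist checks exempts whitelisted hosts without a "goto". The file paths and `black.list.example` are the ones used in the post; the rest of `acl_check_rcpt` is assumed unchanged.

```exim
# Fragment of acl_check_rcpt; replaces the goto/label pair proposed above.

  # Local blacklist. A host found in the whitelist file fails "!hosts",
  # so the statement ends there and the blacklist file is never consulted.
  # If the whitelist file does not exist, the list is empty, "!hosts" is
  # true for every host, and the blacklist applies to everyone.
  deny    message   = Locally blacklisted, you're out of luck
          !hosts    = ${if exists{/etc/exim4/local_host_whitelist}\
                                 {/etc/exim4/local_host_whitelist}\
                                 {}}
          hosts     = ${if exists{/etc/exim4/local_host_blacklist}\
                                 {/etc/exim4/local_host_blacklist}\
                                 {}}

  # DNS blacklist with the same guard. Because "!hosts" comes first,
  # no DNS query is made for a whitelisted host.
  deny    message   = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
          !hosts    = ${if exists{/etc/exim4/local_host_whitelist}\
                                 {/etc/exim4/local_host_whitelist}\
                                 {}}
          dnslists  = black.list.example
```

Swapping the two conditions in the second statement gives the same verdict but performs the DNS lookup before the whitelist is checked.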