Re: [Exim] host_relay negate

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Andreas Metzler
Date:  
À: exim-users
Sujet: Re: [Exim] host_relay negate
On Thu, Oct 02, 2003 at 05:34:07PM +0200, Leonardo Boselli wrote:
> I have a host_raccept_relay (exim 3.33)
> as
> host_accept_relay = 127.0.0.1 : a.b.c.0/24
> it workked until yesterday.
> now i have been told that one machine has gone out of control, and
> only remedy has been to lock it out using the firewall rules on the
> server.
> It work but it is not the most elegant:
> how is the rule on h_a_r to say to accept from a list of host/network
> except from some hosts ?


Let's make a magic travel to the mysterious world of exim's wonderful
documentation, finding the answer is straightforward, we simply start
with the description of host_accept_relay, which we find easily.

| Main configuration:
| host_accept_relay _option_
| Type: host list


then check what properties a "host list" has, by reading the
corresponding paragraph in "The Exim configuration file".

| Host lists
| ...


| Negation and included files operate exactly as for domain lists - see
| section "Domain lists" for examples.


(Of course you'll have to read the 5 lines I replaced with ... too). Lets
look at "Domain lists" then!

| Domain lists
| The list is scanned from left to right. If the
| domain matches a positive item, it is in the set of domains which the
| list defines; if it matches a negative item, it is not in the set.

[...]
| For example,

|
|     relay_domains = !a.b.c : *.b.c

|
| matches any domain ending in `.b.c' except for `a.b.c'.


Now we have the answer:
host_accept_relay = 127.0.0.1 : !a.b.c.12 : !a.b.c.16 : a.b.c.0/24
or
host_accept_relay = 127.0.0.1 : !/etc/exim/brokenhosts : a.b.c.0/24

I know that it would have taken you longer than me as you are probably
not familiar with the specification, but it shouldn't take you more
than 15 minutes.

When you first look at it exim's documentation it looks very scary,
"Who is going to read this lengthy volume?" or "How am I going to find
the answer to my nifty question in this mighty mountain of words?".
But the documentation is excellently structured, you simply start at
the description of the option and come to the answer.

> OH : I forgot to say one thing: _some_ of those blacklisted hosts cannot
> sentd mail even at local users, so they should be denied completely


Easy to find. Let's browse the list of known "Main configuration"
options and search for reject, we find "host_reject" and are set.
(You'd have found this too by reading "Other policy controls on
incoming mail")

I am not trying to LART you or hit you with a stick over the head for
not checking the docs, I just wanted to show you that it pays off and
is not that difficult.
              cu andreas
--
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"