RE: [Exim] question about ACL

Author: Liu Shuai
Date:  
To: exim-users
Subject: RE: [Exim] question about ACL
Thank you for the explanation. So does "hosts" check the IP of the SMTP
request originator or the IP of the sender's email domain? I.e., if user
someone@12.34.56.78 is trying to send an e-mail from IP 23.45.67.89, does
"host" check the first IP or the second one?

LS

-----Original Message-----
From: Wakko Warner [mailto:wakko@animx.eu.org]
Sent: Friday, December 12, 2003 7:23 AM
To: Liu Shuai
Cc: exim-users@???
Subject: Re: [Exim] question about ACL


> >> I am trying to set up exim so that it only allows SMTP connections from
> >> certain IPs. Say, I want to serve only smtp requests sent from
> >> 12.34.56.* and 23.45.67.*
>
> >So you do not expect mail from the internet?
>
> Sorry if I didn't make it clearer.
>
> Yes, I do expect mail from the internet, but I don't want users to be able
> to use the SMTP server to send e-mail if they are outside of my local
> network(s), even if they have local e-mail accounts.
>
> For example, a user can only send e-mail through the server if his request
> is from an IP within 12.34.56.1 - 12.34.56.255 or 23.45.67.1 - 23.45.67.255.
>
> I realize that I can disable connection at firewall level, but I suppose
> that I can do it from Exim as well?
Unfortunately, exim does not differentiate between your users and other MTAs
on the internet. IIRC, no MTA on the internet does this. If you only
accept for the range you stated above, you will not accept mail from the
internet.

> > accept  hosts = 12.34.56.*
> >         hosts = 23.45.67.*
> >         endpass

>
> >This is impossible. try:
> >hosts = 12.34.56.0/24 : 23.45.67.0/24
> What does the line above do? In particular, what is the semantics of "/"
> here?

This is a netblock. The range of a /24 netblock is .0 to .255;
the 24 is the number of bits in the netblock.
It is equivalent to a netmask of 255.255.255.0 but way easier to type and
less prone to errors (IMO). The highest number (in IPv4) is 32, which means
a single host, but with exim, you don't need to use /32 for a single host.

The reason I flattened your acl from 2 host statements to 1 is:
if you use
accept  hosts = 12.34.56.*
    hosts = 23.45.67.*
    ...
It does this:
Is IP in 12.34.56.*? if yes, is IP in 23.45.67.*? if yes it's impossible.

My way:
hosts = 12.34.56.0/24 : 23.45.67.0/24

It does this:
Is IP in 12.34.56.0/24 or 23.45.67.0/24? ...

Each condition in an ACL must be true before the accept/deny/etc will work.

--
Lab tests show that use of micro$oft causes cancer in lab animals