On Wed, 2004-07-28 at 23:14, JupiterHost.Net wrote:
> Greg Folkert wrote:
>
> > Blacklist them.
>
> I'm not sure I follow, how would I "blacklist" a single local system
> user from sending mail via exim?
>
> blacklist = spamsafeuser
> (IE no one can use spamsafeuser/password and hostname.tld to authenticate
> for SMTP with exim)
>
> ??
>
> I didn't see anything about that on exim.org ...
>
> Would that make it so that even if I gave you the user, pass and
> hostname you would be unable to use that info to do an Authenticated
> SMTP session?

I use Debian Sarge with Sid updates on specific issues.

From the default exim conf:

# This access control list is used to determine whitelisted
# senders and hosts. It checks for CONFDIR/local_host_whitelist
# and CONFDIR/local_sender_whitelist.
#
# It is meant to be used from some other acl entry.
#
# For example,
#   deny message = local blacklist example
#        !acl = acl_whitelist
#        dnslist = some.dns.list.example
# will allow messages with envelope sender listed in
# local_sender_whitelist or messages coming in from hosts listed
# in local_host_whitelist to be accepted even if the delivering
# host is listed in the dns list.
#
# Whitelisting can also be configured by including negative
# items in the black list. See
# /usr/share/doc/exim4-config/default_acl for details.
#
# If the files do not exist, the white list never matches, which
# is the desired behaviour.

and from /usr/share/doc/exim4-config/default_acl

Access Control in the default configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Debian exim 4 package comes with a default configuration
that allows flexible access control and blacklisting of sites
and hosts. The acls involved can be found in
/etc/exim4/conf.d/acl with the file names
20_exim4-config_whitelist_local_deny and
30_exim4-config_check_rcpt, thus all rejections of messages due
to this mechanism happen at RCPT time. Local configuration of
the mechanisms happen through data files in /etc/exim4, so there
is normally no need to change the files in the acl subdirectory.

/etc/exim4/local_sender_blacklist contains a list of envelope
senders whose messages will be denied with the error message
"locally blacklisted". This is a full exim 4 address list, and
all available features can be used. This includes negative
items, and so it is possible to exclude addresses from being
blacklisted. For convenience, as an additional method to
whitelist addresses from being blocked, an explicit whitelist is
read in from /etc/exim4/local_sender_whitelist. Entries in the
whitelist override corresponding blacklist entries.

In the blacklist, the trick is to read a line break as "or" if
it follows a positive item, and as "and" if it follows a
negative item.

For example, a /etc/exim4/local_sender_blacklist

    domain1.example
    !local@???
    domain2.example
    domain3.example

Exim just evaluates left to right (or up-down in the file
listing context), so you don't get the same kind of operator
binding as in a programming language.

/etc/exim4/local_host_blacklist contains a list of IP addresses,
networks and host names whose messages will be denied with the
error message "locally blacklisted". This is a full exim 4 host
list. Again, negative items can be used here, and there is also
an explicit whitelist read in from
/etc/exim4/local_host_whitelist, and whitelist entries override
blacklistings.

The example access list shipped in
/usr/share/doc/exim4-config/examples/acl/30_exim4-config_example_check_rcpt
includes a bunch of dnslists configured to warn and/or deny
incoming messages. Some of these lists have a corresponding
whitelist, read in from /etc/exim4/local_$DNSLISTNAME_whitelist
which allows the local administrator to override dnslist entries
for domains or IP addresses that should be able to send mail
despite the dnslist entry.

If you need more info, please consider looking in spec.txt, as it
explains all of this. Or get Philip's book on exim4. I did, never
regretted it (still don't in fact).
--
greg, greg@???
The technology that is
Stronger, better, faster: Linux
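
The top-to-bottom evaluation of local_sender_blacklist described in the quoted default_acl text, as an added example that is not part of the original message and not Debian's or Exim's code. It is a simplified Python model: the address goodguy@domain2.example, the list contents and the function names are constructed for illustration, matching is treated as case-insensitive, and only literal and wildcard items are modelled (no lookups, regexes or named lists).

```python
from fnmatch import fnmatchcase

# Constructed list in the shape of the documented example; the negated
# address is a made-up stand-in, not a value from the original message.
BLACKLIST = """\
domain1.example
!goodguy@domain2.example
domain2.example
domain3.example
"""

def item_matches(pattern, address):
    """True if one list item (with any leading '!' removed) matches."""
    local, _, domain = address.lower().rpartition("@")
    pattern = pattern.lower()
    if "@" in pattern:
        p_local, _, p_domain = pattern.rpartition("@")
        return fnmatchcase(local, p_local) and fnmatchcase(domain, p_domain)
    # Bare domain item: matches any local part at that domain.
    return fnmatchcase(domain, pattern)

def is_blacklisted(address, list_text=BLACKLIST):
    """Walk the list top to bottom; the first matching item decides."""
    negated = False
    for line in list_text.splitlines():
        item = line.strip()
        if not item or item.startswith("#"):
            continue
        negated = item.startswith("!")
        if item_matches(item.lstrip("!").strip(), address):
            # A hit on a '!' item means "explicitly not in the list".
            return not negated
    # Nothing matched: the result is the opposite of the last item's
    # polarity, so a list that ends in a '!' item matches everyone else.
    return negated

if __name__ == "__main__":
    for sender in ("spam@domain1.example", "goodguy@domain2.example",
                   "other@domain2.example", "user@elsewhere.example"):
        print(sender, "->", "deny" if is_blacklisted(sender) else "accept")
```

Moving the negated item below domain2.example makes it ineffective, and leaving it as the last line makes every unlisted sender match, which is why the exception has to sit directly above the entry it carves out of.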