Autore: Alan J. Flavell Data: To: 'Exim-users' Oggetto: Re: [exim] ACL/Router
On Wed, 16 Feb 2005, Marc Sherman wrote:
> > A good general rule for ACL ordering is most specific first, most
> > general last, and break ties by most efficient first, most
> > expensive last.
>
> Sorry, I was a bit imprecise there, and we all know how much
> precision is appreciated on this list. :)
>
> I'm talking about ordering ACL _statements_ (ie: accept, deny, warn,
> etc) within a given ACL here.
The most expensive test, by a long way, is spamassassin: so anything
that can get shut of spam *before* resorting to that is a big winner.
While there's an obvious logic, in terms of system resources, in
applying the more-efficient tests first, the differences usually seem
to me to pale into insignficance, compared to the cost of scanning an
item with spamassassin if it could possibly have been rejected earlier
on some simpler test.
There's something to be said for sequencing the tests so that they
reveal less information to baddies. For example, when some
list-washer is poking around trying to see whether localparts are
valid in our domain, I'd rather hit the "how dare you HELO with our
own host name" test, or the "your IP is blacklisted" test (even if
that one costs a little bit extra on account of consulting dnsRBLs),
before getting to the "verify recipient" test.
(And of course a rejection at the RCPT stage is cheaper than accepting
all the DATA and then rejecting.)