Re: [exim] What is the difference between those two ACL conf…

Author: Fred Viles
Date:  
To: exim-users
Subject: Re: [exim] What is the difference between those two ACL configs:
On 20 May 2005 at 20:01, Sub Zero wrote about
    "[exim] What is the difference betwe":


| What is the difference between those two ACL configs:


The first one doesn't waste resources doing DNSBL lookups for
messages that will be whitelisted by localdomains (this is a bad
idea, BTW) or relay_hosts. Other than that, nothing that I can see.

| ------------
| 
| deny  !sender_domains = lsearch;/etc/localdomains
|       !hosts = +relay_hosts
|       message = rejected because the sending host $sender_host_address is in
| a black list at $dnslist_domain\n$dnslist_text
|     dnslists = whitelist.liquidweb.com!=127.0.0.13 : list.dsbl.org :
| dnsbl.ahbl.org : dnsbl.njabl.org : sbl-xbl.spamhaus.org : relays.ordb.org
| 
| ------------
| ------------
| 
| deny  message = rejected because the sending host $sender_host_address  is
| in a black list at $dnslist_domain\n$dnslist_text
|       dnslists = whitelist.liquidweb.com!=127.0.0.13 : list.dsbl.org :
| dnsbl.ahbl.org : dnsbl.njabl.org : sbl-xbl.spamhaus.org : relays.ordb.org
|        !sender_domains = lsearch;/etc/localdomains
|     !hosts = +relay_hosts
| 
| ------------
| 
| Is having the ! statements last in the deny acl better when dealing with
| users that will be authing from blacklisted IP's?


The sender_domains and hosts conditions have nothing to do with
authentication. Unless an earlier accept stanza accepted them,
either of these deny stanzas will block authenticated senders from
blacklisted IPs (unless they happen to match the ! clauses).

| It technically shouldn't
| matter (the exim docs are sort of obscure as to this). What is your
| recommendation?


Use the first version, the second version has no redeeming social 
value.  And drop the 
        !sender_domains = lsearch;/etc/localdomains
clause unless you have some other protection against spoofed sender 
addresses.


- Fred
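
The following is an added example, not part of the original message or of Exim itself: a small Python model of the two stanzas discussed above, showing that they reach the same verdict but differ in how many DNSBL lookups they trigger, and what the `!sender_domains` clause does for a spoofed sender. It assumes Exim's documented behaviour of testing ACL conditions in the order written and stopping at the first one that fails; the hosts, domains, list contents and function names are constructed for illustration, and all the DNSBL zones are collapsed into one set.

```python
# Toy model of one Exim "deny" statement: conditions are tested in the order
# written and evaluation stops at the first condition that fails.
# Every host, domain and list entry below is constructed sample data.

LOCAL_DOMAINS = {"example.org"}              # stands in for /etc/localdomains
RELAY_HOSTS = {"192.0.2.10"}                 # stands in for +relay_hosts
BLACKLISTED = {"192.0.2.10", "203.0.113.7"}  # stands in for the DNSBL zones

# Constructed sample connections.
RELAY = {"host": "192.0.2.10", "sender_domain": "other.test"}
STRANGER = {"host": "203.0.113.7", "sender_domain": "other.test"}
SPOOFED = {"host": "203.0.113.7", "sender_domain": "example.org"}


def deny(msg, order="first", sender_clause=True):
    """Evaluate the deny stanza for one message.

    order: "first" puts the ! conditions before dnslists (first stanza in the
    post), "second" puts dnslists before them (second stanza).
    sender_clause: False models dropping the !sender_domains condition.
    Returns (denied, number_of_simulated_dnsbl_lookups).
    """
    lookups = []

    def not_local_sender(m):
        # Envelope sender domain is supplied by the client, so it can be spoofed.
        return m["sender_domain"] not in LOCAL_DOMAINS

    def not_relay_host(m):
        return m["host"] not in RELAY_HOSTS

    def dnslists(m):
        lookups.append(m["host"])            # the expensive network step
        return m["host"] in BLACKLISTED

    cheap = [not_relay_host]
    if sender_clause:
        cheap.insert(0, not_local_sender)
    conds = cheap + [dnslists] if order == "first" else [dnslists] + cheap

    # all() over a generator short-circuits, like the ACL does.
    denied = all(cond(msg) for cond in conds)
    return denied, len(lookups)


if __name__ == "__main__":
    for name, msg in (("relay", RELAY), ("stranger", STRANGER), ("spoofed", SPOOFED)):
        print(name, deny(msg, "first"), deny(msg, "second"),
              deny(msg, "first", sender_clause=False))
```

In this model the spoofed-sender connection from a blacklisted host is let through by both orderings and is only denied once the sender clause is dropped.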