On Fri, 17 Jun 2005, Dave Lugo wrote:
> On Fri, 17 Jun 2005, Greg A. Woods wrote:
> >
> > That said though, if the really big culprit here is only cPanel then
> > they deserve even more ire, fire, and flame, but correcting the fault in
> > Exim that makes this so easy would still help force them to at least see
> > the error of their ways.
>
> The only 'fault' exim has is a rich ACL language that allows someone
> to do:
>
> deny senders = :

Exim does not provide many high-level facilities. It provides a lot of
low-level things that people can combine in whatever way they want. In
particular, it provides:

  (1) Is the sender of this message X? (X can be "the empty string")
  (2) Deny this message

As has been pointed out, there are plenty of examples of legitimate
cases where you want to do things like

  If the sender is the empty string
  AND the recipient is Y
  THEN deny this message

because, for instance, Y never sends messages. Clearly it would be
neutering Exim to uselessness if the "deny" feature were disabled.
Forbidding the test for an empty sender would also take away a huge
amount of legitimate functionality.

Locking out the particular case "Deny unconditionally if the sender is
the empty string, without checking any other conditions" would be
tedious to implement because it crosses different levels of the code.
And besides, it would easily be circumvented by coding (for example)
"Deny if the sender is the empty string and X=X." So there is no point
in even considering it.

Not that I would anyway, to be honest. Pretty well all tools can be used
in both good and bad ways. Those of us who make tools have to live with
that.

--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book: http://www.uit.co.uk/exim-book
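
Added example, not part of the original message and not Exim's own shipped configuration: the blanket rule quoted in the thread beside the narrow kind of rule the reply describes, written as an Exim 4 RCPT ACL fragment. The ACL name acl_check_rcpt and the address noreply@example.com are assumptions chosen for illustration.

```exim
# Assumed to be the ACL named by acl_smtp_rcpt in the main configuration.
acl_check_rcpt:

  # Blanket form from the thread, left commented out. An empty item in
  # the "senders" list matches the null envelope sender (MAIL FROM:<>),
  # which is what bounces and delivery status notifications use, so this
  # single line refuses every bounce addressed to every local user.
  #
  # deny    senders    = :

  # Narrow form: the same null-sender test combined with a recipient
  # test. Conditions in one ACL statement are ANDed, so this refuses a
  # null-sender message only when it is addressed to an address that
  # never originates mail and therefore can never be owed a bounce.
  # noreply@example.com is a constructed placeholder address.
  deny    senders    = :
          recipients = noreply@example.com
          message    = This address never sends mail, so it accepts no bounces

  # The remaining statements of the site's RCPT ACL (relay checks,
  # recipient verification, the final accept) follow here unchanged.
```

When auditing a configuration for the blanket form, check each deny statement that tests "senders = :" for an accompanying condition that actually narrows it, since, as the reply notes, a condition that is always true leaves the rule just as broad.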