[exim] when are exim vars first available? and ...

Author: OpenMacNews
Date:  
To: exim-users
Subject: [exim] when are exim vars first available? and ...
hi all,

i'm migrating from a global DNSBL check to a per-user-specified list capability.

in summary, i've 3 questions

(1) when in the mail transaction is each Exim variable FIRST
available/defined?
(2) what is the order of execution of acls?
(3) how can i do BOTH an acl_connect default/global DNSBL check, and a later
acl_rcpt per-user spec?

the rather lengthy details/context leading up to these questions follows below
... perhaps they'll help another, as well =)

if you've got a few minutes, shared wisdom is, as always, appreciated!

thx!

richard


========================================



1st, defining my DNSBL check in an aux acl:

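  aux_check_dnsbl:
    # dnslists comes first: conditions and modifiers run in order, so
    # $dnslist_domain and $dnslist_text are only set once it has matched
    deny     dnslists        = MY_RBLS
             set acl_m9      = REJECTED[dnsbl] - \
                               BLACKLISTED:[$sender_host_address] \
                               @ $dnslist_domain \
                               ${if def:dnslist_text {(\n$dnslist_text)}}
             message         = $acl_m9
             log_message     = LOG_HDR: $acl_m9
    accept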


i started with:

(1) a global list of RBLs,

  MY_RBLS = sbl-xbl.spamhaus.org : relays.ordb.org : relays.mail-abuse.org : list.dsbl.org
  ...
  acl_smtp_connect:
    require  acl             = aux_check_dnsbl


works great.


(2) then adding an external per-user list of RBLs, with a fixed recipient

% cat LISTS/domains.dnsbls

    bob@???     list.dsbl.org
    alice@???   relays.ordb.org
    *                    sbl-xbl.spamhaus.org : relays.ordb.org : relays.mail-abuse.org : list.dsbl.org


testing a lookup with:

    % exim -be '${lookup\
      {alice@???}\
      lsearch*@\
      {LISTS/domains.dnsbls}\
      }'


returns, as expected:

    relays.ordb.org


and, then,

  MY_RBLS = ${lookup\
                {alice@???}\
              lsearch*@\
                {LISTS/domains.dnsbls}\
              }
  ...
  acl_smtp_connect:
    require  acl             = aux_check_dnsbl


ALSO works as expected ...

(3) finally, moving to a looked-up recipient

  MY_RBLS = ${lookup\
                {${lc:$local_part@$domain}}\
              lsearch*@\
                {LISTS/domains.dnsbls}\
             }
  ...
  acl_smtp_connect:
    require  acl             = aux_check_dnsbl



unfortunately, kept checking against the lsearch fallthrough key="*", resulting
in the assigned RBL list of:

    sbl-xbl.spamhaus.org : relays.ordb.org : relays.mail-abuse.org : list.dsbl.org



it, unfortunately, took a while for it to dawn on me that:

    $local_part
    $domain


are not yet available in the "connect" acl ... and that I have to move to a
later ACL.


since i've defined/use policy of:

    acl_smtp_connect             = acl_check_connect
    acl_smtp_helo                = acl_check_helo
    acl_smtp_mail                = acl_check_mail_from
    acl_smtp_mime                = acl_check_mime
    acl_smtp_rcpt                = acl_check_rcpt
    acl_smtp_data                = acl_check_data


acls, i'm fairly certain that including & after acl_smtp_rcpt i'm ok ...


so, yup. a huge waste of time. i probably shoulda known better. ESPECIALLY
for something like user identity. ANYWAY, i learned some lessons i won't
forget.

that said, i've a couple of questions:

(1) does a good reference table exist somewhere amidst all these mountains of
documentation that defines WHEN in the transaction each Exim variable is FIRST
available/defined

(2) is there a statement/definition of the order of execution of acls? i've
found a number of messages that admit "it's sometimes hard to
understand/remember", but haven't (yet) found something definitive ...

(3) the above example started with a global DNSBL check early, in _connect ACL,
presuming that it's a high-value check that trades exim condition/filter cycles
for offloaded DNSBL checks ...

i'd STILL like to have the default behavior of my server be to run the check early
in connect UNLESS i've a user-defined exception list. problem is, that the
moment i add the per-user specs, i HAVE to wait for the ID of the user ...
i.e., 'til the rcpt acl.

is there another approach that might give me BOTH the early default check, AND
the later per-user checks?

cheers!

richard
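
An added example, not part of the original post and not Exim's own code: a simplified Python model of the `lsearch*@` fallback order (full key, then `*@domain`, then `*`), showing why an empty `$local_part@$domain` in the connect ACL always lands on the `*` entry. The addresses and file contents are constructed sample data, and the function names are hypothetical.

```python
# Simplified model of Exim's "lsearch*@" lookup (added example, not Exim source).
SAMPLE_DNSBLS = """\
# constructed sample data modelled on LISTS/domains.dnsbls
bob@example.org     list.dsbl.org
alice@example.org   relays.ordb.org
*                   sbl-xbl.spamhaus.org : relays.ordb.org
"""

def parse_lsearch(text):
    """Return {lowercased key: data}; the first occurrence of a key wins."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        if line[0].isspace():
            continue  # continuation lines are not modelled here
        parts = line.split(None, 1)
        key = parts[0].rstrip(":").lower()
        data = parts[1].strip() if len(parts) > 1 else ""
        table.setdefault(key, data)
    return table

def lsearch_star_at(table, key):
    """Return (matched_key, data), trying key, then *@domain, then *."""
    candidates = [key.lower()]
    if "@" in key:
        # everything before the last "@" is replaced by "*"
        candidates.append("*" + key[key.rindex("@"):].lower())
    candidates.append("*")
    for cand in candidates:
        if cand in table:
            return cand, table[cand]
    return None, None

def rbls_for(table, local_part, domain):
    """Mimic ${lookup{${lc:$local_part@$domain}}lsearch*@{...}}."""
    return lsearch_star_at(table, f"{local_part}@{domain}".lower())

if __name__ == "__main__":
    t = parse_lsearch(SAMPLE_DNSBLS)
    # At connect time both variables are empty, so the key is just "@".
    print("connect ACL:", rbls_for(t, "", ""))
    # At RCPT time the recipient is known and the per-user entry matches.
    print("rcpt ACL:   ", rbls_for(t, "alice", "example.org"))
```

The first element of the returned tuple is the key that actually matched, which makes the silent fallthrough to `*` visible.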