hi all,
i'm migrating from a global DNSBL check to a per-user-specified list capability.
in summary, i've 3 questions
(1) when in the mail transaction is each Exim variable FIRST
available/defined?
(2) what is the order of execution of acls?
(3) how can do BOTH and acl_connect default/global DNSBL check, and a later
acl_rcpt per-user spec?
the rather lengthy details/context leading up to these questions follows below
... perhaps they'll help another, as well =)
if you've got a few minutes, shared wisdom is, as always, is appreciated!
thx!
richard
========================================
1st, defining my DNSBL check in an aux acl:
aux_check_dnsbl:
deny set acl_m9 = REJECTED[dnsbl] - \
BLACKLISTED:[$sender_host_address] \
@ $dnslist_domain ${if def:dnslist_text
{(\n$dnslist_text)}}
message = $acl_m9
log_message = LOG_HDR: $acl_m9
dnslists = MY_RBLS
accept
i started with:
(1) a global list of RBLs,
MY_RBLS = sbl-xbl.spamhaus.org : relays.ordb.org : relays.mail-abuse.org :
list.dsbl.org
...
acl_smtp_connect:
require acl = aux_check_dnsbl
works great.
(2) then adding an external per-user list of RBLs, with a fixed recipient
% cat LISTS/domains.dnsbls
bob@??? list.dsbl.org
alice@??? relays.ordb.org
* sbl-xbl.spamhaus.org : relays.ordb.org :
relays.mail-abuse.org : list.dsbl.org
testing a lookup with:
% exim -be '${lookup\
{alice@???}\
lsearch*@\
{LISTS/domains.dnsbls}\
}'
returns, as expected:
relays.ordb.org
and, then,
MY_RBLS = ${lookup\
{alice@???}\
lsearch*@\
{LISTS/domains.dnsbls}\
}
...
acl_smtp_connect:
require acl = aux_check_dnsbl
ALSO works as expected ...
(3) finally, moving to a looked-up recipient
MY_RBLS = ${lookup\
{${lc:$local_part@$domain}}\
lsearch*@\
{LISTS/domains.dnsbls}\
}
...
acl_smtp_connect:
require acl = aux_check_dnsbl
unfortunately, kept checking against the lsearch fallthrough key="*", resulting
in the assigned RBL list of:
sbl-xbl.spamhaus.org : relays.ordb.org : relays.mail-abuse.org :
list.dsbl.org
it, unfortunately, took awhile for it to dawn on me that:
$local_part
$domain
are not yet available in the "connect" acl ... and that I have to move to a
later ACL.
since i've defined/use policy of:
acl_smtp_connect = acl_check_connect
acl_smtp_helo = acl_check_helo
acl_smtp_mail = acl_check_mail_from
acl_smtp_mime = acl_check_mime
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
acls, i'm fairly certain that including & after acl_smtp_rcpt i'm ok ...
so, yup. a huge waste of time. i probably shoulda known better. ESPECIALLY
for something like user identity. ANYWAY, i learned some lessons i won't
forget.
that said, i've a couple of questions:
(1) does a good reference table exists somewhere amidst all these mountains of
documentation that defines WHEN in the transaction each Exim variable is FIRST
available/defined
(2) is there a statement/definition of the order of execution of acls? i've
found a number of messages that admit "it's sometimes hard to
understand/remember", but haven;t (yet) found something definitive ...
(3) the obve example started with a global DNSBL check early, in _connect ACL,
presuming that its a high-value check that trades exim condition/filter cycles
for offloaded DNSBL checks ...
i'd STILL like to have the default behavior of my server be run the check early
in connect UNLESS i've a user-defined exception list. problem is, that the
moment i add the per-user specs, i HAVE to wait for the ID of the user ...
i.e., 'til the rcpt acl.
is there another approach that might give me BOTH the early default check, AND
the later per-user checks?
cheers!
richard
