On 3 Jan 2006, at 13:43, Adrian wrote:
> Hi,
>
> I have a gateway mail server which scans and filters messages
> and then passes them onto an exim server... I've applied the
> following ACL on the exim server to stop it accepting any mail
> that isn't from the gateway or someone who has POP-before-SMTP'ed):
>
> deny hosts = !my-gatewayIP : !net-lsearch;/var/log/pop-ips.log
> message = Please deliver the message via MX - not directly to this
> server!
>
> It works sometimes - it blocked 82.253.73.79
> (lns-bzn-38-82-253-73-79.adsl.proxad.net)
> from sending some viruses directly to the hostname but it lets
> other messages through (eg from 203.154.117.2):
>
>>>> host in "!my-gatewayIP : !net-lsearch;/var/log/pop-ips.log"?
> no (failed to find host name for 203.154.117.2)
>>>> deny: condition test failed
>>>> processing "accept"
>
> The error is curious because I can find a hostname for that IP ....
> but regardless how do I stop it allowing by default?
>
does that mean that your server is sometimes an open relay? It would
seem so, as the accept presumably will allow relay once you have
passed the deny acl.
I would avoid double negation logic, it is always unclear.
So, while I am not saying anything on the error you got (are you sure
there are no hostnames somewhere in those lists/files?), let me
propose a different logic under some presumptions:
1) the gateway server accepts incoming email (that is email for local
domains but no submission emails) and then relays it to the local
exim server.
2) the local exim server accept incoming email from the gateway
server for local domains and email sumbissions (for local and remote
destinations) from hosts that have authenticated via pop first.
so:
accept domains = +local_domains
hosts = my-gatewayIP
(I hope the above hosts condition is correct as it is not strictly a
list...)
accept hosts = net-lsearch;/var/log/pop-ips.log"
deny message = relay forbidden
Giuliano