Re: [exim] Help with exim acls

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] Help with exim acls
sysadmin wrote:
> Hi,
>
> I try to follow your recommendation, and setup some acls from
> http://www.tldp.org/HOWTO/text/Spam-Filtering-for-MX
>


The configuration cited incorporates a number of novel concepts that require very
consistent integration and may not all be appropriate in your environment.

Take these, or any other 'borrowed' configuration settings as examples, not
gospel, until you have tested them, gained a better understanding of what the
interactions are, and modified them to work appropriately with other parts of your
configuration.

> With new acls , I can't receive mail from external hosts:
>
> Jul 11 20:16:36 scadufax exim[21272]: 2006-07-11 20:16:36 SMTP connection from
> [200.195.199.2]:56212 I=[10.0.0.151]:25 (TCP/IP connection count = 1)
> Jul 11 20:16:37 scadufax exim[21916]: 2006-07-11 20:16:37 H=ns2.onda.com.br
> (maresia.onda.com.br) [200.195.199.2]:56212 I=[10.0.0.151]:25 Warning: remote
> host presented unverifiable HELO/EHLO greeting.
> Jul 11 20:16:58 scadufax exim[21947]: 2006-07-11 20:16:58
> cwd=/var/spool/mqueue 2 args: /usr/sbin/exim -q
> Jul 11 20:16:58 scadufax exim[21947]: 2006-07-11 20:16:58 Start queue run:
> pid=21947
> Jul 11 20:16:58 scadufax exim[21947]: 2006-07-11 20:16:58 End queue run:
> pid=21947
> Jul 11 20:17:17 scadufax exim[21916]: 2006-07-11 20:17:17 H=ns2.onda.com.br
> (maresia.onda.com.br) [200.195.199.2]:56212 I=[10.0.0.151]:25
> F=<marlon@???> rejected RCPT <marlon@???>


Find that 'deny' verb and change it to a warn temporarily.

What helps for finding and editing these fast is to add:

- an acl ID or number to the comments of each acl set

BOTH

- a logwrite = <acl ID> <action>

- a log_message = <acl ID> <whatever else you need>

This will give you a lot more log entries than you will want to keep active once
in production, but will make it much easier to ID:

- which acl is being traversed (at all), because a 'logwrite' can be unconditional.

- if it has 'activated', because a log_message can be conditional.

(pay attention to the order in which they are placed within the acl!)

When you edit, you can rapidly search on the commented ID you have assigned:
(CONNECT_3, RECPT_4, DATA_2) to jump directly to the specific acl code you wish
to examine/modify.

*snip*

Example:

     # RECPT_N  added for unique identification

> # Deny if we have previously given a reason for doing so in $acl_m0.
> # Also stall the sender for another 20s first.
> #
> deny

      logwrite     = RECPT_N deny on prior flag

>    message     = $acl_m0
>    log_message = RECPT_N $acl_m1
>    condition   = ${if and {{def:acl_m0}{def:acl_m1}} {true}}
>    delay       = 20s

>


*snip*

FWIW, HELO/EHLO very often do not have an exact match to anything in a DNS, and
the gadzillions of domains using NetSol mail hosting *never* will - so a 'hard'
deny is not a good idea on that basis alone.

A delay (only) of 60 seconds or so, however, will cause many such that are
zombies to abandon the connection. 20s seldom works as well as 30s or more.

HTH,

Bill
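The pattern Bill describes above (an ID in the comment, an unconditional logwrite
placed before the conditions, a conditional log_message after them, 'deny' downgraded
to 'warn' while testing, and a delay rather than a hard deny for an unverifiable HELO),
written out as one Exim ACL fragment. This is an added example, not Bill's
configuration nor the one from the Spam-Filtering-for-MX HOWTO; the ACL names
acl_check_helo and acl_check_rcpt, the IDs HELO_1 / RECPT_1 / RECPT_N, and the
relay_from_hosts host list are assumed names for illustration:

```exim
# --- main section (assumed names for the ACLs) ---
acl_smtp_helo = acl_check_helo
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_helo:

  # HELO_1  unverifiable HELO/EHLO: log it and slow the client down,
  #         but do NOT reject on that basis alone (many legitimate hosts
  #         have a HELO name that does not verify in DNS).
  warn
          logwrite      = HELO_1 traversed: helo=$sender_helo_name
          !verify       = helo
          log_message   = HELO_1 activated: unverifiable HELO $sender_helo_name
          delay         = 30s

  accept

acl_check_rcpt:

  # RECPT_1  local and relay hosts: accept without further checks
  accept  hosts         = +relay_from_hosts
          logwrite      = RECPT_1 activated: relay host, accepting

  # RECPT_N  act on a reason stored earlier in $acl_m0 (text) / $acl_m1 (log text).
  #          Temporarily a 'warn' instead of 'deny': the logwrite below fires on
  #          every RCPT (it sits before the condition), the log_message only when
  #          the condition is true, so the mainlog shows both "traversed" and
  #          "activated" while nothing is actually rejected. Change 'warn' back
  #          to 'deny' once the log shows it firing only when intended.
  warn
          logwrite      = RECPT_N traversed
          condition     = ${if and {{def:acl_m0}{def:acl_m1}} {true}}
          log_message   = RECPT_N activated: $acl_m1
          delay         = 20s

  # remaining recipient checks follow here
  accept
```

Modifier order inside each verb is what makes the two log lines mean different
things: a logwrite listed before the conditions runs whenever the ACL statement is
reached, a log_message listed after them runs only when every condition has
succeeded. To exercise this without waiting for a real client, `exim -bh
<client-ip>` runs a simulated SMTP session from that address and lets you type the
HELO and RCPT commands while watching the logwrite lines appear.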