Re: [exim] Confusion about list search types

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Philip Hazel
Date:  
À: Bob Johnson
CC: exim-users
Sujet: Re: [exim] Confusion about list search types
On Mon, 14 Aug 2006, Bob Johnson wrote:

> Assume host_lookup = * for all of these, and I'm using Exim 4.60.


All host_lookup = * does is to force a lookup of the host name from the
IP address, regardless of whether or not the name is actually needed for
any tests. Otherwise, the name is looked up only when it is needed. So
the setting of host_lookup is not relevant to your questions below.

> First, the easy one:
>
> accept    hosts = +relay_from_hosts

>
> This, of course, works, but I'm not sure I understand what it is doing
> internally. Am I correct in believing the hosts condition is comparing the
> known IP number of the connected host to the IP numbers of the hosts listed
> in relay_from_hosts, doing DNS lookup to find the IP numbers if necessary?


Yes if you list host names in the list. No if you list wild cards such
as *.domain.example. This is explained in

http://www.exim.org/exim-html-4.62/doc/html/spec_html/ch10.html#SECThostlist

> Now, if I do the following in an RCPT ACL:
>
> accept hosts = lsearch;/exim/whitelisted-hosts
>
> what happens if whitelisted-hosts is a list of fully qualified DNS names?
> Does it look those names up in DNS and find their IP numbers to compare to
> the connected host's IP number (which is what the Exim 4 book seems to be
> telling me)?


No. It does that if you have

accept hosts = /exim/white-listed-hosts

(see the subtle difference?). If you use lsearch (or any kind of
lookup), it searches the file for the host name, which it must find by
reverse DNS lookup.

http://www.exim.org/exim-html-4.62/doc/html/spec_html/ch10.html#SECThoslispatnamsk

> The next one (again in an RCPT ACL) is
>
> accept hosts = iplsearch;/exim/whitelisted-IPs
>
> where whitelisted-IPs is file containing a list of IP numbers.


This will not work, because it won't ever find the host name in a list
of IP numbers.

> I expected this to compare the IP number of the connected host to the
> IP numbers in the file, in an intelligent way that understands
> netmasks, etc. Instead, I get a warning that I need to use
> net-iplsearch for this. Why must I use net-iplsearch instead of just
> iplsearch? net-iplsearch does what I want, but I don't understand why
> I need it.


Because the default for any lookup in a host list is to use the host
name as the key. [With hindsight, it might have been better to choose
the alternative, but it's too late now.] At the level where Exim is
processing the list, it does not know that iplsearch is designed for IP
addresses. It is "just another lookup" such as lsearch, dbm, cdb, or
whatever. There's internal interface between the main part of Exim and
the lookups (so it's easy to plug in new ones) and for these kinds of
lookup the interface is "pass over a key and a file name, get back a
string or 'not found'".

If you say

    hosts = lookup-type;/some/file


Exim passes over the host name as the key. If you say

    hosts = net-lookup-type;/some/file


Exim passes over the IP address as the key.

I fully accept that this is one of the rougher corners of Exim's design,
and could have been thought out better. Part of the background is that
this all "grew" as Exim developed. iplsearch is a relatively new lookup
type.

> Finally, if I use one of the above in something like:
>
> accept  set acl_m0 = Message arriving from a trusted host.
>         hosts = lsearch;/exim/whitelisted-hosts

>
> Does acl_m0 always end up with the text message assigned to it, or does it
> only get the assignment if the hosts condition is true and results
> in "accepted"? What if I change the order of the "set" and "hosts" lines?


It always gets set. If you change the order, it only gets set if the
condition is true. ACL conditions and modifiers are processed in order
until the outcome is known. The outcome is known either when a condition
is false, or the end of the list is reached (all conditions are true).

http://www.exim.org/exim-html-4.62/doc/html/spec_html/ch39.html#id2664470

-- 
Philip Hazel            University of Cambridge Computing Service
Get the Exim 4 book:    http://www.uit.co.uk/exim-book