Author: W B Hacker
Date:
To: exim users
Subject: Re: [exim] Limiting incoming connections on a per-domain basis

Steve Sobol wrote:
> On Fri, 22 Sep 2006, W B Hacker wrote:
>
>
>>May be just my contrarian view of semantics, but I interpret that as:
>>
>>"Accept mail for (most) domains from any source."
>>
>>"Accept mail from (certain specific) domains ONLY from (one, or a short
>>list of) specific IP(s)."
>
>
> 100% correct, but I forgot to mention that the restricted domains still
> need to be able to accept authenticated connections from anywhere.
>
> But I think the method you're describing should be extensible to
> authenticated connections pretty easily. I am going to try it.
>
> Thanks,
> Steve
>
Oh, we DO that.

Specifically, we check for relay_hosts and 'authenticated' *first*, even using
separate (non-standard) ports and protocols to give our Mac & *BSD users a leap
right over SA checking, while scanning both of our remaining Win-Lusers' traffic
in both directions to protect others.

acl_(x) as flags are very handy when the action must take place in a different
smtp-phase than the detection, AND/OR the 'detection' tests are multi-part or
modified by other events.

If there is a limit to Exim's flexibility, I have yet to hit it...
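
An added example, not part of the original post and not either poster's actual configuration: a minimal Exim configuration fragment using an ACL variable as a flag, set at connect time (detection) and acted on at RCPT time (action), with authenticated clients checked first. It assumes the restricted domains are recipient domains; the list names, the domain and the addresses are constructed placeholders.

```exim
# Main configuration section (constructed placeholder values).
domainlist restricted_domains = restricted.example
hostlist   permitted_sources  = 192.0.2.10 : 192.0.2.11

acl_smtp_connect = acl_check_connect
acl_smtp_rcpt    = acl_check_rcpt

begin acl

acl_check_connect:
  # Detection phase: flag the connection when it comes from a permitted
  # source. acl_c0 keeps its value for the whole SMTP connection.
  warn    hosts = +permitted_sources
          set acl_c0 = permitted

  accept

acl_check_rcpt:
  # Authenticated clients are tested first and may connect from anywhere.
  accept  authenticated = *

  # Action phase: a restricted domain takes mail only over a connection
  # that was flagged at connect time. An unset acl_c0 expands to an empty
  # string (strict_acl_vars not set), so the comparison fails closed.
  deny    domains   = +restricted_domains
          condition = ${if !eq{$acl_c0}{permitted}}
          message   = $domain accepts mail only from designated hosts

  # The site's existing RCPT checks (relay control, recipient
  # verification, final accept) continue here. An ACL that runs off its
  # end without a matching statement denies.
```

Because the flag is a connection variable, multi-part detection tests can each set or clear it in earlier ACLs while the `deny` in the RCPT ACL stays unchanged.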