Author: Graeme Fowler
Date:
To: exim-users
Subject: Re: [exim] How about an ACL before connecting?
On Mon, 2006-12-25 at 17:29 -0800, Marc Perkel wrote:
> This would be a great feature unless it's already in there and I missed it.
>
> I'd like an ACL that ran when a host attempts to connect but Exim hasn't
> yet established a connection so I can test the IP address against a
> black list or rDNS and decide not to connect at all instead of
> connecting and returning a code at all.
This cannot be done at the application level [most of the time, before
anyone points out apps which hook netfilter/pf/firewall variants] - the
application has to establish a connection via the TCP three-way
handshake before it can decide whether or not to process a connection at
all.
However - you do have one or two ways to proceed, depending on OS. As
mentioned by Renaud, there's the BSD pf "redirect" feature.
Using Linux you might be able to use TCP Wrappers (if you compiled Exim
to support it), making use of the extended commands - see "man
hosts_options" and look for the "spawn shell_command" section. You might
be able to make it work to do what you want, but then again you might
not in a high load situation.
Alternatively there's iptables, but how you'd manage to trigger a lookup
to drop the host I have no idea.
Either way, you have to do it before it gets to Exim. As far as I can
tell, anyway - it is Boxing Day after all :)
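Added example, not part of the thread above: what "doing it before it gets to Exim" looks like in practice. The script builds the reversed-octet DNSBL query name for an IPv4 address, treats only answers in 127.0.0.0/8 as a listing (anything else is a wildcard, search-domain or withdrawn-zone artefact), and prints the iptables rule that would drop the SYN on port 25 so the three-way handshake never completes for that host. The zone name zen.example.net, the iptables rule and the fail-open handling of lookup failures are assumptions of this example; a real deployment would feed an ipset from a batch job rather than resolve synchronously per connection, which is exactly the high-load concern raised for spawn above.

```shell
#!/bin/sh
# Added example (not from the exim-users thread): decide at the firewall layer,
# before Exim ever accepts the connection, whether an IP is on a DNSBL.
set -eu

# Reverse the octets of an IPv4 address and append the DNSBL zone:
#   203.0.113.5 + zen.example.net -> 5.113.0.203.zen.example.net
# Returns 1 for anything that is not four decimal octets in 0..255.
dnsbl_query_name() {
    printf '%s\n' "$1" | awk -F. -v z="$2" '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
          print $4 "." $3 "." $2 "." $1 "." z }'
}

# Resolve the query name to A records, one per line, using dig or host.
# A lookup failure produces no output, i.e. "not listed" (fail-open); that is a
# deliberate choice here so a DNS outage does not block all mail.
dnsbl_answers() {
    if command -v dig >/dev/null 2>&1; then
        dig +short +time=2 +tries=1 A "$1" 2>/dev/null || true
    elif command -v host >/dev/null 2>&1; then
        host -t A -W 2 "$1" 2>/dev/null | awk '/has address/ { print $NF }' || true
    fi
}

# stdin: A records, one per line. Succeeds only if one of them is in
# 127.0.0.0/8, the return-code convention assumed for the DNSBL in use.
answer_means_listed() {
    grep -Eq '^127\.([0-9]{1,3}\.){2}[0-9]{1,3}$'
}

# ip zone -> 0 if listed, 1 if not (or lookup failed), 2 if ip is malformed
dnsbl_listed() {
    name=$(dnsbl_query_name "$1" "$2") || return 2
    dnsbl_answers "$name" | answer_means_listed
}

# The rule that stops the handshake before Exim sees the host (assumed rule;
# a production setup would use an ipset instead of one rule per address).
block_rule() {
    printf 'iptables -I INPUT -s %s -p tcp --dport 25 -j DROP\n' "$1"
}

# Usage: sh dnsbl-block.sh 203.0.113.5 zen.example.net
if [ $# -eq 2 ]; then
    if dnsbl_listed "$1" "$2"; then
        echo "$1 is listed in $2; rule to apply:"
        block_rule "$1"
    else
        echo "$1 not listed in $2 (or lookup failed)"
    fi
fi
```

Note that the 127.0.0.0/8 check matters: a resolver with a search domain, or a DNSBL whose zone has been retired and now wildcards, can return a non-loopback address for every query, and without the check that would drop every inbound MTA.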