Re: [exim] hostlist, net-lsearch and negative items

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] hostlist, net-lsearch and negative items
Wolfgang Hennerbichler wrote:
> Hi list,
>
> I'm encountering a problem for which I currently can't find a solution.
> I've used a host-list-file in an ACL that worked perfectly for me.
> Now I want to integrate that host-list-file in a 'hostlist', because
> I want to re-use it in a router.
>
> The file looks like this (example IPs):
>
> cat /etc/exim4/relay_access
> !10.0.0.1
> 10.0.0.0/8
>
> basically I want to prevent 10.0.0.1 from relaying. So I have this ACL:
>    accept  hosts         =  /etc/exim4/relay_access
> which works. As I want to re-use that list in a router, I'd like to
> put it in a host-list. So I have thought of something like this:
>
> hostlist relay_from_hosts = net-lsearch;/etc/exim4/relay_access
> or
> hostlist relay_from_hosts = net-iplsearch;/etc/exim4/relay_access
>
> this works too, except for the negative item. The 10.0.0.1 IP address
> would be allowed relay access, if I used the hostlist
> relay_from_hosts in my ACL. It seems as if the "!" is simply no
> longer a negation but a string in this case.
>
> I expected the solution to be easy, but right now I'm stuck. Am I
> missing something? Is there a way to re-use the information in that
> file in a router?
>
> Thanks for any replies.
>
> wogri
>
We do almost the identical thing as your pre-hostlist example.

But having never thought to apply the 'negation', we simply maintain two files,

~/IP-block and ~/IP-pass

Plus another set for HELO and FQDN strings ~/REGEXP-pass & ~/REGEXP-block

Why not a 'hostlist'?

- Routers and ACLs are just as happy with flat files or DB calls.

- We don't want to trigger a DNS lookup on IPs that are either known to not
HAVE a DNS record, HELO or FQDN strings known to be forged, or either type that
is to be blocked unconditionally in any case.

Likewise easier for the 'wetware' to remember what is what - not to mention
privileges isolation as to editing, updating...

CAVEAT: AFAIK hostlists AND DNS lookups are cached by Exim, but results of SQL
or flat-file reads are NOT. So there can be a performance hit.

HTH,

Bill Hacker
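To make the failure mode in the thread concrete, here is an added Python model, written for this page and not code from Exim or from either poster, of a net-iplsearch lookup and of Exim's documented left-to-right list evaluation with negated items. The file contents are constructed from the example IPs above; the two-item hostlist layout (one negated lookup on a block file, one positive lookup on a pass file) is an assumption following the two-file approach in the reply.

```python
import ipaddress

# Constructed stand-in for /etc/exim4/relay_access as posted: inside a lookup
# file the "!" line is just a key, not a negation, which is the reported problem.
RELAY_ACCESS = ["!10.0.0.1", "10.0.0.0/8"]
# Constructed two-file layout (assumed contents) after the reply's suggestion.
IP_BLOCK = ["10.0.0.1"]
IP_PASS = ["10.0.0.0/8"]
FILES = {"/etc/exim4/relay_access": RELAY_ACCESS,
         "~/IP-block": IP_BLOCK, "~/IP-pass": IP_PASS}


def iplsearch(lines, host_ip):
    """Model of net-iplsearch: each line's first field is a key (an address or
    a CIDR block); the lookup succeeds when some key contains host_ip."""
    ip = ipaddress.ip_address(host_ip)
    for line in lines:
        key = line.split()[0]
        try:
            net = ipaddress.ip_network(key, strict=False)
        except ValueError:
            continue  # "!10.0.0.1" is not an address key: it never matches
        if ip in net:
            return True
    return False


def host_list_match(items, host_ip):
    """Model of Exim's documented negation rule: scan items left to right; a
    positive match puts the host in the set, a negated match keeps it out; if
    nothing matches, the host is in the set only if the last item was negated."""
    last_negated = False
    for item in items:
        negated = item.startswith("!")
        pattern = item.lstrip("!").strip()
        last_negated = negated
        if pattern.startswith("net-iplsearch;"):
            matched = iplsearch(FILES[pattern.split(";", 1)[1]], host_ip)
        else:
            net = ipaddress.ip_network(pattern, strict=False)
            matched = ipaddress.ip_address(host_ip) in net
        if matched:
            return not negated
    return last_negated


# As posted: the whole file is ONE list item, so its "!" line cannot negate.
AS_POSTED = ["net-iplsearch;/etc/exim4/relay_access"]
# Negation carried at list-item level instead (assumed layout, two files).
TWO_FILES = ["! net-iplsearch;~/IP-block", "net-iplsearch;~/IP-pass"]
```

Running `host_list_match(AS_POSTED, "10.0.0.1")` reproduces the complaint (10.0.0.1 still matches via 10.0.0.0/8), while `host_list_match(TWO_FILES, "10.0.0.1")` excludes it and other 10/8 hosts still pass.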