Re: [exim] hostlist, net-lsearch and negative items

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] hostlist, net-lsearch and negative items
Wolfgang Hennerbichler wrote:
> On 10.10.2007, at 21:30, W B Hacker wrote:
>> Wolfgang Hennerbichler wrote:
>>> The file looks like this (example IP's):
>>>
>>> cat /etc/exim4/relay_access
>>> !10.0.0.1
>>> 10.0.0.0/8
>>>
>>> basically I want to prevent 10.0.0.1 from relaying. So I have this  
>>> ACL:
>>>    accept  hosts         =  /etc/exim4/relay_access
>>> which works. As I want to re-use that list in a router, I'd like to
>>> put it in a host-list. So I have thought of something like this:
>> We do almost the identical thing as your pre-hostlist example.
>>
>> But having never thought to apply the 'negation' simply maintain
>> two files,
>> ....
>
> before you replied, I decided to do something different - don't know
> if this is considered hack-ish or not:
> I set an ACL variable if somebody is actively relaying. I do this
> with one simple line in the ACL:
>
> accept  hosts         = /etc/exim4/relay_access
>            set acl_c1    = true
>
> so now I can deal with this variable in my router-condition:
>
> condition = ${if and { {!eq {$received_protocol}{spam-scanned}} {< {$message_size }{300K}} {!eq {$acl_c1}{true}} } }
>
> I hope this is "a good way" to do this.


Dunno if all here would consider it such, but whatever gets the job done.

JFWIW, I'm using *far* more complex acl_[c|m] variable handling, such as
iterating thru the recipients to SELECT, adjust, and store both the
most-tolerant and least-tolerant preference integers of the recipients specified
for a given message.

On arrival to DATA phase, I am carrying MIN and MAX tolerance thresholds for
that ad hoc group.

If the *message* has then scored below MIN when RFC, rDNS, HELO, etc 'demerits'
+ SA's spam_int scores are summed, accept for all.

If above MAX deny for all.

If in between MIN MAX, then 'fakereject' and distribute per prefs in routers -
some normal Inbox, some quarantined, some blackholed.

Doesn't *quite* cover true individualized per-recipient handling post DATA
phase, but does give an in-session message, so no need for post-smtp-session
potentially-collateral-spam bounce generation.


>
>> CAVEAT: AFAIK hostlists AND DNS lookups are cached by Exim, but
>> results of SQL
>> or flat-file reads are NOT. So there can be a performance hit.
>
> the file is very small (not more than 10 lines). I rely on OS-Caching
> to not make that my performance bottleneck.
>


Hadn't thought of that, but sure - given the 2 to 4 GB of RAM we run, it
probably would do..


> thanks for your reply;
> wogri
>



Not only does 'one hand wash the other' here, but even an off-the-wall thought
can trigger a better one...

As time-zones change, we'll no doubt hear several better ways yet...

Bill Hacker
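Why the two-line file in the thread keeps 10.0.0.1 out while the rest of 10.0.0.0/8 may relay comes down to Exim's list rules: items are scanned left to right, the first matching item decides, a `!` item excludes, and a host that matches nothing takes the opposite of the last item's sign. The following Python model is an added example, not Exim's code or anything from the list: it parses the posted file and applies those rules. The function names, the comment-line handling and the restriction to plain IPs and CIDR blocks are this example's assumptions.

```python
import ipaddress

# Constructed sample: the relay_access file from the thread (example IPs),
# plus a comment line that this model simply skips.
RELAY_ACCESS = """\
# hosts that may relay; first matching line wins
!10.0.0.1
10.0.0.0/8
"""


def parse_host_list(text):
    """Parse one host pattern per line into (negated, network) pairs.

    Only plain IP addresses and CIDR blocks are modelled (an assumption of
    this example); blank lines and '#' comments are ignored.
    """
    items = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        if negated:
            line = line[1:].strip()
        items.append((negated, ipaddress.ip_network(line, strict=False)))
    return items


def host_in_list(ip, items):
    """Apply Exim's list rules to one host.

    Scan left to right; the first matching item decides (a positive item
    means 'in the list', a negated one means 'not in the list').  If no item
    matches, the result is the opposite of the last item's sign, so a list
    ending in a negated item matches every other host.
    """
    addr = ipaddress.ip_address(ip)
    for negated, net in items:
        if addr.version == net.version and addr in net:
            return not negated
    if not items:
        return False
    last_negated = items[-1][0]
    return last_negated


def relay_allowed(ip, text=RELAY_ACCESS):
    """Would 'accept hosts = /etc/exim4/relay_access' match this client?"""
    return host_in_list(ip, parse_host_list(text))


if __name__ == "__main__":
    for client in ("10.0.0.1", "10.200.3.4", "192.168.1.1"):
        print(client, "relay" if relay_allowed(client) else "no relay")
```

The last rule is the one that bites when a file consists only of negated lines: `!10.0.0.1` on its own matches everything except that host, which is rarely what an open-relay check wants, so the trailing positive `10.0.0.0/8` line matters as much as the negation.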