Tony Finch wrote:
> On Mon, 2 Jun 2008, Russell Wilton wrote:
>
>> OK, here is the section of my acl_smtp_rcpt ACL where the problem occurs:
>>
>
> Thanks.
>
>
>> # Reject if sender is listed with Spamhaus DNSBL
>>
>> deny message = $sender_host_address is listed at $dnslist_domain; See $dnslist_text
>> log_message = BLOCKED - Spamhaus: $sender_host_address -> $dnslist_value
>> log_reject_target = reject
>> dnslists = zen.spamhaus.dnsbl
>> delay = 30s
>>
>> # Reject if sender HELOed with an invalid name: it must have one or more
>> # non-dot characters, a dot and another one or more non-dots.
>>
>> deny message = Invalid hostname detected in HELO: $sender_helo_name
>> log_message = BLOCKED - Invalid hostname
>> condition = ${if match{$sender_helo_name}{\N^[^.].*\.[^.]+$\N} {0} {1}}
>> delay = 30s
>>
>> # Reject if sender HELOed as our uleth.ca domain name
>>
>> deny message = Forged hostname detected in HELO: $sender_helo_name
>> log_message = BLOCKED - Forged hostname
>> condition = ${if eq{$sender_helo_name}{uleth.ca} {1} {0}}
>> delay = 30s
>>
>> If the sender is listed with Spamhaus the rejection is logged only in
>> the reject log file, as specified by the log_reject_target modifier.
>>
>> If the sender is not listed with Spamhaus but does HELO with an invalid
>> name, it is also logged only in the reject log even though there is no
>> log_reject_target in that stanza.
>>
>
> That makes sense.
>
>
>> If both of those fall through, but the sender HELOs with my domain name,
>> it is logged in both the main and reject logs as expected.
>>
>
> But I don't understand how that can happen.
>
>
You're right. It doesn't happen. Sorry for the mis-information. I was
confused by another ACL stanza elsewhere that generates the same log
message.
>> So, it seems that the value of log_reject_target does not get reset to
>> the default at the start of the second deny stanza. Am I supposed to
>> set it back to the default with a log_reject_target modifier in that
>> stanza? I haven't tried that.
>>
>
> The way it works is that the log_reject_target is reset to the default at
> the start of each whole ACL. The setting gets changed only when a
> log_reject_target ACL modifier is executed. This means that if you put the
> modifier at the start of an ACL clause then it will always take effect -
> which is why yours is unexpectedly altering your "invalid hostname"
> blocks. I don't know why it isn't altering your "forged hostname" blocks.
>
> ACL message and log_message modifiers are the only ones that are best put
> out-of-order at the start of an acl clause, because executing them just
> involves making note of the string to use if the clause has an effect, and
> it's easier to avoid confusion with different ACL verb shortcutting
> behaviour if you always put message modifiers first.
>
> Hope this (partial) explanation helps.
>
> Tony.
>
Thanks for clearing that up. I had assumed the log_reject_target
applied only to the stanza it appeared in, not the entire ACL. Maybe
that could be clarified in the manual.
So, I have solved the problem by just putting the log_reject_target
modifier after the dnslists condition so it only takes effect if that
deny verb is executed, thus ending the execution of the ACL.
I've always been a little fuzzy about how ACLs are executed. I think I
understand it quite a bit better now. Thanks a lot.
Russ
--
Russell D. Wilton E-Mail: wilton(at)uleth.ca
Info Tech Systems Analyst Voice: (403) 329-2525
University of Lethbridge FAX: (403) 382-7108
4401 University Drive Lethbridge, Alberta, CANADA T1K 3M4
