Re: [exim] acl black art help wanted

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] acl black art help wanted
Hill Ruyter wrote:
>
>> -----Original Message-----
>> From: exim-users-bounces@??? [mailto:exim-users-bounces@exim.org]
>> On Behalf Of Ian Eiloart
>> Sent: 18 May 2009 10:51
>> To: W B Hacker; exim users
>> Subject: Re: [exim] acl black art help wanted
>>
>>
>>
>> --On 17 May 2009 13:40:46 +0800 W B Hacker <wbh@???> wrote:
>>
>>>> Clearly my PC client can't have a verified HELO
>>>> So how do I make the list ignore authenticated hosts ?
>>>>
>> You might want to think about running two servers. One for inbound
>> mail,
>> and one for message submission from authenticated hosts. The
>> configuration
>> for the latter should be simpler, since you can replace most anti-spam
>> measures with rate-limiting measures.
>>
>> Given that the security model is quite different for authenticated
>> accounts
>> versus incoming mail, we've found it simpler to separate the
>> configurations.
>>
> Do you mean running two physical servers, or is there an easy way to run two
> instances of exim on the same physical machine?
>
> I do not have the resources to run a second physical machine.
>
> Hill


Some confusion here with trimming....

Hacker sez one server, separated by the incoming interface_port.

Eiloart (or someone impersonating 'im) suggests two 'servers'.

We'd both tell you that can be two 'instances' on the same box, same IP,
different ports. Separate IPs are better if you have 'em, 'coz you can do R&D
test traffic w/o involving the outside world. Or even having a CAT5 plugged in.

- One listening on 25 and handling 'incoming' traffic (outside world to 'local'
delivery), another one listening on 587 for your own clients ONLY, for 'local to
outside-world' delivery (and some local).

See also 'acl_not_smtp', because any traffic originating from a 'shell' account
that sends by invoking a binary does not *have* an 'smtp' session - hence does
not go through the same 'phases' (connect, helo, mail-from, rcpt-to, data).

EX: The 'Prayer' webmail daemon from U Cambridge operates this way, hence needs
access to an smtp 'sender' binary on-box. ISTR the 'Mailman' MLM also connects
this way - 'cross-box' without the full smtp session. If not, I'll be chastised
'shortly'.

*As either skips the 'acl_smtp_<whatever>' chain, one 'may' need special rules in
acl_not_smtp, for virus-checking, size limiting, etc.*

The Webmail that is part of Webmin/Usermin, OTOH, can be on an unrelated box, as
it DOES run a 'normal' smtp session - same-box OR remote box. Likewise the
'Ecartis' MLM, which runs a normal smtp session even when on the same box as the
MTA it is working with.

Pros and cons to both approaches.

KISS until RATRUMP.

;-)

Bill

>> --
>> Ian Eiloart
>> IT Services, University of Sussex
>> 01273-873148 x3148
>> For new support requests, see http://www.sussex.ac.uk/its/help/
>>
>> --
>> ## List details at http://lists.exim.org/mailman/listinfo/exim-users
>> ## Exim details at http://www.exim.org/
>> ## Please use the Wiki with this list - http://wiki.exim.org/
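The layout Bill describes (one daemon, port 25 for the outside world, port 587 for your own authenticated clients, plus acl_not_smtp for mail injected through the local binary) written out as an Exim configuration fragment. This is an added example, not configuration posted by anyone in the thread; the ACL names, the local domain, the 10M size cap and the assumption that Exim was built with content scanning and has av_scanner configured (needed for the malware condition) are all illustrative choices.

```exim
# Added example: one Exim daemon, two listening ports, separate policy per port.

# Assumed: the domains this box delivers locally.
domainlist local_domains = @ : example.org

# Listen on both the MX port and the submission port.
daemon_smtp_ports = 25 : 587
local_interfaces  = <; 0.0.0.0 ; ::0

# Offer TLS everywhere, but only advertise AUTH once the session is encrypted
# (same shape as the stock Exim configure file).
tls_advertise_hosts  = *
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

acl_smtp_helo = acl_check_helo
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
acl_not_smtp  = acl_check_not_smtp

begin acl

acl_check_helo:
  # Port 587 carries our own clients; they cannot present a verifiable HELO,
  # so skip the check here and decide on AUTH at RCPT time instead.
  accept  condition = ${if ={$interface_port}{587}}

  # Everything on port 25 is the outside world: insist on a HELO that verifies.
  deny    message   = HELO/EHLO name $sender_helo_name does not verify
         !verify    = helo

  accept

acl_check_rcpt:
  # Submission port: authenticated clients may relay anywhere and get
  # submission-mode header fixups; unauthenticated clients get nothing.
  accept  condition     = ${if ={$interface_port}{587}}
          authenticated = *
          control       = submission

  deny    condition     = ${if ={$interface_port}{587}}
          message       = Authentication required on port 587

  # Port 25: local delivery only, and only to recipients that exist.
  accept  domains       = +local_domains
          verify        = recipient

  deny    message       = relay not permitted

acl_check_data:
  deny    message   = Message rejected: $malware_name
          malware   = *

  accept

acl_check_not_smtp:
  # Mail handed over by a sendmail-compatible binary (webmail daemon, list
  # manager, cron job) never passes the SMTP ACLs above, so the checks that
  # matter have to be repeated here.
  deny    message   = Message rejected: $malware_name
          malware   = *

  deny    message   = Message too large (limit 10M)
          condition = ${if >{$message_size}{10M}}

  accept
```

If you would rather have two genuinely separate instances, the same split works with two configuration files and two daemons, e.g. `exim -bd -C /etc/exim/submission.conf -oX 587` for the client-facing one; the submission config then only needs the 587 branches above, and the port-25 config only the HELO and recipient checks. Keep acl_not_smtp in whichever instance owns the sendmail-compatible binary on the box, because that is the one locally injected mail reaches.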