Re: [exim] time-of-day ACLs

Author: Yan Seiner
Date:  
To: exim-users
Subject: Re: [exim] time-of-day ACLs
Phil Pennock wrote:
> On 2009-06-16 at 08:17 -0700, Yan Seiner wrote:
>
>> I'd like to be able to deny access to specific users at specific times of
>> day.
>>
>> For example, user Joe might have access during the following hours (local
>> time):
>>
>> 0600-0745
>> 1700-1900
>> 2000-2145
>>
>> At times other than these Joe's access to the smtp server should be
>> denied. I'd like to be able to do this on a per-user basis.
>>
>
> So you will have a lookup on the $authenticated_id (since I'm guessing
> that's how you know it's Joe) that will return a list of timestamps.
> Call the results of that LOOKUP, let's assume it's colon-separated,
> looking like:
> 0600-0745:1700-1900:2000-2145
>
> Have the tool which generates the lookup normalise the times to GMT.
>
> You can then use $tod_zulu to get the current date and time in GMT as a
> sequence of digits followed by 'Z', and substr to extract the current
> time.
>
> Thus ${substr_8_4:$tod_zulu} yields the current time in an appropriate
> format.
>
> So the expression to check if the current time is within 0500 and 0600
> would be:
> ${if and{{>{${substr_8_4:$tod_zulu}}{0500}}{<{${substr_8_4:$tod_zulu}}{0600}}}}
>
> So, if this holds true for any of the time ranges in LOOKUP, then we can
> have a condition be true, otherwise false.
>
> Let's assume that you've made sure that each time-range is nine digits
> long, "0600-0745" and not validate that much; feel free to change the
> split logic according to your degree of trust in the DB building tools
> you have, but the simplest is to just use substring extraction again;
> ${substr_0_4:RANGE} and ${substr_5_4:RANGE} for the given timestamps.
>
>   ${if forany{LOOKUP}{and{\
>       {>{${substr_8_4:$tod_zulu}}{${substr_0_4:$item}}}\
>       {<{${substr_8_4:$tod_zulu}}{${substr_5_4:$item}}}\
>       }}}
>
> The value of $tod_zulu changes but it shouldn't affect the results much;
> reverse the order of the checks if you want to grant a few microseconds
> more leeway. ;)
>
> It's up to you to provide LOOKUP and use the result of the condition
> accordingly.
>
> -Phil
>
>

First of all, thanks for the help. It looks like it should be fairly
simple, but I can't get my head around it.... I'm trying to understand
how the acl stuff works. I can't figure out a way to show/log what exim
is doing.

I've boiled this down to a trivial example. I seem to be stuck,
though. At one time I had this working - it was refusing to let me send
mail. I made some changes, added the logwrite stuff, and now it
allows me to send mail and it doesn't log anything....

acl_smtp_auth:
        deny condition = ${if eq{$authenticated_id}{yan}}
                logwrite = user $authenticated_id not allowed access at this time

        accept
                logwrite = user $authenticated_id allowed access at this time


exim4 -bt apparently doesn't allow me to see what's going on with
authentication.... Is there any way to debug this?

--
Yan Seiner
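
The "tool which generates the lookup" and the range test described in the quoted reply, as an added example that is not code from either poster. The function names and the UTC-7 offset are assumptions made for illustration; it also goes one step beyond the thread by splitting windows that cross midnight once shifted to GMT.

```python
# Added example (constructed): build the GMT range list for the lookup and
# mirror the forany/and check from the thread on HHMM values.

def minutes(hhmm):
    return int(hhmm[:2]) * 60 + int(hhmm[2:])

def hhmm(mins):
    return f"{mins // 60:02d}{mins % 60:02d}"

def normalise(local_ranges, utc_offset_minutes):
    """Convert local 'HHMM-HHMM' windows to a colon-separated GMT list.

    A window that crosses midnight once shifted to GMT is split in two:
    the and{>,<} test can never match a range whose start exceeds its end.
    """
    out = []
    for rng in local_ranges:
        start, end = rng.split("-")
        s = (minutes(start) - utc_offset_minutes) % 1440
        e = (minutes(end) - utc_offset_minutes) % 1440
        if s <= e:
            out.append(f"{hhmm(s)}-{hhmm(e)}")
        else:
            # 2400 keeps 2359 inside the window under the strict '<' test;
            # minute 0000 is still excluded, like every window's start minute.
            out.append(f"{hhmm(s)}-2400")
            out.append(f"0000-{hhmm(e)}")
    return ":".join(out)

def allowed(tod_zulu, lookup):
    """Same test as the Exim expression: strict > and < on substr_8_4."""
    now = int(tod_zulu[8:12])
    return any(int(item[0:4]) < now < int(item[5:9])
               for item in lookup.split(":"))

if __name__ == "__main__":
    # Joe's windows from the thread; -420 minutes (UTC-7) is an assumed offset.
    joe = normalise(["0600-0745", "1700-1900", "2000-2145"], -420)
    print(joe)
    print(allowed("20090616133000Z", joe))   # constructed $tod_zulu value
    # A constructed window that crosses midnight in GMT.
    late = normalise(["1630-1800"], -420)
    print(late, allowed("20090617003000Z", late))
```

A fixed offset is only valid until the next daylight-saving change, so the list has to be regenerated whenever local time shifts.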