Author: W B Hacker
Date:
To: exim users
Subject: Re: [exim] ACL to drop connectio

Graeme Fowler wrote:
> On Fri, 2010-06-11 at 13:09 -0400, W B Hacker wrote:
>> That's quite elegant! (Given one understands '0' means 'infinity' here)
>
> Thanks. For "Understanding" replace with "the documentation for this
> option states that" :)
>
>> But is it 'cheap'?
>
> Not as "cheap" as not doing the lookup, obviously. And if you had a
> bazillion hosts/netblocks in your hostlist it would probably be quite
> slow; but if you had that, you'd be doing it wrong.
>
> The fact that it acts before any SMTP processing is done makes it pretty
> lightweight. Given that recipient verification further down the
> transaction will cost many times more resources, deferring connections
> before you've even sent a banner is worth a lot.
>
> So yes - it's "cheap".
>
> Graeme
>
>
>
Here's another possible use:

Givens:

- a possible houseful of guests, coffee-shoppers, bookstore or airport WiFi hot
  spot, or a business office full of folks who might attempt to *submit outbound*
  simultaneously from the same shared IP:
- said IP may be dynamic, unsuited to direct entry into a hostlist as an IP
- but the port (587) is not dynamic
- shared link may be slower than a local, if not international backbone, ergo
  time-on-teat longer and overlap probability higher

Might there be a value in granting an exemption for simultaneous connections
from one IP to the *submission* port (587) and wildcarding the (often dynamic) IP?