Re: [exim] authentication / relay

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] authentication / relay
Seth Dillingham wrote:
> On Thu, Apr 28, 2011 at 4:03 PM, W B Hacker<wbh@???> wrote:
>
>> Either exempt sampson from sender verify attempts, OR 'fix' sampson so it
>> CAN respond as expected.
>
>
> Pointing out again that I'm a n00b... I thought I had it turned off.
>
> If I switch the order of these two pieces in the ACL:
>
>    require verify        = sender
>
>    accept  hosts         = +relay_from_hosts
>            control       = submission
>            control       = dkim_disable_verify
>
> ... would that do what you're suggesting?
>
> Seth


We were all 'n00bs' at one time...

You will need to comment it out, not just relocate it.

You MAY want to comment-out the other two lines as well - I don't know
how you have the overall acl laid-out.

Exim's 'one time' debug feature is as good as it gets. Learn to use it,
and use it OFTEN.

Beyond that, and for day-to-day use, here's what I do - not to just make
Exim happy, but to make debug and editing faster and less error-prone
for the sysadmin (Ich):

.. in your ~/configure file:

1) Cleanly set apart each acl clause with '#' use. A bit of 'pseudo
language' can remind you as to what it is SUPPOSED TO do. These won't
slow Exim down. They can save YOU time. Or whomever has to take over
three years out.

2) Name each acl clause including the smtp session 'phase' in which it
sits and operates.

3) include a 'logwrite = ' with text AND a code for said 'name'
Turn these ON when testing pre-production and early-days, comment them
OFF when all is working well, but leave them in place for next time.

NB: A 'logwrite' doesn't tell you if the acl has 'triggered', let alone
done what you intended. BUT - it does tell you the clause has been
'traversed' or evaluated, ie: - not skipped. AND attracts the Mark One
Eyeball (or 'grep') when looking for something related.

Grep on the code (C3, R4) not the text.

4) include one or more 'log_message =' that ALSO includes the 'code' for
the clause. A brief one can be left on permanently. A more detailed one
might be used for debugging only. The detailed one can place a copy of a
rather large number of variables - certainly the ones relevant to the
conditions and tests within that acl - into the log.


Debugging using the log is now easier because;

- you KNOW if an acl was looked at or skipped

- you SEE the variable values that it was presented with.

This is coupled with a 'log_selector = +all', so Exim itself is ratting
out all comers. Again - for debug, not production. ELSE you will have
massive log growth, especially under DDoS attack.

To keep log sizes reasonable, and content useful to YOUR needs, you'll
want to 'tune' what you log and do not log, plus comment-OFF the above
messages when their associated acl has reached the stage where it 'JFW'.

Examples:

Test:

log_selector = +all

Production (mine, anyway):

log_selector = +all -all_parents -queue_run -arguments -rejected_header
-host_lookup_failed

NB: host_lookup_failed should not generally be excluded.
I run a custom compile that has different messages, so it is redundant
in my case.

Here are some samples of the style I use for 'named' acl's, wherein 'grep
<code>', with a code such as 'C3', finds all relevant messages, and
Ctrl-k-f <code> puts my editor-of-choice right on top of the clause I
may need to modify.

CAVEAT: the *content* and actions may have no use to you at all.

These are style samples, not 'Best Current Practice.'

====

# CONNECT_9: IF sending host LBL'ed THEN deny
#
deny
   # logwrite  = C9 checking $sender_host_name against LBL
   message     = $sender_host_name spammed us once. Once is all you get.
   log_message = C9 $sender_host_name Locally blacklisted.
   condition   = ${lookup {$sender_host_name}wildlsearch \
                  {/var/mail/filters/REGEXP-block}{yes}{no}}


====

# FROM_4: IF Envelope-from LBL'ed, THEN deny
#
deny
   # logwrite  = F4 checking $sender_address against LBL
   condition   = ${lookup {$sender_address}wildlsearch \
                  {/var/mail/filters/REGEXP-block}{yes}{no}}
   log_message = F4 $acl_m3 Blacklisted exact From name



====

# RCPT_4: IF not a valid recipient here, THEN deny
#
deny
    # logwrite  = R4 is $local_part@$domain one of ours?
    !verify     = recipient
    message     = Mis-typed or Invalid address or wrong address format.
    log_message = R4 $local_part@$domain invalid address


====

# DATA_SCAN_4: IF message larger than SCAN_MAX, THEN warn
#
warn
    # logwrite  = DS4 is $message_size too big to scan?
    condition   = ${if >{$message_size}{SCAN_MAX} {true}}
    message     = X-Wincrobe-Not-Scanned: Message too large to scan.
    log_message = DS4 Not scanned - exceeds SCAN_MAX


====

HTH,


Bill
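As an added example (not part of Bill's post, and not Exim's own tooling): a small Python script that does the 'grep on the code, not the text' step over Exim main-log lines, pulling the clause code (C9, F4, R4, DS4) out of each log_message and grouping hits by code and by sending IP. The log lines, hostnames and IPs below are constructed for illustration and follow Exim's usual "rejected ...: <log_message>" and "Warning: <log_message>" layouts.

```python
import re
from collections import defaultdict

# Constructed sample main-log lines (not from a real server). The text after
# "rejected ...: " or "Warning: " is the ACL's log_message, which starts with
# the clause code as the post suggests. The last line carries no ACL code.
SAMPLE_LOG = """\
2011-04-28 16:03:01 H=mail.example.net [192.0.2.10] rejected connection in "connect" ACL: C9 mail.example.net Locally blacklisted.
2011-04-28 16:03:05 H=(sampson) [198.51.100.7] F=<bob@example.org> rejected RCPT <nosuch@example.com>: R4 nosuch@example.com invalid address
2011-04-28 16:03:09 H=(sampson) [198.51.100.7] F=<bob@example.org> rejected RCPT <typo@example.com>: R4 typo@example.com invalid address
2011-04-28 16:04:00 1QFcdq-0003Kx-2k H=relay.example.org [203.0.113.5] Warning: DS4 Not scanned - exceeds SCAN_MAX
2011-04-28 16:04:12 H=spam.example.biz [203.0.113.99] F=<junk@spam.example.biz> rejected RCPT <alice@example.com>: F4 junk@spam.example.biz Blacklisted exact From name
2011-04-28 16:05:00 1QFcdr-0003Ky-1a <= alice@example.com H=localhost [127.0.0.1] P=esmtpa A=plain:alice S=1234
"""

# Capture the sending host (H=name [ip]) and the code that opens the log_message.
# Codes are one to three capital letters followed by digits, e.g. C9, F4, DS4.
LINE_RE = re.compile(
    r"H=(?P<host>\S+)(?: \[(?P<ip>[^\]]+)\])?.*?"
    r"(?:rejected [^:]*: |Warning: )(?P<code>[A-Z]{1,3}\d+) (?P<text>.*)$"
)


def parse_acl_events(log_text):
    """Return one dict per line that carries a coded ACL log_message."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({"code": m.group("code"), "host": m.group("host"),
                           "ip": m.group("ip"), "text": m.group("text")})
    return events


def count_by_code(events):
    """How often each ACL clause fired: the quick 'is this clause even traversed' check."""
    counts = defaultdict(int)
    for event in events:
        counts[event["code"]] += 1
    return dict(counts)


def hosts_for_code(events, code):
    """Distinct sending IPs that tripped one clause, e.g. 'R4' for bad recipients."""
    return sorted({e["ip"] for e in events if e["code"] == code and e["ip"]})


if __name__ == "__main__":
    found = parse_acl_events(SAMPLE_LOG)
    for code, n in sorted(count_by_code(found).items()):
        print(f"{code}: {n} hit(s) from {hosts_for_code(found, code)}")
```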