Re: [exim] Problem with TLS connection

Author: W B Hacker
Date:
To: exim users
Subject: Re: [exim] Problem with TLS connection
Hill Ruyter wrote:
> Thanks Bill
>
> Concise, informative and thorough as usual.
>
> I really wish I could get my head round the ACLs as you suggest since all
> my users do connect on 587 and do use TLS and do authenticate and are just
> family and friends so are no problem to manage (from an MUA perspective)
> so everything else is subject to disdain, mistrust and general contempt.
> But, alas and alack I am yet to get my brain around doing all the clever
> things often referred to in here and the Debian-ness of my server it seems
> makes me a bit of a black sheep when it comes to what to do configuration
> wise.
>
> Thanks again everyone for their help though in getting me up and running
> again
>
> Yours
>
> Hill
>

*snip* (my thorough? Maybe. But anything BUT 'concise' post..)

W/r the acl's. Study Forth - they look and work just like a 'case of..'

;-)

...more seriously ...

One of the best friends you can have for clarity, simplicity, and
readability, is the NOT'ed or inverted '!condition ='

- as small individual bites, they can exit earlier than complex
monoliths, and in predictable and easily re-ordered sequence.

- they can readily be *stacked* instead of nested, making #commenting
them in or out of the chain SO much simpler than revising complex nested
conditionals and test, test, test....

An example - rDNS check with multiple prior exemptions in descending
order of their likelihood:

====

deny
!condition = ${if eq{$interface_port}{587}}
# bails immediately for our own (probable) submission Lusers [1]

!hosts     = : +relay_from_hosts
# and/or skip check of cron reports from boxen with no <domain>.<tld>


!condition = ${lookup{$sender_address}lsearch{/path/VIP-pass}{yes}{no}}
# skips whitelisted MTA we forgive despite rDNS fail
# ({yes}{no} makes the result explicit: a bare lsearch hit with no data
# part would expand to an empty string, which "condition" treats as false)

!verify    = reverse_host_lookup
# 'NOT' meaning trigger the deny if verification *fails*


====

HTH,

Bill

[1] a positive conditional also works in this stack position, as in:

    condition   = ${if eq{$interface_port}{25}}


Which excludes 587, 465, and *other* custom Luser-submission ports used
to get around firewalls. If any.
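An added example, not from Bill's post or the Exim project: the same rDNS gate placed inside a complete RCPT ACL, written once as a single nested expression and once as the stacked early-exit form, with a warn-only stage that logs would-be hits before the deny is switched on. The ACL name, the list contents and the /etc/exim4/VIP-pass path are assumptions.

```exim
# Main section: point the RCPT-time ACL at the one defined below.
acl_smtp_rcpt = acl_check_rcpt

domainlist local_domains    = example.com
hostlist   relay_from_hosts = 127.0.0.1 : ::1 : 192.0.2.0/24   # constructed values

begin acl

acl_check_rcpt:

  # Authenticated submission clients never reach the rDNS gate at all.
  accept  authenticated = *

  # Monolithic form (commented out, kept for comparison only): one nested
  # expression. Reordering an exemption or switching one off means
  # re-editing and re-testing the whole thing.
  # deny  condition = ${if and{ \
  #                     {!eq{$interface_port}{587}} \
  #                     {!match_ip{$sender_host_address}{+relay_from_hosts}} \
  #                     {!bool{${lookup{$sender_address}lsearch{/etc/exim4/VIP-pass}{yes}{no}}}} \
  #                   }}
  #       !verify   = reverse_host_lookup

  # Stacked form: every negated condition is an early exit, cheapest and most
  # likely first. Run it as "warn" with a log_message first; count the hits
  # in mainlog, then copy the stack under "deny" once the exemptions are right.
  warn
    !condition   = ${if eq{$interface_port}{587}}
    !hosts       = : +relay_from_hosts
    !condition   = ${lookup{$sender_address}lsearch{/etc/exim4/VIP-pass}{yes}{no}}
    !verify      = reverse_host_lookup
    log_message  = rDNS fail (would deny): $sender_host_address from $sender_address

  deny
    !condition   = ${if eq{$interface_port}{587}}
    !hosts       = : +relay_from_hosts
    !condition   = ${lookup{$sender_address}lsearch{/etc/exim4/VIP-pass}{yes}{no}}
    !verify      = reverse_host_lookup
    message      = Reverse DNS lookup for $sender_host_address failed
    log_message  = rDNS fail: $sender_host_address from $sender_address

  accept  domains = +local_domains
  deny    message = relay not permitted
```

Commenting out any single `!` line in the stack removes that exemption without touching the others, which is the point of the stacked layout.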