Hill Ruyter wrote:
> Thanks Bill
>
> Concise, informative and thorough as usual.
>
> I really wish I could get my head round the ACLs as you suggest since all
> my users do connect on 587 and do use TLS and do authenticate and are just
> family and friends so are no problem to manage (from an MUA perspective)
> so everything else is subject to disdain, mistrust and general contempt.
> But, alas and alack I am yet to get my brain around doing all the clever
> things often referred to in here and the Debian-ness of my server it seems
> makes me a bit of a black sheep when it comes to what to do configuration
> wise.
>
> Thanks again everyone for their help though in getting me up and running
> again
>
> Yours
>
> Hill
>
*snip* (Me, thorough? Maybe. But anything BUT a 'concise' post..)
W/r the ACLs. Study Forth - they look and work just like a 'case of..'
;-)
...more seriously ...
One of the best friends you can have for clarity, simplicity, and
readability, is the NOT'ed or inverted '!condition ='
- as small individual bites, they can exit earlier than complex
monoliths, and in predictable and easily re-ordered sequence.
- they can readily be *stacked* instead of nested, making #commenting
them in or out of the chain SO much simpler than revising complex nested
conditionals and test, test, test....
An example - rDNS check with multiple prior exemptions in descending
order of their likelihood:
====
  deny
    # bails immediately for our own (probable) submission Lusers [1]
    !condition = ${if eq{$interface_port}{587}}
    # and/or skip check of cron reports from boxen with no <domain>.<tld>
    # (the leading empty item matches a connection with no sender host)
    !hosts     = : +relay_from_hosts
    # skips whitelisted MTA we forgive despite rDNS fail
    # ({yes}{no} turns the lookup into a clean boolean for 'condition';
    # returning the raw file data would defer on anything but yes/no/1/0)
    !condition = ${lookup{$sender_address}lsearch{/path/VIP-pass}{yes}{no}}
    # 'NOT' meaning trigger the deny if verification *fails*
    !verify    = reverse_host_lookup
====
HTH,
Bill
[1] a positive conditional also works in this stack position, as in;
condition = ${if eq{$interface_port}{25}}
Which excludes 587, 465, and *other* custom Luser-submission ports used
to get around firewalls. If any.
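To make the "stacked, not nested" point concrete, here is a small Python model of how Exim walks the conditions under a single `deny` verb: in the order written, all must be true for the verb to fire, and testing stops at the first false one, so every `!` line is an exemption that short-circuits the rest. This is an added illustration written for this page, not Exim code and not from the original post; the connection records, the `+relay_from_hosts` stand-in and the VIP list are constructed sample data, and `rdns_ok` stands in for what `verify = reverse_host_lookup` would return.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """One inbound SMTP connection as the ACL would see it (constructed)."""
    interface_port: int     # $interface_port
    sender_host: str        # sending host; "" for local/unknown, as matched by Exim's empty list item
    sender_address: str     # $sender_address
    rdns_ok: bool           # stand-in for the result of 'verify = reverse_host_lookup'


# Constructed stand-ins for +relay_from_hosts and /path/VIP-pass.
RELAY_FROM_HOSTS = frozenset({"192.0.2.10"})
VIP_PASS = frozenset({"aunt@example.org"})

# The post's deny stack, in the order written: (label, negated, predicate).
# A leading '!' in Exim inverts the condition; here that is the boolean flag.
DENY_STACK = [
    ("port 587",      True, lambda c: c.interface_port == 587),
    ("relay host",    True, lambda c: c.sender_host == "" or c.sender_host in RELAY_FROM_HOSTS),
    ("VIP sender",    True, lambda c: c.sender_address.lower() in VIP_PASS),
    ("rDNS verifies", True, lambda c: c.rdns_ok),
]


def evaluate_deny(conn, stack=DENY_STACK):
    """Mirror Exim's rule for one verb: conditions are tested in order, the verb
    fires only if every one is true, and testing stops at the first false one.
    Returns (denied, labels of the conditions that were actually evaluated)."""
    evaluated = []
    for label, negated, predicate in stack:
        evaluated.append(label)
        outcome = predicate(conn)
        if negated:
            outcome = not outcome
        if not outcome:
            # An exemption matched (or rDNS verified): the deny does not fire.
            return False, evaluated
    return True, evaluated


# Constructed connections covering each exit point of the stack.
SAMPLES = {
    "own user on 587":       Connection(587, "203.0.113.5", "kid@example.org", False),
    "cron job, local host":  Connection(25, "", "root@localhost", False),
    "VIP with broken rDNS":  Connection(25, "198.51.100.7", "Aunt@example.org", False),
    "stranger, broken rDNS": Connection(25, "198.51.100.9", "offer@example.net", False),
    "stranger, good rDNS":   Connection(25, "198.51.100.11", "news@example.com", True),
}


def rdns_lookups_needed(stack, conns):
    """Count how many connections reach the slow, network-bound rDNS condition
    under a given ordering of the stack."""
    return sum(1 for c in conns if "rDNS verifies" in evaluate_deny(c, stack)[1])


if __name__ == "__main__":
    for name, conn in SAMPLES.items():
        denied, seen = evaluate_deny(conn)
        verdict = "DENY" if denied else "pass"
        print(f"{name:24} {verdict:5} after {len(seen)} test(s): {' -> '.join(seen)}")
    # Re-ordering is safe (same verdicts) but changes how often the expensive check runs.
    reordered = [DENY_STACK[3]] + DENY_STACK[:3]
    print("rDNS lookups, post's order:", rdns_lookups_needed(DENY_STACK, SAMPLES.values()))
    print("rDNS lookups, rDNS first  :", rdns_lookups_needed(reordered, SAMPLES.values()))
```

Running it shows the submission client leaving after one test, the local cron report after two, the forgiven VIP after three, and only genuine strangers paying for the reverse lookup; putting the rDNS line first gives identical verdicts but performs the lookup for every connection, which is the cost the post's descending-likelihood ordering avoids.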