Re: [exim-dev] ACL for outgoing connections?

Páxina inicial
Borrar esta mensaxe
Responder a esta mensaxe
Autor: Heiko Schlittermann
Data:  
Para: exim-dev
Asunto: Re: [exim-dev] ACL for outgoing connections?
Jeremy Harris <jgh@???> (Mo 12 Mai 2014 16:42:02 CEST):
> On 12/05/14 15:26, Heiko Schlittermann wrote:
> >I'm just attending the "Mailserver Conference" in Berlin (gave a talk
> >about Exim as an MTA-Framework ;)
> >
> >One of the questions that I got: Can we somehow control how outgoing
> >connections continue in face of *any* condition?
> >
> >Somehow it fits again into the gap with checks for an outgoing TLS
> >connection, but in a more general way. So, basically it's the
> >continuation of my messages from last week :)
> >
> >(The actual question was: I'd like to tear down the outgoing connection
> >as soon as I'm faced with a specific (E)SMTP banner. -- Don't ask why.)
>
> That's a fairly esoteric need. I wish I was allowed to ask why :)


Lets say there is a farm of load balanced backend hosts behind the same
IP. Their load balancer maps the traffic round robin to the backends.
But unfortunenately some of the backend servers are "lame". As soon
as I see the SMTP banner, I can tell if it's one of the known lame
servers.

> I'd be tempted to refuse to have a separate acl option for each
> possible SMTP command, but to have only one which was passed the
> command line (now that ACLs can take arguments, it doesn't even
> need a global).


I'm lost a bit. What command line you're talking about?
How could it look like in the configuration?

> Perhaps the TCP connect and the TLS verify could also be regarded
> as events also for such a callback. I'm having a hard time
> guessing when you'd ever want the TCP connect one though.


Imagine this as a last measure before the doing real connection,
But, in fact, I do not have a real use case for this currently.
It's mainly provided for completeness :) - because I think, if we
start implementing "ACL for outgoing connections" we should do it
completly.

(During my talk on the conference I stressed the point, that the Exim
design does not assume anything about your problem and about the
solutions, it justs gives you the tools.)

> I do think we need some better justification for the facility.
> Perhaps an Experimental build feature.


Yes.

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: 7CBF764A -
 gnupg fingerprint: 9288 F17D BBF9 9625 5ABC  285C 26A9 687E 7CBF 764A -
(gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2  7E92 EE4E AC98 48D0 359B)-