Re: [exim] ACL blocking & senders conditional check?

Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: Re: [exim] ACL blocking & senders conditional check?
Hi Paul,

Paul Key via Exim-users <exim-users@???> (Wed 19 May 2021 16:41:49 CEST):
> Hi,
>
> Using an acl_check_rcpt in exim.conf we are trying to both block and whitelist incoming email addresses in the same acl.
>
> Currently we have:
>
> deny message = $sender_host_address is listed in user blocking list
>
> condition = ${lookup {$sender_address}wildlsearch{/etc/exim/whitelist.senders} {no}{yes}}
> condition = ${lookup {$sender_address}wildlsearch{/etc/exim/blocking_list} {yes}{no}}
>
> in whitelist.senders we have an email address "example@???" which we want to allow through but in blocking_list we have an entry "*@*.cloud".
> So first we check the whitelist - which matches in the case of receiving an email from "example@???" but if no match then should move onto the blocking_list.


Yes, and if there is a match, your lookup returns "no", which should
stop processing *this* ACL block.

> However it looks like the acl is just evaluating the first condition and not processing the second condition whatever the condition result is.


How can you tell? Did you test debugging this? The simplest way is doing
something like

        swaks -q rcpt -f example@??? -t foo@??? --pipe 'exim -bh 0.0.0.0'


> Is there syntax for an ACL something like:
> If <this condition> AND NOT <that condition>
>
> To provide one evaluation result for acl_check_rcpt searching both a blocking_list and a whitelist?


The expressions of a "block" are evaluated in order, *until* an
expression returns "false". If all expressions return true, the block's
verb is executed, otherwise ACL processing jumps to the next block.

Exceptions are
- the verb "require": if *all* expressions are true, the processing
continues with the next block, otherwise an error (e.g. 5xx) is
returned.
- the expression "endpass"


I used the following example config:

    acl_smtp_rcpt = acl_check_rcpt
    begin acl
    acl_check_rcpt:
            deny  
            message = $sender_host_address is listed in user blocking list          
            condition = ${lookup {$sender_address}wildlsearch{$config_dir/whitelist.senders} {no}{yes}}
            condition = ${lookup {$sender_address}wildlsearch{$config_dir/blocking_list} {yes}{no}}


With these additional files:
        # whitelist.senders
        foo@???


        # blocking_list
        *@*.com


and ran the following command

        swaks  -f 'foo@???' -t bar@??? --pipe 'exim -C /tmp/x.conf -bh 0.0.0.0' -q rcpt


which produced this output (as expected):

    …
    <-  250-SMTPUTF8
    <-  250 HELP
     -> MAIL FROM:<foo@???>
    <-  250 OK
     -> RCPT TO:<bar@???>
    >>> using ACL "acl_check_rcpt"
    >>> processing "deny" (/tmp/x.conf 6)
    >>>   message: $sender_host_address is listed in user blocking list
    >>> foo@??? in "foo@???"? yes (matched "foo@???")
    >>> check condition = ${lookup {$sender_address}wildlsearch{$config_dir/whitelist.senders} {no}{yes}}
    >>>                 = no
    >>> deny: condition test failed in ACL "acl_check_rcpt"
    >>> end of ACL "acl_check_rcpt": implicit DENY
    LOG: H=(x1.schlittermann.de) [0.0.0.0] F=<foo@???> rejected RCPT <bar@???>
    <** 550 Administrative prohibition
     -> QUIT
    <-  221 x1 closing connection
    === Connection closed with child process.




    Best regards from Dresden/Germany
    Many greetings from Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
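
The evaluation order described in the message above, as an added example that is not part of the original post and is not Exim code: a simplified Python model of how a block's conditions short-circuit, and why the whitelisted sender in the debug output still ends in a 550 (the `deny` block is skipped and the ACL reaches its implicit deny). The list contents, the sample addresses and the trailing `accept` block are constructed assumptions, and the two matching functions are stand-ins that do not reimplement `wildlsearch`.

```python
# Simplified model of Exim ACL block evaluation (added example, not Exim code).
WHITELIST = {"foo@example.com"}        # constructed stand-in for whitelist.senders
BLOCKED_SUFFIXES = (".cloud",)         # constructed stand-in for blocking_list

def whitelisted(sender):
    return sender.lower() in WHITELIST

def blocklisted(sender):
    return sender.lower().endswith(BLOCKED_SUFFIXES)

# The thread's block: condition 1 is the inverted whitelist lookup ({no}{yes}),
# condition 2 is the blocklist lookup ({yes}{no}).
DENY_BLOCK = ("deny", [("not whitelisted", lambda s: not whitelisted(s)),
                       ("blocklisted", blocklisted)])
ACCEPT_BLOCK = ("accept", [])          # hypothetical trailing block, no conditions

def run_acl(blocks, sender):
    """Return (verdict, trace) for one RCPT, following the rules in the reply."""
    trace = []
    for verb, conditions in blocks:
        failed = None
        for name, test in conditions:  # evaluated in order ...
            if not test(sender):       # ... until one is false
                failed = name
                break
        if failed is not None:
            trace.append(f"{verb}: condition '{failed}' failed")
            if verb == "require":      # require: a false condition rejects
                return "deny", trace
            continue                   # other verbs: jump to the next block
        trace.append(f"{verb}: all conditions true")
        if verb in ("accept", "deny"):
            return verb, trace
        # require with all conditions true continues with the next block
    trace.append("end of ACL: implicit deny")
    return "deny", trace

if __name__ == "__main__":
    senders = ("foo@example.com", "bar@mail.example.cloud", "baz@example.org")
    for acl_name, acl in (("deny only", [DENY_BLOCK]),
                          ("deny + accept", [DENY_BLOCK, ACCEPT_BLOCK])):
        for sender in senders:
            verdict, trace = run_acl(acl, sender)
            print(f"{acl_name:14} {sender:24} {verdict:7} {' | '.join(trace)}")
```

With only the `deny` block, every sender is rejected, whitelisted or not; the trace shows whether the rejection came from the block itself or from the implicit deny at the end of the ACL.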