Discussion:
hostlist, net-lsearch and negative items
Wolfgang Hennerbichler
2007-10-10 18:37:04 UTC
Hi list,

I'm encountering a problem for which I currently can't find a solution.
I've used a host-list-file in an ACL that worked perfectly for me.
Now I want to integrate that host-list-file in a 'hostlist', because
I want to re-use it in a router.

The file looks like this (example IPs):

cat /etc/exim4/relay_access
!10.0.0.1
10.0.0.0/8

basically I want to prevent 10.0.0.1 from relaying. So I have this ACL:
accept hosts = /etc/exim4/relay_access
which works. As I want to re-use that list in a router, I'd like to
put it in a host-list. So I have thought of something like this:

hostlist relay_from_hosts = net-lsearch;/etc/exim4/relay_access
or
hostlist relay_from_hosts = net-iplsearch;/etc/exim4/relay_access

this works too, except for the negative item. The 10.0.0.1 IP address
would be allowed relay access, if I used the hostlist
relay_from_hosts in my ACL. It seems as if the "!" is simply no
longer a negation but a string in this case.

I expected the solution to be easy, but right now I'm stuck. Am I
missing something? Is there a way to re-use the information in that
file in a router?

Thanks for any replies.

wogri
--
***@wogri.com
http://www.wogri.com
http://www.einradfilm.at
--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
W B Hacker
2007-10-10 19:30:32 UTC
Post by Wolfgang Hennerbichler
Hi list,
I'm encountering a problem for which I currently can't find a solution.
I've used a host-list-file in an ACL that worked perfectly for me.
Now I want to integrate that host-list-file in a 'hostlist', because
I want to re-use it in a router.
cat /etc/exim4/relay_access
!10.0.0.1
10.0.0.0/8
accept hosts = /etc/exim4/relay_access
which works. As I want to re-use that list in a router, I'd like to
hostlist relay_from_hosts = net-lsearch;/etc/exim4/relay_access
or
hostlist relay_from_hosts = net-iplsearch;/etc/exim4/relay_access
this works too, except for the negative item. The 10.0.0.1 IP address
would be allowed relay access, if I used the hostlist
relay_from_hosts in my ACL. It seems as if the "!" is simply no
longer a negation but a string in this case.
I expected the solution to be easy, but right now I'm stuck. Am I
missing something? Is there a way to re-use the information in that
file in a router?
Thanks for any replies.
wogri
We do almost the identical thing as your pre-hostlist example.

But having never thought to apply the 'negation', we simply maintain two files,

~/IP-block and ~/IP-pass

Plus another set for HELO and FQDN strings ~/REGEXP-pass & ~/REGEXP-block

Why not a 'hostlist'?

- Routers and acl's are just as happy with flat files or DB calls.

- We don't want to trigger a DNS lookup on IPs that are either known to not
HAVE a DNS record, HELO or FQDN strings known to be forged, or either type that
are to be blocked unconditionally in any case.

Likewise easier for the 'wetware' to remember what is what - not to mention
privileges isolation as to editing, updating...

CAVEAT: AFAIK hostlists AND DNS lookups are cached by Exim, but results of SQL
or flat-file reads are NOT. So there can be a performance hit.

HTH,

Bill Hacker
--
Wolfgang Hennerbichler
2007-10-10 20:37:24 UTC
Post by W B Hacker
Post by Wolfgang Hennerbichler
cat /etc/exim4/relay_access
!10.0.0.1
10.0.0.0/8
accept hosts = /etc/exim4/relay_access
which works. As I want to re-use that list in a router, I'd like to
We do almost the identical thing as your pre-hostlist example.
But having never thought to apply the 'negation', we simply maintain two files,
....
before you replied, I decided to do something different - don't know
if this is considered hack-ish or not:
I set an ACL variable if somebody is actively relaying. I do this
with one simple line in the ACL:

accept hosts = /etc/exim4/relay_access
set acl_c1 = true

so now I can deal with this variable in my router-condition:

condition = ${if and { {!eq {$received_protocol}{spam-scanned}} {<
{$message_size }{300K}} {!eq {$acl_c1}{true}} } }

I hope this is "a good way" to do this.
Post by W B Hacker
CAVEAT: AFAIK hostlists AND DNS lookups are cached by Exim, but results of SQL
or flat-file reads are NOT. So there can be a performance hit.
the file is very small (not more than 10 lines). I rely on OS-Caching
to not make that my performance bottleneck.

thanks for your reply;
wogri
--
***@wogri.com
http://www.wogri.com
http://www.einradfilm.at
--
W B Hacker
2007-10-10 21:31:29 UTC
Post by Wolfgang Hennerbichler
Post by W B Hacker
Post by Wolfgang Hennerbichler
cat /etc/exim4/relay_access
!10.0.0.1
10.0.0.0/8
accept hosts = /etc/exim4/relay_access
which works. As I want to re-use that list in a router, I'd like to
We do almost the identical thing as your pre-hostlist example.
But having never thought to apply the 'negation', we simply maintain two files,
....
before you replied, I decided to do something different - don't know
I set an ACL variable if somebody is actively relaying. I do this
accept hosts = /etc/exim4/relay_access
set acl_c1 = true
condition = ${if and { {!eq {$received_protocol}{spam-scanned}} {<
{$message_size }{300K}} {!eq {$acl_c1}{true}} } }
I hope this is "a good way" to do this.
Dunno if all here would consider it such, but whatever gets the job done.

JFWIW, I'm using *far* more complex acl_[c|m] variable handling, such as
iterating through the recipients to SELECT, adjust, and store both the
most-tolerant and least-tolerant preference integers of the recipients specified
for a given message.

On arrival to DATA phase, I am carrying MIN and MAX tolerance thresholds for
that ad hoc group.

If the *message* has then scored below MIN when RFC, rDNS, HELO, etc 'demerits'
+ SA's spam_int scores are summed, accept for all.

If above MAX deny for all.

If in between MIN MAX, then 'fakereject' and distribute per prefs in routers -
some normal Inbox, some quarantined, some blackholed.

Doesn't *quite* cover true individualized per-recipient handling post DATA
phase, but does give an in-session message, so no need for post-smtp-session
potentially-collateral-spam bounce generation.
Post by Wolfgang Hennerbichler
Post by W B Hacker
CAVEAT: AFAIK hostlists AND DNS lookups are cached by Exim, but results of SQL
or flat-file reads are NOT. So there can be a performance hit.
the file is very small (not more than 10 lines). I rely on OS-Caching
to not make that my performance bottleneck.
Hadn't thought of that, but sure - given the 2 to 4 GB of RAM we run, it
probably would do..
Post by Wolfgang Hennerbichler
thanks for your reply;
wogri
Not only does 'one hand wash the other' here, but even an off-the-wall thought
can trigger a better one...

As time-zones change, we'll no doubt hear several better ways yet...

Bill Hacker
--