Mailing List Archive: exim: users

ACL Question


joe at doehler

Nov 18, 2009, 7:07 PM

Post #1 of 10
ACL Question

I have been using Exim for 10+ years as a hobbyist, but I have never
touched the ACL until this week: I have been doing all my filtering in
"local_scan()". My first try at using the ACL does not work. Because all
the outgoing mail from my domain originates from a local network, I am
trying to deny mail with the following properties:
- Source from public IP addresses
- And return address that uses my domain name, that I consider spoofed.

In the "acl_check_rcpt" section, I write:
deny message = Some message
domains = +local_domains
hosts = !+relay_from_hosts

What results from this is that all mail from public IP addresses is
denied - not the intent. I am missing something elementary, but I do not
know what it is. Help would be appreciated.

If this helps, here is the list definition:

domainlist local_domains = @ : localhost : mylastname.us : localhost.localdomain
domainlist relay_to_domains =
hostlist relay_from_hosts = 127.0.0.1 : 192.168.1.0/8

TIA - Joe.


--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


exim-users at spodhuis

Nov 18, 2009, 7:20 PM

Post #2 of 10
Re: ACL Question [In reply to]

On 2009-11-18 at 22:07 -0500, Joe Doehler wrote:
> I have been using Exim for 10+ years as a hobbyist, but I have never
> touched the ACL until this week: I have been doing all my filtering in
> "local_scan()". My first try at using the ACL does not work. Because all
> the outgoing mail from my domain originates from a local network, I am
> trying to deny mail with the following properties:
> - Source from public IP addresses
> - And return address that uses my domain name, that I consider spoofed.
>
> In the "acl_check_rcpt" section, I write:
> deny message = Some message
> domains = +local_domains
> hosts = !+relay_from_hosts
>
> What results from this is that all mail from public IP addresses is
> denied - not the intent. I am missing something elementary, but I do not
> know what it is. Help would be appreciated.

"domains" tests the _recipient_ domain. You want to test the _sender_
domain.

Try:

deny message = Some message
condition = ${match_domain{$sender_address_domain}{+local_domains}}
hosts = !+relay_from_hosts

As a safety measure, it might be worth listing @[] in the definition of
relay_from_hosts.

Regards,
-Phil



joe at doehler

Nov 18, 2009, 8:40 PM

Post #3 of 10
Re: ACL Question [In reply to]

Phil Pennock wrote:
...
> Try:
>
> deny message = Some message
> condition =
${match_domain{$sender_address_domain}{+local_domains}}
> hosts = !+relay_from_hosts
>
...

Thanks for your reply.

I get this error message from Exim:
"${match_domain" is not a known operator

I am working with Exim 4.69. This is puzzling, as the "match_domain"
operator appears to have been there even in earlier versions.

Joe.



exim-users at spodhuis

Nov 18, 2009, 8:44 PM

Post #4 of 10
Re: ACL Question [In reply to]

On 2009-11-18 at 23:40 -0500, Joe Doehler wrote:
> Phil Pennock wrote:
> ...
> > Try:
> >
> > deny message = Some message
> > condition =
> ${match_domain{$sender_address_domain}{+local_domains}}
> > hosts = !+relay_from_hosts
> >
> ...
>
> Thanks for your reply.
>
> I get this error message from Exim:
> "${match_domain" is not a known operator
>
> I am working with Exim 4.69. This is puzzling, as the "match_domain"
> operator appears to have been there even in earlier versions.

Sorry, my mistake (hastiness): match_domain is an expansion condition.
It needs to be after an if (or within the branches of and/or).

condition = ${if match_domain{$sender_address_domain}{+local_domains}}

-Phil



joe at doehler

Nov 18, 2009, 9:14 PM

Post #5 of 10
Re: ACL Question [In reply to]

Phil Pennock wrote:
> Sorry, my mistake (hastiness): match_domain is an expansion condition.
> It needs to be after an if (or within the branches of and/or).
>
> condition = ${if match_domain{$sender_address_domain}{+local_domains}}
>
> -Phil
I must say that the functions you are using are rather obscure, but your
latest syntax seems to work. Thanks a lot.

Joe.


exim-users at spodhuis

Nov 18, 2009, 9:44 PM

Post #6 of 10
Re: ACL Question [In reply to]

On 2009-11-19 at 00:14 -0500, Joe Doehler wrote:
> Phil Pennock wrote:
> > Sorry, my mistake (hastiness): match_domain is an expansion condition.
> > It needs to be after an if (or within the branches of and/or).
> >
> > condition = ${if match_domain{$sender_address_domain}{+local_domains}}

> I must say that the functions you are using are rather obscure, but your
> latest syntax seems to work. Thanks a lot.

Oh, right. This is an ACL, not a Router. So there's an easier way.
I'm sorry.

sender_domains = +local_domains

*sigh*
-Phil



john.horne at plymouth

Nov 19, 2009, 4:58 AM

Post #7 of 10
Re: ACL Question [In reply to]

On Wed, 2009-11-18 at 22:07 -0500, Joe Doehler wrote:
> I have been using Exim for 10+ years as a hobbyist, but I have never
> touched the ACL until this week: I have been doing all my filtering in
> "local_scan()". My first try at using the ACL does not work. Because all
> the outgoing mail from my domain originates from a local network, I am
> trying to deny mail with the following properties:
> - Source from public IP addresses
> - And return address that uses my domain name, that I consider spoofed.
>
> In the "acl_check_rcpt" section, I write:
> deny message = Some message
> domains = +local_domains
> hosts = !+relay_from_hosts
>
> What results from this is that all mail from public IP addresses is
> denied - not the intent. I am missing something elementary, but I do not
> know what it is. Help would be appreciated.
>
> If this helps, here is the list definition:
>
> domainlist local_domains = @ : localhost : mylastname.us :
> localhost.localdomain
> domainlist relay_to_domains =
> hostlist relay_from_hosts = 127.0.0.1 : 192.168.1.0/8
^^^^^^^^^^^^^

Minor point - shouldn't that be 192.168.0.0/16 or 192.168.1.0/24, or even
192.0.0.0/8?



John.

--
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001




awd-exim at awdcomp

Nov 19, 2009, 5:14 AM

Post #8 of 10
Re: ACL Question [In reply to]

John Horne wrote:
> On Wed, 2009-11-18 at 22:07 -0500, Joe Doehler wrote:
>> I have been using Exim for 10+ years as a hobbyist, but I have never
>> touched the ACL until this week: I have been doing all my filtering in
>> "local_scan()". My first try at using the ACL does not work. Because all
>> the outgoing mail from my domain originates from a local network, I am
>> trying to deny mail with the following properties:
>> - Source from public IP addresses
>> - And return address that uses my domain name, that I consider spoofed.
>>
>> In the "acl_check_rcpt" section, I write:
>> deny message = Some message
>> domains = +local_domains
>> hosts = !+relay_from_hosts
>>
>> What results from this is that all mail from public IP addresses is
>> denied - not the intent. I am missing something elementary, but I do not
>> know what it is. Help would be appreciated.
>>

You are not checking to see if your domain is being spoofed.


deny message = some message
domains = +local_domains
hosts = !+relay_from_hosts
# match_domain is an expansion condition, so it must sit inside ${if ...}
condition = ${if match_domain{$sender_address_domain}{+local_domains}{true}{false}}


The above should do the job. (The condition line might appear to be across
2 lines, but it is actually one line.)

>> If this helps, here is the list definition:
>>
>> domainlist local_domains = @ : localhost : mylastname.us :
>> localhost.localdomain
>> domainlist relay_to_domains =
>> hostlist relay_from_hosts = 127.0.0.1 : 192.168.1.0/8
> ^^^^^^^^^^^^^
>
> Minor point - shouldn't that be 192.168.0.0/16 or 192.168.1.0/24 or even
> 192.0.0.0/8.
>

agreed


HTH
cya
Andrew

>
>
> John.
>




joe at doehler

Nov 19, 2009, 6:23 AM

Post #9 of 10
Re: ACL Question [In reply to]

Andrew wrote:

...
>> Minor point - shouldn't that be 192.168.0.0/16 or 192.168.1.0/24 or even
>> 192.0.0.0/8.
>>
>
> agreed
...

Thanks to all who have answered. The suggestions solved my problem. FYI,
this is a small network that's content with 256 IP addresses.

Joe.


bpaj at parrswood

Nov 19, 2009, 7:10 AM

Post #10 of 10
Re: ACL Question [In reply to]

On 19 Nov 2009, at 14:23, Joe Doehler <joe [at] doehler> wrote:

> Andrew wrote:
>
> ...
>>> Minor point - shouldn't that be 192.168.0.0/16 or 192.168.1.0/24
>>> or even
>>> 192.0.0.0/8.
>>>
>>
>> agreed
> ...
>
> Thanks to all who have answered. The suggestions solved my problem.
> FYI,
> this is a small network that's content with 256 IP addresses.
>
> Joe.
>
>

If it's supposed to be a 255.255.255.0, you want 192.168.1.0/24. /8 is
the same as 255.0.0.0, or 2^24-2 hosts.

Bryn


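The two corrections made in this thread (test the sender domain, not the recipient domain; and the /8 that really means 192.0.0.0/8) can be seen side by side with a small Python model of the ACL. This is an added example and not code from the thread or from Exim: the parsers handle only IPv4 entries, the "@" and "@[]" list items (local host name, local interface addresses) are left out because they need host information, and the sender/recipient cases are constructed for illustration. The list contents are the ones Joe posted.

```python
"""Model of the 'deny' statement from the thread (added example, not Exim code).

Two things it demonstrates:
  1. 'domains =' tests the RECIPIENT domain, so the ACL as first posted denies
     every message for a local domain that comes from a non-relay host;
     'sender_domains =' tests the envelope sender, which is the spoofing check.
  2. '192.168.1.0/8' is masked to 192.0.0.0/8, so any public address in
     192.x.x.x (192.0.2.7 below) counts as a trusted relay host and bypasses
     the spoofing check; /24 is what a 256-address LAN needs.
IPv4 only; the '@' / '@[]' items are omitted (they need host information).
"""
import ipaddress

# Lists as posted in the thread (minus '@'); the /8 is the entry John flagged.
LOCAL_DOMAINS = "localhost : mylastname.us : localhost.localdomain"
RELAY_FROM_HOSTS_AS_POSTED = "127.0.0.1 : 192.168.1.0/8"
RELAY_FROM_HOSTS_FIXED = "127.0.0.1 : 192.168.1.0/24"


def parse_domainlist(spec):
    """Colon-separated Exim domainlist -> set of lowercase domain names."""
    return {item.strip().lower() for item in spec.split(":") if item.strip()}


def parse_hostlist(spec):
    """Colon-separated Exim hostlist of IPv4 addresses/CIDRs -> networks.

    strict=False reproduces what a prefix with host bits set means to Exim:
    192.168.1.0/8 becomes 192.0.0.0/8 (the host bits are masked off).
    """
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in spec.split(":") if item.strip()]


def host_matches(sender_ip, nets):
    """True if the connecting address is inside any listed network."""
    addr = ipaddress.ip_address(sender_ip)
    return any(addr in net for net in nets)


def deny_as_posted(sender_ip, sender_domain, rcpt_domain, local, relay):
    """deny  domains = +local_domains  hosts = !+relay_from_hosts

    A deny fires only when every condition is true: recipient domain is local
    AND connecting host is not in relay_from_hosts. The sender is never looked at.
    """
    return rcpt_domain.lower() in local and not host_matches(sender_ip, relay)


def deny_fixed(sender_ip, sender_domain, rcpt_domain, local, relay):
    """deny  sender_domains = +local_domains  hosts = !+relay_from_hosts"""
    return sender_domain.lower() in local and not host_matches(sender_ip, relay)


def usable_hosts(cidr):
    """Addresses in a block minus network and broadcast (Bryn's 2^24-2 for /8)."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses - 2


# Constructed cases: (label, connecting IP, envelope-sender domain, recipient domain)
CASES = [
    ("remote site mails a local user",  "203.0.113.5",  "example.org",   "mylastname.us"),
    ("spoofed local sender, public IP", "203.0.113.5",  "mylastname.us", "mylastname.us"),
    ("LAN host sends outbound",         "192.168.1.20", "mylastname.us", "example.org"),
    ("spoofed sender from 192.0.2.7",   "192.0.2.7",    "mylastname.us", "mylastname.us"),
]


def evaluate(relay_spec):
    """Run every case through both ACL forms; returns {label: (posted, fixed)}."""
    local = parse_domainlist(LOCAL_DOMAINS)
    relay = parse_hostlist(relay_spec)
    return {label: (deny_as_posted(ip, snd, rcpt, local, relay),
                    deny_fixed(ip, snd, rcpt, local, relay))
            for label, ip, snd, rcpt in CASES}


if __name__ == "__main__":
    for spec in (RELAY_FROM_HOSTS_AS_POSTED, RELAY_FROM_HOSTS_FIXED):
        nets = [str(n) for n in parse_hostlist(spec)]
        print(f"relay_from_hosts = {spec}  (matches {nets})")
        for label, (posted, fixed) in evaluate(spec).items():
            print(f"  {label:33} domains= deny={posted!s:5} sender_domains= deny={fixed}")
```

Run it and the first case shows Joe's symptom: with "domains =" the legitimate message from 203.0.113.5 to a local user is denied, while "sender_domains =" lets it through and still denies the spoofed one. The fourth case is the quieter problem: with the /8 as posted, a spoofed message from 192.0.2.7 is treated as coming from a relay host under both forms of the ACL, and only the /24 list closes that gap. Adding "@[]" to relay_from_hosts, as Phil suggests, covers the server's own interface addresses without widening the list any further.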
