Bug#387078: exim4-config: local_host_whitelist man page entries a bit confusing

Marc Haber mh+debian-packages at zugschlus.de
Wed Sep 13 15:01:49 UTC 2006


On Tue, Sep 12, 2006 at 09:09:56AM -0700, Ross Boylan wrote:
> On Tue, Sep 12, 2006 at 09:39:08AM +0200, Marc Haber wrote:
> > On Mon, Sep 11, 2006 at 11:15:19PM -0700, Ross Boylan wrote:
> > > The man page describing local_host_whitelist could be a little clearer.
> > > 
> > > First, there is no subhead in the DESCRIPTION section for
> > > local_host_whitelist.
> > > 
> > > Second, the fact that this file was only mentioned under
> > > local_host_blacklist, along with the text "For convenience, as an
> > > additional method to whitelist addresses from being blocked, an
> > > explicit whitelist is read in from
> > > /etc/exim4/local_host_whitelist. Entries in the whitelist override
> > > corresponding blacklist entries. " supported the 2nd of 2
> > > interpretations:
> > > 1) if the sending host is on the whitelist, the message will be
> > > accepted.
> > > 2) if the sending host is on the blacklist and the whitelist, it will
> > > not be blocked because of the whitelist, but it might be blocked for
> > > other reasons.
> > > 
> > > I think, after looking at the code, that 1) is what is happening.
> > 
> > Right.
> 
> I don't seem to be getting the behavior of 1).
> /etc/exim4/local_host_whitelist
> 63.123.252.6
> 
> but I still get
> 2006-09-12 02:48:48 Direct remote connection from  63.123.252.6  claiming to be EXCHFR102.domain-01.com
> 2006-09-12 02:49:08 no IP address found for host EXCHFR102.domain-01.com (during SMTP connection from (EXCHFR102.domain-01.com) [63.123.252.6])
> 2006-09-12 02:49:48 63.123.252.6  pretending to be EXCHFR102.domain-01.com
> 2006-09-12 02:50:09 H=(EXCHFR102.domain-01.com) [63.123.252.6]
> F=<xxx at xxxxxxxxx> rejected RCPT <xxx at xxx>:

Can you use exim -bh 63.123.252.6 to find out why the rejection happens?

> I've customized my rules significantly, not only enabling the check of
> reverse DNS but plugging in some of my own ACL's or fragments.  I need
> to check exactly what's going on.  

exim -bh <ip-address> or exim -d -bh <ip-address> will be a big
helper. It expects you to simulate an SMTP session.

> > >   At the moment, it happens to be what I want (in particular, someone
> > >   is sending me mail from a machine without proper DNS entries).
> > > 
> > > So I think it would be good to give local_host_whitelist a separate
> > > entry, and to clarify if interpretation 1, 2, or something else is
> > > correct.
> > 
> > I agree. Can you give a text proposal or a patch for the man page?
> > 
> I can do that after I make sure I understand how it's working.  As I
> said, I suspect it's just some local stuff that is breaking the
> expected behavior.

I suspect that as well.

Whitelist honoring is configured inside each access list stanza.
Whenever you see something like "!acl = acl_whitelist_local_deny" in
an ACL stanza, the whitelist is honored for _this_ acl stanza only.
So, if it's one of your local rules that denies a whitelisted host,
you are probably not mentioning the white list in your local acl stanza.

Maybe it can help to take a look at the default configuration to find
out whether you have locally broken things or if our logic is at
fault. You can find the default configuration on Debian svn. We only
hold the split config in svn, though - refer to
http://svn.debian.org/wsvn/pkg-exim4/exim/trunk/debian/debconf/conf.d/?rev=0&sc=0.
The non-split config is built from the split config at package build
time.

Hope this helps.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
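
The per-stanza behaviour described in the message above can be checked mechanically. The following is an added example, not part of the original message or of the Debian exim4 packaging: a small Python lint that lists `deny` and `drop` stanzas that do not carry `!acl = acl_whitelist_local_deny`. The sample ACL text is constructed, and the parser assumes it is given ACL definitions only, with each stanza starting on a verb line.

```python
import re

VERBS = {"accept", "defer", "deny", "discard", "drop", "require", "warn"}
GUARD = re.compile(r"!\s*acl\s*=\s*acl_whitelist_local_deny\b")

# Constructed sample ACL, not the Debian default configuration.
SAMPLE = """
acl_check_rcpt:
  deny
    !acl = acl_whitelist_local_deny
    hosts = /etc/exim4/local_host_blacklist
  # local addition that never consults the whitelist
  deny
    !verify = reverse_host_lookup
"""

def logical_lines(text):
    """Yield (first_line_no, line); drop comments, join backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if start is None and (not line or line.startswith("#")):
            continue
        cont = line.endswith("\\")
        start, buf = start or no, buf + (line[:-1] if cont else line)
        if not cont:
            yield start, buf
            buf, start = "", None

def stanzas(text):
    """Yield (acl_name, line_no, verb, conditions) for each ACL stanza."""
    acl, cur = None, None
    for no, line in logical_lines(text):
        name = re.fullmatch(r"(\w+):", line)
        verb = (line.split(None, 1) or [""])[0]
        if name or verb in VERBS:
            if cur:
                yield cur
            acl = name.group(1) if name else acl
            # A condition may share the verb's line; keep it as the first entry.
            cur = None if name else (acl, no, verb, [line[len(verb):].strip()])
        elif cur:
            cur[3].append(line)
    if cur:
        yield cur

def unguarded_denials(text):
    """Return (acl, line, verb) for deny/drop stanzas lacking the whitelist guard."""
    return [(acl, no, verb) for acl, no, verb, conds in stanzas(text)
            if verb in ("deny", "drop") and not any(map(GUARD.match, conds))]
```

Stanzas reported by `unguarded_denials()` are the ones that can still reject a host listed in /etc/exim4/local_host_whitelist; `exim -bh` remains the way to confirm which stanza actually made the decision.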



