Bug#387078: exim4-config: local_host_whitelist man page entries a bit confusing

Ross Boylan ross at betterworld.us
Sat Sep 16 19:05:15 UTC 2006


On Tue, Sep 12, 2006 at 09:09:56AM -0700, Ross Boylan wrote:
> On Tue, Sep 12, 2006 at 09:39:08AM +0200, Marc Haber wrote:
> > On Mon, Sep 11, 2006 at 11:15:19PM -0700, Ross Boylan wrote:
> > > The man page describing local_host_whitelist could be a little clearer.
> > > 
> > > First, there is no subhead in the DESCRIPTION section for
> > > local_host_whitelist.
> > > 
> > > Second, the fact that this file was only mentioned under
> > > local_host_blacklist, along with the text "For convenience, as an
> > > additional method to whitelist addresses from being blocked,  an
> > > explicit  whitelist  is  read  in  from
> > > /etc/exim4/local_host_whitelist. Entries in the whitelist override
> > > corresponding blacklist entries. " supported the 2nd of 2
> > > interpretations:
> > > 1) if the sending host is on the whitelist, the message will be
> > > accepted.
> > > 2) if the sending host is on the blacklist and the whitelist, it will
> > > not be blocked because of the whitelist, but it might be blocked for
> > > other reasons.
> > > 
> > > I think, after looking at the code, that 1) is what is happening.
> > 
> > Right.
> 
> I don't seem to be getting the behavior of 1).
> /etc/exim4/local_host_whitelist
> 63.123.252.6
> 
> but I still get
> 2006-09-12 02:48:48 Direct remote connection from  63.123.252.6  claiming to be EXCHFR102.domain-01.com
> 2006-09-12 02:49:08 no IP address found for host EXCHFR102.domain-01.com (during SMTP connection from (EXCHFR102.domain-01.com) [63.123.252.6])
> 2006-09-12 02:49:48 63.123.252.6  pretending to be EXCHFR102.domain-01.com
> 2006-09-12 02:50:09 H=(EXCHFR102.domain-01.com) [63.123.252.6]
> F=<xxx at xxxxxxxxx> rejected RCPT <xxx at xxx>:
> 
> [edresses obscured].
> I did an invoke-rc.d exim4 reload before this (though I  don't think
> that should have been necessary).
> 
> I've customized my rules significantly, not only enabling the check of
> reverse DNS but plugging in some of my own ACL's or fragments.  I need
> to check exactly what's going on.  

What's going on is that I have customized things sufficiently that the
rule is not being invoked.

> 
> > 
> > >   At the moment, it happens to be what I want (in particular, someone
> > >   is sending me mail from a machine without proper DNS entries).
> > > 
> > > So I think it would be good to give local_host_whitelist a separate
> > > entry, and to clarify if interpretation 1, 2, or something else is
> > > correct.
> > 
> > I agree. Can you give a text proposal or a patch for the man page?
> > 
> I can do that after I make sure I understand how it's working.  As I
> said, I suspect it's just some local stuff that is breaking the
> expected behavior.

Now, on the understanding front, I'm still a bit puzzled.  If the
behavior were 1), I would expect the (Debian default) ACL's to have an
accept if whitelisted early on.  Instead, there are a whole bunch of
tests with
    !acl = acl_whitelist_local_deny
to skip them.  I also am puzzled about the _deny at the end, though I
guess they are being used (as above) to deny certain rules.

There are also tests (e.g., 30_exim4_config_check_mail) that do not
use acl_whitelist_local_deny.

Ross
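
The difference between the two readings discussed in this thread, as an added sketch that is not part of the original message and is not Debian's configuration: a simplified first-match ACL evaluator run over two constructed rule lists. The addresses, rule labels and condition names are assumptions made for illustration.

```python
# Simplified model of first-match ACL evaluation (constructed rules, not Debian's).
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class Host:
    ip: str
    rdns_ok: bool  # True when forward and reverse DNS agree

# Constructed stand-ins for local_host_whitelist / local_host_blacklist.
WHITELIST = {"192.0.2.10"}
BLACKLIST = {"192.0.2.10", "192.0.2.66"}

Cond = Callable[[Host], bool]
Rule = Tuple[str, str, List[Cond]]  # (verb, label, conditions that must all hold)

def whitelisted(h: Host) -> bool: return h.ip in WHITELIST
def blacklisted(h: Host) -> bool: return h.ip in BLACKLIST
def bad_rdns(h: Host) -> bool: return not h.rdns_ok
def negate(c: Cond) -> Cond: return lambda h: not c(h)  # models "!acl = ..."

# Interpretation 1: a whitelisted host is accepted before any other test runs.
EARLY_ACCEPT: List[Rule] = [
    ("accept", "whitelist", [whitelisted]),
    ("deny", "blacklist", [blacklisted]),
    ("deny", "rdns", [bad_rdns]),
    ("accept", "default", []),
]

# Interpretation 2: the whitelist only disables deny rules that test for it.
PER_RULE_EXEMPTION: List[Rule] = [
    ("deny", "blacklist", [negate(whitelisted), blacklisted]),
    ("deny", "rdns", [bad_rdns]),  # carries no whitelist exemption
    ("accept", "default", []),
]

def evaluate(rules: List[Rule], host: Host) -> Tuple[str, str]:
    """Return (verb, label) of the first rule whose conditions all hold."""
    for verb, label, conds in rules:
        if all(c(host) for c in conds):
            return verb, label
    return "deny", "implicit"  # running off the end of the list denies

if __name__ == "__main__":
    h = Host("192.0.2.10", rdns_ok=False)  # whitelisted, blacklisted, broken DNS
    print("early accept:      ", evaluate(EARLY_ACCEPT, h))
    print("per-rule exemption:", evaluate(PER_RULE_EXEMPTION, h))
```

In this model, any deny rule that lacks the negated whitelist condition still applies to a whitelisted host, so when auditing a rule set the check is which deny rules carry the exemption.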



