[Pkg-exim4-users] ACL runs twice

Marc Haber mh+pkg-exim4-users at zugschlus.de
Tue May 2 13:00:36 UTC 2006


On Tue, May 02, 2006 at 01:40:26PM +0100, Dermot Paikkos wrote:
> exim4-daemon-light | exim4-daemon-heavy
> 
> I have a split config and have added 
> WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE =/etc/exim4/local-acl
> to my local configuration file in /etc/exim4/conf.d/main.

So you have added your local rule to the acl_whitelist_local_deny
which is being used multiple times as a sub-ACL in other ACLs.

> What I have noticed is that exim4 appears to be running this test 
> twice on each incoming mail. This seems unnecessary.

No, it is not.

If you look in acl/30_exim4-config_check_rcpt, you'll see the
construct !acl = acl_whitelist_local_deny multiple times to exclude
whitelisted hosts and senders from multiple blacklist rules.

> Is it by design?

Yes, and a documented feature.

> What's more I want addresses in this white list to be accepted 
> without further tests. I am not sure how to do this. Should I put 
> another accept after the one above to end further testing once it has 
> returned a match?

First, please consider whether what you intend to do is really what
you want to do. By accepting sender addresses without any further
test, you'll make yourself a half-open relay since anybody who can
forge one of your valid senders can happily relay through your server.

Second, you want to modify acl_check_rcpt.

> Also is it recommended to use the WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE 
> macro?

If it were not recommended to be used, it wouldn't be present. But it
looks like you have a misconception about the way our configuration
uses the ACLs.

I have not yet understood where the misconception is.

> And if so should I remove all the 
> files in conf.d/acl/ and create a single acl file customised to my 
> needs (SA-EXIM ...etc)?

That depends on what you intend to do.

If you want to ditch all of our ACLs, you could
main/02_exim4-config_options to your own lists and just leave our
files around to avoid questions being asked on upgrade. Or you can
remove the files. Your choice.

Just be really really careful to not make yourself an open or
half-open relay.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Phone: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
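
Added example, not part of the message above and not the Debian package's own files: a simplified Exim ACL sketch of why the sub-ACL is evaluated once per blacklist rule, with the unconditional sender accept the reply warns about shown beside a scoped form. The file paths, the message texts and the domain list names local_domains and relay_to_domains are assumptions, and the list files are assumed to exist.

```exim
# Simplified sketch for illustration; paths and list names are assumptions.

# Sub-ACL: returns "accept" for whitelisted hosts or senders. Local rules
# are pulled in when the macro from the thread is defined.
acl_whitelist_local_deny:
  accept
    hosts = /etc/exim4/local_host_whitelist
  accept
    senders = /etc/exim4/local_sender_whitelist
  .ifdef WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
  .include WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
  .endif

acl_check_rcpt:
  # Each deny below carries its own "!acl =" exemption, so the sub-ACL
  # (and any local rule included in it) runs once per blacklist rule.
  # If the sub-ACL accepts, "!acl" is false and that deny is skipped.
  deny
    message = sender envelope address is locally blacklisted
    !acl = acl_whitelist_local_deny
    senders = /etc/exim4/local_sender_blacklist

  deny
    message = sender host is locally blacklisted
    !acl = acl_whitelist_local_deny
    hosts = /etc/exim4/local_host_blacklist

  # WEAK, kept commented out: the envelope sender is supplied by the client,
  # so this accepts mail for ANY recipient domain on an unverified claim.
  # accept
  #   senders = /etc/exim4/local_sender_whitelist

  # SCOPED: the whitelist only skips later checks for mail addressed to
  # domains this server handles; it never grants relaying to other domains.
  accept
    domains = +local_domains : +relay_to_domains
    senders = /etc/exim4/local_sender_whitelist
    verify = recipient
```

A fake SMTP session started with `exim4 -bh <client-ip>` prints each ACL statement as it is processed, which shows both passes through the sub-ACL and which accept or deny ends the check.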


