[Pkg-exim4-users] Help with a deny IP list?
Aileen Carlstrom
acarls at zcorum.com
Mon Mar 30 20:42:48 UTC 2009
This (exim -bhc 1.2.3.4) proved very useful! Thank you, and it leads to a
followup. When I ran it with my current config, I saw that the local_host_blacklist
was not being evaluated at all. I added a section for it to
/etc/exim4/conf.d/acl/20_exim4-config_local_deny_exceptions and updated my
config. Voila, it is now being evaluated, but the relay_allow seems to be
overriding the blacklist. Is that just how it is, or is there an order to
evaluate the conditions which results in an IP that is part of relay_allow
AND the blacklist being blocked? (In other words, I'd like the local blacklist
to take precedence over the relay_allow)
I am not testing from localhost, I'm coming from my own workstation. Desired end
result - if I get a naughty local user, I want to toss him into the blacklist file
until such time as we can get him/his machine to not be naughty. I can do this with
my old ancient monolithic config, but I want to move forward using The Debian Way.
Here is the relevant bit of the results from exim -bhc:
>>> processing "deny"
>>> check hosts = ${if exists{/etc/exim4/local_host_blacklist}{/etc/exim4/local_host_blacklist}{}}
>>> host in "/etc/exim4/local_host_blacklist"? yes (matched "my.ip" in /etc/exim4/local_host_blacklist)
>>> deny: condition test succeeded
>>> check senders = ${if exists{/etc/exim4/local_sender_callout}{/etc/exim4/local_sender_callout}{}}
>>> acarls at zcorum.com in ""? no (end of list)
>>> deny: condition test failed
>>> processing "accept"
>>> check hosts = +relay_from_hosts
>>> host in "/etc/exim4/relay_allow : 127.0.0.1 : ::::1"? yes (matched "my.ip.block" in /etc/exim4/relay_allow)
>>> host in "+relay_from_hosts"? yes (matched "+relay_from_hosts")
>>> check control = submission/sender_retain
>>> accept: condition test succeeded
250 Accepted
quit
221 qsmtp8 closing connection
Thanks again,
Aileen Carlstrom
> Message: 2
> Date: Sun, 29 Mar 2009 13:14:19 +0200
> From: Christian Schmidt <christian at siebenbergen.de>
> Subject: Re: [Pkg-exim4-users] Help with a deny IP list?
> To: pkg-exim4-users at lists.alioth.debian.org
> Message-ID: <20090329111419.GB24181 at chemie.uni-hamburg.de>
> Content-Type: text/plain; charset=us-ascii
>
> Hello Andreas,
>
> Andreas Metzler, 29.03.2009 (d.m.y):
>
> > Aileen Carlstrom <acarls at zcorum.com> wrote:
> > > Reading the documentation leads me to believe that all I *should* have
> > > to do is create a file named local_host_blacklist in the /etc/exim4
> > > folder and populate it with the IPs I wish to be banned. Done and Done,
> > > and yet when I run update-exim4.conf (not sure I even need to do that,
> > > but it seems like it would not hurt) and restart the daemon,
> >
> > both not necessary. ;-)
> >
> > > my IP, which I put in the blacklist file, can still send just fine.
> > [...]
> >
> >
> > In the acl evaluating the host-blacklist happens after accepting all
> > mail from +relay_from_hosts. The local host is usually included in
> > this hostlist and therefore bypasses the check for the blacklist.
> >
> > You'll need to use a remote testing host.
>
> What about running 'exim -bhc 1.2.3.4' (where 1.2.3.4 is the IP
> address of interest)?
>
> Regards,
> Christian
>
> --
> When one burns one's bridges, what a very nice fire it makes.
> -- Dylan Thomas
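
Added example (not part of the original thread and not the Debian package's shipped ACL): Exim evaluates ACL statements top to bottom and stops at the first accept or deny whose conditions all match, so the blacklist only takes precedence over relay_allow if its deny comes before the +relay_from_hosts accept. The ACL name acl_check_rcpt and the message text are assumptions; the file paths and conditions are the ones shown in the -bhc trace above.

```exim
# Sketch of the RCPT ACL ordering. ACL name and message text are assumed;
# paths and conditions are copied from the -bhc trace in the post.
acl_check_rcpt:

  # Order described in the thread (for comparison, commented out):
  #   accept  hosts = +relay_from_hosts        <- matches first, ACL ends here
  #   deny    hosts = .../local_host_blacklist <- never reached for relay hosts

  # 1. Blacklist first. A host listed here is refused even when it is
  #    also in relay_allow, because this statement ends ACL processing
  #    before the accept below is looked at.
  #    Keep hosts as the only condition: every condition in a statement
  #    must match, so adding e.g. a senders test would narrow the deny.
  deny
    message = host $sender_host_address is locally blacklisted
    hosts = ${if exists{/etc/exim4/local_host_blacklist}\
                 {/etc/exim4/local_host_blacklist}\
                 {}}

  # 2. Relay rights only for hosts that were not denied above.
  accept
    hosts = +relay_from_hosts
    control = submission/sender_retain
```

Rerunning `exim -bhc` with the blacklisted address should then show the deny statement ending the ACL before `+relay_from_hosts` is checked.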