Quoting Moritz Wilhelmy (from 14/02/11 11:03):
>> Not a good idea to change Exim like that.
> Actually, I believe it doesn't require to "change" the exim code for that. You
> just need to append to a file, which I believe, exim already supports. Exim

Yes, it's called logging, and Exim already does this.

> already knows where the relay attempt came from, and tcp_wrappers support
> include-directives (according to hosts_access(5), it can include files), so
> including a /var/run/exim/hosts.deny from within the global config would be
> possible as well, if you don't want to give exim write permissions on the
> global tcp_wrapper configuration file(s).

You don't want to give Exim or any other system daemon file access permissions to anything beyond the strict minimum required to do its job.

> Any objections?

Loads :-) Linux is not the only platform, tcp_wrappers is not the only host firewall, many networks have edge defences a long way away from their accessible hosts. Standard logging is sufficient. And making host-level security decisions isn't the job of an MTA.

> Can't tell anything about fail2ban, but why run another daemon if exim is
> sufficient? Especially denyhosts (which I run) is very resource hungry in my
> experience.

There's no need for logging and log analysis to be running on the same host as your MTA, if you have resource issues.

I just think you're overcomplicating things. Exim is an MTA, it already logs all the data you need to make firewall changes, there's no point in asking it to do something distro/task-specific.

-jim
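Added example, not part of the original message or of Exim: a log-analysis sketch that can run on a separate log host and picks out client addresses with repeated relay rejections from Exim main-log lines, leaving the blocking decision to whatever firewall or edge device is in use. The sample lines are constructed, and the rejection text `relay not permitted`, the function name `relay_offenders`, the threshold and the time window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address

# Assumption: the RCPT ACL logs the message "relay not permitted".
# The client address is the bracketed field after the optional hostname and
# (HELO) string; a client-supplied HELO literal such as ([192.0.2.9]) is skipped.
RELAY_REJECT = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) H=(?:[^\s(\[]\S* )?(?:\(\S*\) )?"
    r"\[([0-9A-Fa-f:.]+)\](?::\d+)? .*rejected RCPT .*: relay not permitted$"
)

# Constructed sample lines (documentation address ranges), oldest first.
SAMPLE_LOG = """\
2011-02-14 09:00:00 H=(slow.example) [198.51.100.7] F=<a@example.net> rejected RCPT <b@example.org>: relay not permitted
2011-02-14 10:30:00 H=(slow.example) [198.51.100.7] F=<a@example.net> rejected RCPT <c@example.org>: relay not permitted
2011-02-14 11:03:07 H=(mail.example) [203.0.113.5] F=<a@example.net> rejected RCPT <b@example.org>: relay not permitted
2011-02-14 11:03:09 H=(mail.example) [203.0.113.5] F=<a@example.net> rejected RCPT <c@example.org>: relay not permitted
2011-02-14 11:03:12 H=([192.0.2.9]) [203.0.113.5] F=<a@example.net> rejected RCPT <d@example.org>: relay not permitted
2011-02-14 11:04:00 H=host.example (helo.example) [2001:db8::25]:51234 F=<x@example.net> rejected RCPT <y@example.org>: relay not permitted
2011-02-14 11:05:00 1PoabC-0001Xy-2Z <= u@example.com H=(ok.example) [198.51.100.7] P=esmtp S=1024
"""

def relay_offenders(lines, threshold=3, window=timedelta(minutes=10)):
    """Return addresses with at least `threshold` relay rejections inside `window`."""
    recent = defaultdict(deque)   # address -> timestamps still inside the window
    flagged = set()
    for line in lines:
        m = RELAY_REJECT.match(line.strip())
        if not m:
            continue              # deliveries, arrivals and other rejections
        try:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            addr = ip_address(m.group(2))
        except ValueError:
            continue              # malformed timestamp or address: ignore the line
        seen = recent[addr]
        seen.append(when)
        while when - seen[0] > window:
            seen.popleft()        # drop rejections older than the window
        if len(seen) >= threshold:
            flagged.add(addr)
    ordered = sorted(flagged, key=lambda a: (a.version, int(a)))
    return [str(a) for a in ordered]

if __name__ == "__main__":
    for host in relay_offenders(SAMPLE_LOG.splitlines()):
        print(host)
```

The script only reads the log, so the MTA needs no write access to any firewall or tcp_wrappers file.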
