Hill Ruyter wrote:
Thanks Bill

Concise, informative and thorough as usual.

I really wish I could get my head round the ACLs as you suggest since all
my users do connect on 587 and do use TLS and do authenticate and are just
family and friends so are no problem to manage (from an MUA perspective)
so everything else is subject to disdain, mistrust and general contempt.
But, alas and alack I am yet to get my brain around doing all the clever
things often referred to in here and the Debian-ness of my server it seems
makes me a bit of a black sheep when it comes to what to do configuration
wise.

Thanks again everyone for their help though in getting me up and running
again

Yours

Hill

*snip** ( my thorough? Maybe. But anything BUT 'concise' post..)

W/r the acl's. Study Forth - they look and work just like a 'case of..'

;-)

...more seriously ...

One of the best friends you can have for clarity, simplicity, and readability, is the NOT'ed or inverted '!condition ='

- as small individual bites, they can exit earlier than complex monoliths, and in predictable and easily re-ordered sequence.

- they can readily be *stacked* instead of nested, making #commenting them in or out of the chain SO much simpler than revising complex nested conditionals and test, test, test....

An example - rDNS check with multiple prior exemptions in descending order of their likelihood:

====

deny
  !condition = ${if eq{$interface_port}{587}}
  # bails immediately for our own (probable) submission Lusers [1]

  !hosts     = : +relay_from_hosts
  # and/or skip check of cron reports from boxen with no <domain>.<tld>

  !condition = ${lookup{$sender_address}lsearch{/path/VIP-pass}{yes}{no}}
  # skips whitelisted MTA we forgive despite rDNS fail
  # ({yes}{no} yields a clean boolean even when the file lists keys with no data)

  !verify    = reverse_host_lookup
  # 'NOT' meaning trigger the deny if verification *fails*
====

HTH,

Bill

[1] a positive conditional also works in this stack position, as in;

   condition   = ${if eq{$interface_port}{25}}

Which excludes 587, 465, and *other* custom Luser-submission ports used to get around firewalls. If any.


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
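
An added illustration, not part of the original posts and not Exim code: a small Python model of how the stacked deny statement above is walked, showing which condition ends evaluation for each kind of session. The relay host, VIP address and sample sessions are constructed, and the names (Conn, STACK, evaluate) are hypothetical.

```python
# Added illustration, not Exim code: models how one ACL statement's
# conditions are tested in order and abandoned at the first that fails.
from collections import namedtuple

# host "" stands for a locally generated message (the empty item in "hosts = :")
Conn = namedtuple("Conn", "port host sender rdns_ok")

RELAY_FROM_HOSTS = {"192.0.2.10"}        # constructed stand-in for +relay_from_hosts
VIP_PASS = {"ops@partner.example"}       # constructed stand-in for /path/VIP-pass

# (label, negated, test), same order as the deny statement in the post
STACK = [
    ("!condition port 587", True, lambda c: c.port == 587),
    ("!hosts : +relay_from_hosts", True,
     lambda c: c.host == "" or c.host in RELAY_FROM_HOSTS),
    ("!condition VIP-pass lookup", True, lambda c: c.sender in VIP_PASS),
    ("!verify reverse_host_lookup", True, lambda c: c.rdns_ok),
]

def evaluate(conn, stack=STACK):
    """Return (verdict, label of the last condition tested, conditions tested)."""
    for tested, (label, negated, test) in enumerate(stack, 1):
        matched = test(conn) != negated      # "!" inverts the raw result
        if not matched:
            # Statement does not apply; later (costlier) tests never run.
            return ("next statement", label, tested)
    return ("deny", label, len(stack))

SAMPLES = [  # constructed sessions
    Conn(587, "198.51.100.7", "kid@family.example", False),
    Conn(25, "", "root@localhost", False),
    Conn(25, "203.0.113.5", "ops@partner.example", False),
    Conn(25, "203.0.113.5", "news@bulk.example", False),
    Conn(25, "203.0.113.5", "news@bulk.example", True),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", evaluate(s))
```

Only the last two sample sessions reach the reverse lookup, and only the one with failing rDNS is denied; commenting out or reordering an entry in STACK mirrors doing the same to a line of the ACL.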
