Hi Paul,

Paul Key via Exim-users <exim-users@exim.org> (Mi 19 Mai 2021 16:41:49 CEST):
> Hi,
> 
> Using an acl_check_rcpt in exim.conf we are trying to both block and 
> whitelist incoming email addresses in the same acl.
> 
> Currently we have:
> 
> deny  message = $sender_host_address is listed in user blocking list
>       condition = ${lookup {$sender_address}wildlsearch{/etc/exim/whitelist.senders} {no}{yes}}
>       condition = ${lookup {$sender_address}wildlsearch{/etc/exim/blocking_list} {yes}{no}}
> 
> in whitelist.senders we have an email address "example@example.cloud"  which 
> we want to allow through but in blocking_list we have an entry "*@*.cloud".
> So first we check the whitelist - which matches in the case of receiving an 
> email from "example@example.cloud"  but if no match then should move onto the 
> blocking_list.

Yes, and if there is a match, your lookup returns "no", which should
stop processing *this* ACL block.

> However it looks like the acl is just evaluating the first condition and not 
> processing the second condition whatever the condition result is.

How can you tell? Did you test debugging this? The simplest way is doing
something like

        swaks -q rcpt -f example@example.cloud -t f...@example.com --pipe 'exim -bh 0.0.0.0'

> Is there syntax for an ACL something like:
> If <this condition> AND NOT <that condition>
> 
> To provide one evaluation result for acl_check_rcpt searching both a 
> blocking_list and a whitelist?

The expressions of a "block" are evaluated in order, *until* an
expression returns "false". If all expressions return true, the block's
verb is executed, otherwise ACL processing jumps to the next block.

Exceptions are
- the verb "require": if *all* expressions are true, the processing
  continues with the next block, otherwise an error (e.g. 5xx) is
  returned.
- the expression "endpass"


I used the following example config:

    acl_smtp_rcpt = acl_check_rcpt
    begin acl
    acl_check_rcpt:
            deny
            message = $sender_host_address is listed in user blocking list
            condition = ${lookup {$sender_address}wildlsearch{$config_dir/whitelist.senders} {no}{yes}}
            condition = ${lookup {$sender_address}wildlsearch{$config_dir/blocking_list} {yes}{no}}

With these additional files:
        # whitelist.senders
        f...@example.com

        # blocking_list
        *@*.com

and ran the following command

        swaks  -f 'f...@example.com' -t b...@example.com --pipe 'exim -C /tmp/x.conf -bh 0.0.0.0' -q rcpt

which produced this output (as expected):

    …
    <-  250-SMTPUTF8
    <-  250 HELP
     -> MAIL FROM:<f...@example.com>
    <-  250 OK
     -> RCPT TO:<b...@example.com>
    >>> using ACL "acl_check_rcpt"
    >>> processing "deny" (/tmp/x.conf 6)
    >>>   message: $sender_host_address is listed in user blocking list
    >>> f...@example.com in "f...@example.com"? yes (matched "f...@example.com")
    >>> check condition = ${lookup {$sender_address}wildlsearch{$config_dir/whitelist.senders} {no}{yes}}
    >>>                 = no
    >>> deny: condition test failed in ACL "acl_check_rcpt"
    >>> end of ACL "acl_check_rcpt": implicit DENY
    LOG: H=(x1.schlittermann.de) [0.0.0.0] F=<f...@example.com> rejected RCPT <b...@example.com>
    <** 550 Administrative prohibition
     -> QUIT
    <-  221 x1 closing connection
    === Connection closed with child process.



    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
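
The evaluation order described in this thread, modelled as a small Python sketch (an added example, not code from the thread or from Exim). The glob match standing in for wildlsearch and the trailing accept block are assumptions, and the sender addresses are constructed sample data.

```python
from fnmatch import fnmatchcase

# Constructed data mirroring the two files described in the thread.
WHITELIST = ["example@example.cloud"]
BLOCKLIST = ["*@*.cloud"]

def listed(sender, patterns):
    # Assumption: a plain glob match stands in for Exim's wildlsearch lookup.
    return any(fnmatchcase(sender.lower(), p.lower()) for p in patterns)

def run_acl(blocks, sender):
    """Walk ACL blocks in order; return (outcome, trace of conditions checked)."""
    trace = []
    for verb, conditions in blocks:
        all_true = True
        for name, check in conditions:
            all_true = check(sender)
            trace.append((verb, name, all_true))
            if not all_true:
                break  # later conditions of this block are never evaluated
        if verb == "require":
            if not all_true:
                return "deny", trace
        elif all_true:
            return verb, trace  # the block's verb (accept or deny) is executed
        # otherwise processing jumps to the next block
    return "implicit deny", trace  # fell off the end of the ACL

DENY_BLOCK = ("deny", [
    ("not in whitelist", lambda s: not listed(s, WHITELIST)),
    ("in blocking_list", lambda s: listed(s, BLOCKLIST)),
])
# The one-block test ACL from the reply.
TEST_ACL = [DENY_BLOCK]
# Hypothetical: the accept block stands in for the rest of a real RCPT ACL,
# which would carry its own recipient and relay checks.
FULL_ACL = [DENY_BLOCK, ("accept", [])]

if __name__ == "__main__":
    for acl_name, acl in (("TEST_ACL", TEST_ACL), ("FULL_ACL", FULL_ACL)):
        for sender in ("example@example.cloud", "other@spam.cloud", "user@example.org"):
            outcome, trace = run_acl(acl, sender)
            print(acl_name, sender, outcome, trace)
```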
