Bug#376459: exim4-config: issues with ACL documentation
On Mon, Jul 03, 2006 at 08:04:22AM -0700, Ross Boylan wrote:
> How about
>   Local configuration of the mechanisms happens through data files in
>   /etc/exim4 or via exim macros that you can set in
>   /etc/exim4/conf.d/main. You can create files with your own rules to
>   add to the existing ones and point to them by setting
>   CHECK_RCPT_LOCAL_ACL_FILE and CHECK_DATA_LOCAL_ACL_FILE, so there is
>   normally no need to change the files in the acl subdirectory in a
>   split-config setup.
> ?

I have two things that make me not like this.

(1) Mentioning the explicit macro names will lead to people setting them without knowing what they do and without reading the (important!) context the macros are used in our configuration. I'd rather have people look at the configuration itself, understand it, and see which methods of modification we offer.

(2) Duplicating the macro names in the docs will lead to errors should we decide to change the names in the future.

I still don't see the advantage of your wording over the existing wording.

Greetings
Marc

-- 
Marc Haber         | I don't trust Computers. They | Mail address in header
Mannheim, Germany  | lose things. Winona Ryder     | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#376459: exim4-config: issues with ACL documentation
On Mon, Jul 03, 2006 at 10:02:39PM -0700, Ross Boylan wrote:
> wheat:/etc/exim4# find . -type f -exec grep -H default_acl \{\} \;
> ./conf.d/acl/30_exim4-config_check_rcpt: # the black list. See /usr/share/doc/exim4-config/default_acl for details.
> ./conf.d/acl/30_exim4-config_check_rcpt: # the black list. See /usr/share/doc/exim4-config/default_acl for details.
> ./conf.d/acl/20_exim4-config_whitelist_local_deny:# black list. See /usr/share/doc/exim4-config/default_acl for details.
> ./exim4.conf.template:# black list. See /usr/share/doc/exim4-config/default_acl for details.
> ./exim4.conf.template: # the black list. See /usr/share/doc/exim4-config/default_acl for details.
> ./exim4.conf.template: # the black list. See /usr/share/doc/exim4-config/default_acl for details.

I did the same check the day before yesterday and fixed these occurrences in svn. exim4.conf.template is built at build time from conf.d, so it is ok to only fix conf.d in the source package.

Greetings
Marc
Bug#376459: exim4-config: issues with ACL documentation
clone 376459 -1
reassign -1 tkman
retitle -1 tkman: displays exim4-config_files(5) strangely
thanks

On Sun, Jul 02, 2006 at 10:18:55PM -0700, Ross Boylan wrote:
> 4. There is an oddity in the exim4-config_files man page when viewed
> with tkman. man in terminal looks OK. In case there is something on
> the page that is inspiring this weird behavior, I'm reporting it.
> Here's what I see when I expand the subitem under description
> --
> /etc/exim4/local_host_blacklist
>   is an optional file containing a list of IP addresses, networks and
>   host names whose messages will be denied with the error message
>   "locally blacklisted". This is a full exim 4 host list, and all
>   available features can be used. This includes negative items, and so
>   it is possible to exclude addresses from being blacklisted. For
>   convenience, as an additional method to whitelist addresses from
>   being blocked, an explicit whitelist is read in from
>   /etc/exim4/local_host_whitelist. Entries in the whitelist override
>   corresponding blacklist entries.
>
>   In the blacklist, the trick is to read a line break as "or" if it
>   follows a positive item, and as "and" if it follows a negative item.
>
>   For example, a /etc/exim4/local_host_blacklist
>     192.168.10.0/24
>     !172.16.10.128/26
>     172.16.10.0/24
>     10.0.0.0/8
>
>   Exim just evaluates left to right (or up-down in the file listing
>   context), so you don't get the same kind of operator binding as in a
>   programming language.
>
> XX will be accepted despite the address is also listed in
>   /etc/exim4/local_host_blacklist, overriding a blacklisting.
>
> /etc/exim4/local_sender_blacklist
>   is an optional files containing a list of envelope senders whose mes-
> -
> The section with XXX has missing material on local_host_whitelist. If
> I hit enter (which tells tkman to expand and move on) the missing text
> reappears.
>
> I may be misunderstanding tkman, or it may be strictly a tkman bug.
> But if there's a way to prevent it from the man page itself, that
> would be a plus.

tkman maintainers, please investigate and advise whether my man page is faulty or your package buggy. I'd appreciate a workaround which might be possible in the exim4-config_files(5) man page.

Link to the man page in exim4 svn:
http://svn.debian.org/wsvn/pkg-exim4/exim/trunk/debian/manpages/exim4-config_files.5?op=filerev=0sc=0

Greetings
Marc
Bug#376459: exim4-config: issues with ACL documentation
On Sun, Jul 02, 2006 at 10:18:55PM -0700, Ross Boylan wrote:
> The recent cleanup of the documentation seems to have left some loose
> ends.
>
> 1. acl/20_exim4-config_whitelist_local_deny includes
>   # Whitelisting can also be configured by including negative items in the
>   # black list. See /usr/share/doc/exim4-config/default_acl for details.
>   ^^^
> The indicated file doesn't exist; I think it was merged into
> README.Debian, though I don't see stuff in there that bears directly
> on this issue there now.

The information was moved into exim4-config_files(5), and I have changed the file appropriately.

> 2. README.Debian section 2.1.2 (on ACLs) says
>   The access list file also contains quite a few configuration options
>   that are too restrictive to be active by default on a real-life site.
> It is unclear, at least to me, what file the access list file refers
> to. My guess is it means either all the acl files or the check_rcpt
> one.

I have changed the text to say "The access lists delivered with the exim4 packages".

> 3. It might be helpful for README.Debian to mention the possibility of
> customizing the ACLs via, e.g., CHECK_RCPT_LOCAL_ACL_FILE. And/or
> something about this could go in the exim4-config_files man page,
> though that's tricky since the user makes up the file name and
> location.

The paragraph about Access Control in the default configuration says that the mechanisms can be configured locally with exim macros. I think that's enough, since people using these configuration mechanisms need to understand our ACLs first before they can successfully modify them.

> 4. There is an oddity in the exim4-config_files man page when viewed
> with tkman. man in terminal looks OK. In case there is something on
> the page that is inspiring this weird behavior, I'm reporting it.
> Here's what I see when I expand the subitem under description
> --
> /etc/exim4/local_host_blacklist
>   is an optional file containing a list of IP addresses, networks and
>   host names whose messages will be denied with the error message
>   "locally blacklisted". This is a full exim 4 host list, and all
>   available features can be used. This includes negative items, and so
>   it is possible to exclude addresses from being blacklisted. For
>   convenience, as an additional method to whitelist addresses from
>   being blocked, an explicit whitelist is read in from
>   /etc/exim4/local_host_whitelist. Entries in the whitelist override
>   corresponding blacklist entries.
>
>   In the blacklist, the trick is to read a line break as "or" if it
>   follows a positive item, and as "and" if it follows a negative item.
>
>   For example, a /etc/exim4/local_host_blacklist
>     192.168.10.0/24
>     !172.16.10.128/26
>     172.16.10.0/24
>     10.0.0.0/8
>
>   Exim just evaluates left to right (or up-down in the file listing
>   context), so you don't get the same kind of operator binding as in a
>   programming language.
>
> XX will be accepted despite the address is also listed in
>   /etc/exim4/local_host_blacklist, overriding a blacklisting.
>
> /etc/exim4/local_sender_blacklist
>   is an optional files containing a list of envelope senders whose mes-
> -
> The section with XXX has missing material on local_host_whitelist. If
> I hit enter (which tells tkman to expand and move on) the missing text
> reappears.
>
> I may be misunderstanding tkman, or it may be strictly a tkman bug.

I'd say this is a tkman bug, I'll clone and reassign.

> But if there's a way to prevent it from the man page itself, that
> would be a plus.

As soon as somebody tells me how to do this, it's a pleasure to do.

Greetings
Marc
Bug#376459: exim4-config: issues with ACL documentation
On Mon, Jul 03, 2006 at 07:52:45AM +0200, Marc Haber wrote:
> On Sun, Jul 02, 2006 at 10:18:55PM -0700, Ross Boylan wrote:
...
> > 3. It might be helpful for README.Debian to mention the possibility
> > of customizing the ACLs via, e.g., CHECK_RCPT_LOCAL_ACL_FILE. And/or
> > something about this could go in the exim4-config_files man page,
> > though that's tricky since the user makes up the file name and
> > location.
>
> The paragraph about Access Control in the default configuration says
> that the mechanisms can be configured locally with exim macros. I
> think that's enough, since people using these configuration mechanisms
> need to understand our ACLs first before they can successfully modify
> them.

That section says
  Local configuration of the mechanisms happens through data files in
  /etc/exim4 or via exim macros that you can set in
  /etc/exim4/conf.d/main, so there is normally no need to change the
  files in the acl subdirectory in a split-config setup.
and a bit later
  The access list file also contains quite a few configuration options
  that are too restrictive to be active by default on a real-life site.
  These are masked by .ifdef statements, can be activated by setting the
  appropriate macros, and are documented in the ACL file itself.

The reference to data files would lead someone to look at exim4-config_files (which doesn't mention adding your own rules), and the discussion of macros could easily lead someone to the conclusion "don't use them". The text also says there is normally no need to change the files in the ACL directory. So I think it would be very easy to miss this customization option.

How about
  Local configuration of the mechanisms happens through data files in
  /etc/exim4 or via exim macros that you can set in
  /etc/exim4/conf.d/main. You can create files with your own rules to
  add to the existing ones and point to them by setting
  CHECK_RCPT_LOCAL_ACL_FILE and CHECK_DATA_LOCAL_ACL_FILE, so there is
  normally no need to change the files in the acl subdirectory in a
  split-config setup.
?
Bug#376459: exim4-config: issues with ACL documentation
I noticed one more:

30_exim4-config_check_rcpt:
  # The explicit white lists are honored as well as negative items in
  # the black list. See /usr/share/doc/exim4-config/default_acl for details.
that's toward the bottom

Which inspired this check:

wheat:/etc/exim4# find . -type f -exec grep -H default_acl \{\} \;
./conf.d/acl/30_exim4-config_check_rcpt: # the black list. See /usr/share/doc/exim4-config/default_acl for details.
./conf.d/acl/30_exim4-config_check_rcpt: # the black list. See /usr/share/doc/exim4-config/default_acl for details.
./conf.d/acl/20_exim4-config_whitelist_local_deny:# black list. See /usr/share/doc/exim4-config/default_acl for details.
./exim4.conf.template:# black list. See /usr/share/doc/exim4-config/default_acl for details.
./exim4.conf.template: # the black list. See /usr/share/doc/exim4-config/default_acl for details.
./exim4.conf.template: # the black list. See /usr/share/doc/exim4-config/default_acl for details.
Bug#376459: exim4-config: issues with ACL documentation
Package: exim4-config
Version: 4.62-2
Severity: minor

The recent cleanup of the documentation seems to have left some loose ends.

1. acl/20_exim4-config_whitelist_local_deny includes
  # Whitelisting can also be configured by including negative items in the
  # black list. See /usr/share/doc/exim4-config/default_acl for details.
  ^^^
The indicated file doesn't exist; I think it was merged into README.Debian, though I don't see stuff in there that bears directly on this issue there now.

2. README.Debian section 2.1.2 (on ACLs) says
  The access list file also contains quite a few configuration options
  that are too restrictive to be active by default on a real-life site.
It is unclear, at least to me, what file the access list file refers to. My guess is it means either all the acl files or the check_rcpt one.

3. It might be helpful for README.Debian to mention the possibility of customizing the ACLs via, e.g., CHECK_RCPT_LOCAL_ACL_FILE. And/or something about this could go in the exim4-config_files man page, though that's tricky since the user makes up the file name and location.

4. There is an oddity in the exim4-config_files man page when viewed with tkman. man in terminal looks OK. In case there is something on the page that is inspiring this weird behavior, I'm reporting it. Here's what I see when I expand the subitem under description
--
/etc/exim4/local_host_blacklist
  is an optional file containing a list of IP addresses, networks and
  host names whose messages will be denied with the error message
  "locally blacklisted". This is a full exim 4 host list, and all
  available features can be used. This includes negative items, and so
  it is possible to exclude addresses from being blacklisted. For
  convenience, as an additional method to whitelist addresses from
  being blocked, an explicit whitelist is read in from
  /etc/exim4/local_host_whitelist. Entries in the whitelist override
  corresponding blacklist entries.

  In the blacklist, the trick is to read a line break as "or" if it
  follows a positive item, and as "and" if it follows a negative item.

  For example, a /etc/exim4/local_host_blacklist
    192.168.10.0/24
    !172.16.10.128/26
    172.16.10.0/24
    10.0.0.0/8

  Exim just evaluates left to right (or up-down in the file listing
  context), so you don't get the same kind of operator binding as in a
  programming language.

XX will be accepted despite the address is also listed in
  /etc/exim4/local_host_blacklist, overriding a blacklisting.

/etc/exim4/local_sender_blacklist
  is an optional files containing a list of envelope senders whose mes-
-
The section with XXX has missing material on local_host_whitelist. If I hit enter (which tells tkman to expand and move on) the missing text reappears.

I may be misunderstanding tkman, or it may be strictly a tkman bug. But if there's a way to prevent it from the man page itself, that would be a plus.

-- Package-specific info:
Exim version 4.62 #1 built 02-May-2006 11:54:25
Copyright (c) University of Cambridge 2006
Berkeley DB: Sleepycat Software: Berkeley DB 4.3.29: (September 6, 2005)
Support for: crypteq iconv() IPv6 PAM Perl GnuTLS move_frozen_messages Content_Scanning Old_Demime
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql
Authenticators: cram_md5 cyrus_sasl plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (990, 'stable'), (50, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27advncdfs
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages exim4-config depends on:
ii  adduser                  3.87   Add and remove users and groups
ii  debconf [debconf-2.0]    1.5.2  Debian configuration management sy

exim4-config recommends no packages.

-- debconf information excluded
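The left-to-right evaluation described in the man page excerpt quoted in the report above, as an added example that is not part of the thread or of the exim4 packages. It handles only IP/CIDR items, the function names are made up for the illustration, and the end-of-list rule comes from Exim's general list semantics rather than from the quoted text.

```python
import ipaddress

# Blacklist quoted from the man page excerpt in the report, one item per line.
MANPAGE_BLACKLIST = """\
192.168.10.0/24
!172.16.10.128/26
172.16.10.0/24
10.0.0.0/8
"""

def parse_items(text):
    """Parse IP/CIDR items into (negated, network) pairs.

    Simplification of this example: host names, lookups and comments,
    which a full Exim host list allows, are not handled.
    """
    items = []
    for item in text.split():
        negated = item.startswith("!")
        net = ipaddress.ip_network(item.lstrip("!"), strict=False)
        items.append((negated, net))
    return items

def in_list(addr, items):
    """Left-to-right scan: the first item that matches decides the result."""
    ip = ipaddress.ip_address(addr)
    for negated, net in items:
        if ip.version == net.version and ip in net:
            return not negated  # a matching "!item" means "not in the list"
    # Nothing matched: Exim treats the address as listed only if the last
    # item was a negated one.
    return bool(items) and items[-1][0]

def is_denied(addr, blacklist, whitelist=()):
    """Whitelist entries override blacklist entries, as the man page states."""
    return in_list(addr, blacklist) and not in_list(addr, whitelist)

if __name__ == "__main__":
    bl = parse_items(MANPAGE_BLACKLIST)
    # Same items with the exception moved below the network it carves out of:
    # the /24 now matches first and the exception is never reached.
    misordered = [bl[0], bl[2], bl[1], bl[3]]
    for addr in ("172.16.10.130", "172.16.10.5", "10.1.2.3", "203.0.113.9"):
        print(addr, is_denied(addr, bl), is_denied(addr, misordered))
```

Because the first match wins, a negated exception only takes effect when it sits above the broader network that would otherwise match, and a list that ends in a negated item matches every address that nothing earlier matched.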