Hi,
exim4-daemon-light | exim4-daemon-heavy
I have a split config and have added
WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE =/etc/exim4/local-acl
to my local configuration file in /etc/exim4/conf.d/main.
The local-acl has the following acl in it:

accept
  senders = ${if exists{/usr/local/mail/local_sender_whitelist}\
                 {/usr/local/mail/local_sender_whitelist}\
                 {}}
What I have noticed is that exim4 appears to be running this test
twice on each incoming mail. This seems unnecessary. Is it by design?
The output from exim4 -d+acl -bh is below.
What's more I want addresses in this white list to be accepted
without further tests. I am not sure how to do this. Should I put
another accept after the one above to end further testing once it has
returned a match?
Also is it recommended to use the WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
macro? It seems to suggest it is. And if so should I remove all the
files in conf.d/acl/ and create a single acl file customised to my
needs (SA-EXIM ...etc)?
Thanx.
Dp.
user@somedomain.com in ""? no (end of list)
accept: condition test failed
processing "accept"
check senders = ${if exists{/usr/local/mail/local_sender_whitelist}{/usr/local/mail/local_sender_whitelist}{}}
address match: subject=user@somedomain.com pattern=user@somedomain.com
somedomain.com in "somedomain.com"? yes (matched "somedomain.com")
user@somedomain.com in "/usr/local/mail/local_sender_whitelist"? yes (matched "user@somedomain.com" in /usr/local/mail/local_sender_whitelist)
accept: condition test succeeded ## Matched here
deny: condition test failed
processing "deny"
check !acl = acl_whitelist_local_deny
using ACL "acl_whitelist_local_deny"
processing "accept"
check hosts = ${if exists{/etc/exim4/local_host_whitelist}{/etc/exim4/local_host_whitelist}{}}
host in ""? no (end of list)
accept: condition test failed
processing "accept"
check senders = ${if exists{/etc/exim4/local_sender_whitelist}{/etc/exim4/local_sender_whitelist}{}}
user@somedomain.com in ""? no (end of list)
accept: condition test failed
processing "accept"
check senders = ${if exists{/usr/local/mail/local_sender_whitelist}{/usr/local/mail/local_sender_whitelist}{}}
address match: subject=user@somedomain.com pattern=user@somedomain.com
accept: condition test succeeded ## Matched again here
On Tue, May 02, 2006 at 01:40:26PM +0100, Dermot Paikkos wrote:
> exim4-daemon-light | exim4-daemon-heavy
>
> I have a split config and have added
> WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE =/etc/exim4/local-acl
> to my local configuration file in /etc/exim4/conf.d/main.

So you have added your local rule to the acl_whitelist_local_deny
which is being used multiple times as a sub-ACL in other ACLs.

> What I have noticed is that exim4 appears to be running this test
> twice on each incoming mail. This seems unnecessary.

No, it is not. If you look in acl/30_exim4-config_check_rcpt, you'll
see the construct !acl = acl_whitelist_local_deny multiple times to
exclude whitelisted hosts and senders from multiple blacklist rules.

> Is it by design?

Yes, and a documented feature.

> What's more I want addresses in this white list to be accepted
> without further tests. I am not sure how to do this. Should I put
> another accept after the one above to end further testing once it has
> returned a match?

First, please consider whether what you intend to do is really what
you want to do. By accepting sender addresses without any further
test, you'll make yourself a half-open relay since anybody who can
forge one of your valid senders can happily relay through your server.

Second, you want to modify acl_check_rcpt.

> Also is it recommended to use the WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
> macro?

If it were not recommended to be used, it wouldn't be present. But it
looks like you have a misconception about the way our configuration
uses the ACLs. I have not yet understood where the misconception is.

> And if so should I remove all the
> files in conf.d/acl/ and create a single acl file customised to my
> needs (SA-EXIM ...etc)?

That depends on what you intend to do. If you want to ditch all of our
ACLs, you could main/02_exim4-config_options to your own lists and
just leave our files around to avoid questions being asked on upgrade.
Or you can remove the files. Your choice.

Just be really really careful to not make yourself an open or
half-open relay.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt  | Fax: *49 621 72739835
On 2 May 2006 at 15:00, Marc Haber wrote:
> On Tue, May 02, 2006 at 01:40:26PM +0100, Dermot Paikkos wrote:
> > exim4-daemon-light | exim4-daemon-heavy
> >
> > I have a split config and have added
> > WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE =/etc/exim4/local-acl
> > to my local configuration file in /etc/exim4/conf.d/main.
>
> So you have added your local rule to the acl_whitelist_local_deny
> which is being used multiple times as a sub-ACL in other ACLs.

Was it intended that WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE be a simple
whitelist/black list and not a rule?

Thanx
Dp.
On Tue, May 02, 2006 at 02:41:57PM +0100, Dermot Paikkos wrote:
> On 2 May 2006 at 15:00, Marc Haber wrote:
> > On Tue, May 02, 2006 at 01:40:26PM +0100, Dermot Paikkos wrote:
> > > exim4-daemon-light | exim4-daemon-heavy
> > >
> > > I have a split config and have added
> > > WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE =/etc/exim4/local-acl
> > > to my local configuration file in /etc/exim4/conf.d/main.
> >
> > So you have added your local rule to the acl_whitelist_local_deny
> > which is being used multiple times as a sub-ACL in other ACLs.
>
> Was it intended that WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE be a simple
> whitelist/black list and not a rule?

WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE is a hook to extend a sub-acl
which is being used to exempt certain messages from _all_ blacklisting
while keeping relay control in place.

Just try to understand the entire ACL mechanism, please, and don't
tinker with it at a place which might be inappropriate. To me, this
thread makes me suspect that you just grepped for "whitelist" and
jumped on the first macro you found without getting a view of the
entire mechanisms.

Greetings
Marc
On 2 May 2006 at 16:00, Marc Haber wrote:
> WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE is a hook to extend a sub-acl
> which is being used to exempt certain messages from _all_ blacklisting
> while keeping relay control in place.

Understood.

> Just try to understand the entire ACL mechanism, please, and don't
> tinker with it at a place which might be inappropriate. To me, this
> thread makes me suspect that you just grepped for "whitelist" and
> jumped on the first macro you found without getting a view of the
> entire mechanisms.

You might be correct. I was trying to honour the principle of not
editing any of the files under ~/conf.d and keeping all my local
settings in main/00_local_settings. When I saw this:

"This hook allows you to hook in your own ACLs without having to
modify this file."

It looked like what I wanted. I need some way local users (without
shell access) can add users to a white list. I thought a file outside
the exim4 directory would be more secure than local_sender_whitelist
as update would be via cgi.

Thanx.
Dp.
On Tue, May 02, 2006 at 03:29:45PM +0100, Dermot Paikkos wrote:
> You might be correct. I was trying to honour the principle of not
> editing any of the files under ~/conf.d and keeping all my local
> settings in main/00_local_settings.

Which is generally a good idea, but not possible for anything.

> I need some way local users (without shell access) can add users to a
> white list. I thought a file outside the exim4 directory would be
> more secure than local_sender_whitelist as update would be via cgi.

What exactly should this white list contain and which special
treatment should its contents get?

Greetings
Marc
On 2 May 2006 at 16:32, Marc Haber wrote:
> What exactly should this white list contain and which special
> treatment should its contents get?

Nothing special. Just addresses in the format

EG: jo@somedomain.com

The blacklist would be handled by the admin.

Thanx.
Dp.
On Tue, May 02, 2006 at 03:47:34PM +0100, Dermot Paikkos wrote:
> On 2 May 2006 at 16:32, Marc Haber wrote:
> > What exactly should this white list contain and which special
> > treatment should its contents get?
>
> Nothing special. Just addresses in the format
>
> EG: jo@somedomain.com
>
> The blacklist would be handled by the admin.

Sounds like a valid use-case for the HOOK you used in the first place.
Is it not working?

Greetings
Marc
On 2 May 2006 at 17:45, Marc Haber wrote:
> On Tue, May 02, 2006 at 03:47:34PM +0100, Dermot Paikkos wrote:
> > On 2 May 2006 at 16:32, Marc Haber wrote:
> > > What exactly should this white list contain and which special
> > > treatment should its contents get?
> >
> > Nothing special. Just addresses in the format
> >
> > EG: jo@somedomain.com
> >
> > The blacklist would be handled by the admin.
>
> Sounds like a valid use-case for the HOOK you used in the first place.
> Is it not working?

It works but as I said it appears to run twice. Sorry if the
formatting is out in this email. I put a ### on the places that the
lookup occurs. It finds user@somedomain from the file
/usr/local/mail/local_sender_whitelist; it then does the same lookup
again at the end of the snip below.

My local acl (/etc/exim4/local-acl) had this one rule:

accept
  senders = ${if exists{/usr/local/mail/local_sender_whitelist}\
                 {/usr/local/mail/local_sender_whitelist}\
                 {}}

So I wasn't sure why the rule was being called twice. I was thinking
that this was because the macro WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
was used by several other acls.

Should I just leave WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE alone and make
local_host_whitelist writeable by the apache-userid or use suEXEC to
setuid before writing to the list?

Thanx.
Dp.

==============...snip
user@somedomain.com in ""? no (end of list)
accept: condition test failed
processing "accept"
check senders = ${if exists{/usr/local/mail/local_sender_whitelist}{/usr/local/mail/local_sender_whitelist}{}}
address match: subject=user@somedomain.com pattern=user@somedomain.com
somedomain.com in "somedomain.com"? yes (matched "somedomain.com")
user@somedomain.com in "/usr/local/mail/local_sender_whitelist"? yes (matched "user@somedomain.com" in /usr/local/mail/local_sender_whitelist)
accept: condition test succeeded ###
deny: condition test failed
processing "deny"
check !acl = acl_whitelist_local_deny
using ACL "acl_whitelist_local_deny"
processing "accept"
check hosts = ${if exists{/etc/exim4/local_host_whitelist}{/etc/exim4/local_host_whitelist}{}}
host in ""? no (end of list)
accept: condition test failed
processing "accept"
check senders = ${if exists{/etc/exim4/local_sender_whitelist}{/etc/exim4/local_sender_whitelist}{}}
user@somedomain.com in ""? no (end of list)
accept: condition test failed
processing "accept"
check senders = ${if exists{/usr/local/mail/local_sender_whitelist}{/usr/local/mail/local_sender_whitelist}{}}
address match: subject=user@somedomain.com pattern=user@somedomain.com
accept: condition test succeeded ###
.....snip
On Tue, May 02, 2006 at 05:25:40PM +0100, Dermot Paikkos wrote:
> It works but as I said it appears to run twice.

It runs once for each ACL stanza that invokes it as a sub-ACL.
Currently, it is used seven times, so I think that twice is rather few.

> So I wasn't sure why the rule was being called twice. I was thinking
> that this was because the macro WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
> was used by several other acls.

No, the acl_whitelist_local_deny ACL is called as a sub-ACL multiple
times.

> Should I just leave WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE alone and
> make local_host_whitelist writeable by the apache-userid or use
> suEXEC to setuid before writing to the list?

No. What you're doing seems like the right thing to me, but you're
doing it without understanding the mechanism.

Greetings
Marc
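The mechanism Marc describes in his first and last replies, as an added illustrative Exim configuration fragment that is not from this thread and not copied from the Debian exim4 package files: the sub-ACL acl_whitelist_local_deny with the WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE include hook, two blacklist deny stanzas in acl_check_rcpt that each consult it through "!acl = acl_whitelist_local_deny" (which is why the whitelist lookup appears once per stanza in the -d+acl output above), and, commented out, the unconditional accept the original poster was considering. CONFDIR, the local_sender_blacklist and local_host_blacklist file names, the message texts and the order of the stanzas are my assumptions modelled on the split-config layout; the named lists +relay_from_hosts, +local_domains and +relay_to_domains are taken to be the ones the Debian config defines.

```exim
# Illustrative fragment added for this thread, not the Debian package's
# own files. CONFDIR, the *_blacklist file names, the message texts and
# the stanza order are assumptions modelled on the split-config layout.

# --- sub-ACL (the Debian config keeps it in its own conf.d/acl file) ---
acl_whitelist_local_deny:
  accept
    hosts = ${if exists{CONFDIR/local_host_whitelist}\
                 {CONFDIR/local_host_whitelist}\
                 {}}

  accept
    senders = ${if exists{CONFDIR/local_sender_whitelist}\
                   {CONFDIR/local_sender_whitelist}\
                   {}}

# The hook set in main/00_local_settings. In this thread it pulls in
# /etc/exim4/local-acl, which holds one more "accept senders = ..." that
# reads the web-maintained /usr/local/mail/local_sender_whitelist.
.ifdef WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
.include WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
.endif

  # Falling off the end of a sub-ACL means "not whitelisted": the
  # caller's "!acl = acl_whitelist_local_deny" condition is then true
  # and its deny goes on to test the blacklist itself.

# --- caller (excerpt in the style of conf.d/acl/30_exim4-config_check_rcpt) ---
acl_check_rcpt:
  # Relay control. Nothing in the whitelist sub-ACL can reach past this,
  # because the stanzas below only ever exempt from a blacklist deny.
  accept
    hosts = +relay_from_hosts

  accept
    authenticated = *

  deny
    message = relay not permitted
    !domains = +local_domains : +relay_to_domains

  # Every blacklist stanza consults the sub-ACL on its own, so a
  # whitelisted sender is looked up once per stanza that is reached.
  deny
    message = sender $sender_address is locally blacklisted here
    !acl = acl_whitelist_local_deny
    senders = ${if exists{CONFDIR/local_sender_blacklist}\
                   {CONFDIR/local_sender_blacklist}\
                   {}}

  deny
    message = sending host $sender_host_address is locally blacklisted here
    !acl = acl_whitelist_local_deny
    hosts = ${if exists{CONFDIR/local_host_blacklist}\
                 {CONFDIR/local_host_blacklist}\
                 {}}

  # DO NOT DO THIS. This is the "accept without further tests" idea from
  # the thread. Placed ahead of relay control it turns a forgeable
  # MAIL FROM into a relay key: any host on the internet can say
  # "MAIL FROM:<jo@somedomain.com>" and then RCPT TO anywhere.
  #
  # accept
  #   senders = /usr/local/mail/local_sender_whitelist
```

Checking it is the same exercise the original poster did: run exim4 -bh with a test peer address and -d+acl, issue MAIL FROM with an address that is in the whitelist, and then RCPT TO a domain outside +local_domains : +relay_to_domains. The expected answer is "relay not permitted" regardless of the whitelist; a RCPT TO a local domain instead shows the whitelist lookup once for each blacklist stanza, exactly as in the debug output above.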