
ACL blocking & senders conditional check?
Hi,

Using an acl_check_rcpt in exim.conf we are trying to both block and whitelist incoming email addresses in the same acl.

Currently we have:

deny message = $sender_host_address is listed in user blocking list

condition = ${lookup {$sender_address}wildlsearch{/etc/exim/whitelist.senders} {no}{yes}}
condition = ${lookup {$sender_address}wildlsearch{/etc/exim/blocking_list} {yes}{no}}

in whitelist.senders we have an email address "example@example.cloud" which we want to allow through but in blocking_list we have an entry "*@*.cloud".

So first we check the whitelist - which matches in the case of receiving an email from "example@example.cloud" but if no match then should move onto the blocking_list.

However it looks like the acl is just evaluating the first condition and not processing the second condition whatever the condition result is.

Is there syntax for an ACL something like:

If <this condition> AND NOT <that condition>

To provide one evaluation result for acl_check_rcpt searching both a blocking_list and a whitelist?

Thanks

Paul
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: ACL blocking & senders conditional check?
Hi Paul,

Paul Key via Exim-users <exim-users@exim.org> (Wed 19 May 2021 16:41:49 CEST):
> Hi,
>
> Using an acl_check_rcpt in exim.conf we are trying to both block and whitelist incoming email addresses in the same acl.
>
> Currently we have:
>
> deny message = $sender_host_address is listed in user blocking list
>
> condition = ${lookup {$sender_address}wildlsearch{/etc/exim/whitelist.senders} {no}{yes}}
> condition = ${lookup {$sender_address}wildlsearch{/etc/exim/blocking_list} {yes}{no}}
>
> in whitelist.senders we have an email address "example@example.cloud" which we want to allow through but in blocking_list we have an entry "*@*.cloud".
> So first we check the whitelist - which matches in the case of receiving an email from "example@example.cloud" but if no match then should move onto the blocking_list.

yes, and if there is a match, your lookup returns "no", which should
stop processing *this* ACL block

> However it looks like the acl is just evaluating the first condition and not processing the second condition whatever the condition result is.

How can you tell? Did you test debugging this? The simplest way is doing
something like

swaks -q rcpt -f example@example.cloud -t foo@example.com --pipe 'exim -bh 0.0.0.0'

> Is there syntax for an ACL something like:
> If <this condition> AND NOT <that condition>
>
> To provide one evaluation result for acl_check_rcpt searching both a blocking_list and a whitelist?

The expressions of a "block" are evaluated in order, *until* an
expression returns "false". If all expressions return true, the block's
verb is executed, otherwise ACL processing jumps to the next block.

Exceptions are
- the verb "require": if *all* expressions are true, the processing
continues with the next block, otherwise an error (e.g. 5xx) is
returned.
- the expression "endpass"
I used the following example config:

acl_smtp_rcpt = acl_check_rcpt
begin acl
acl_check_rcpt:
deny
message = $sender_host_address is listed in user blocking list
condition = ${lookup {$sender_address}wildlsearch{$config_dir/whitelist.senders} {no}{yes}}
condition = ${lookup {$sender_address}wildlsearch{$config_dir/blocking_list} {yes}{no}}

With these additional files:
# whitelist.senders
foo@example.com

# blocking_list
*@*.com

and ran the following command

swaks -f 'foo@example.com' -t bar@example.com --pipe 'exim -C /tmp/x.conf -bh 0.0.0.0' -q rcpt

which produced this output (as expected):
<- 250-SMTPUTF8
<- 250 HELP
-> MAIL FROM:<foo@example.com>
<- 250 OK
-> RCPT TO:<bar@example.com>
>>> using ACL "acl_check_rcpt"
>>> processing "deny" (/tmp/x.conf 6)
>>> message: $sender_host_address is listed in user blocking list
>>> foo@example.com in "foo@example.com"? yes (matched "foo@example.com")
>>> check condition = ${lookup {$sender_address}wildlsearch{$config_dir/whitelist.senders} {no}{yes}}
>>> = no
>>> deny: condition test failed in ACL "acl_check_rcpt"
>>> end of ACL "acl_check_rcpt": implicit DENY
LOG: H=(x1.schlittermann.de) [0.0.0.0] F=<foo@example.com> rejected RCPT <bar@example.com>
<** 550 Administrative prohibition
-> QUIT
<- 221 x1 closing connection
=== Connection closed with child process.
Best regards from Dresden/Germany
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
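The evaluation order Heiko describes (conditions of a block checked in sequence, stopping at the first false one; the verb fires only when all are true; "require" rejects on any failure; "endpass" in an "accept" block turns a later failure into a rejection; the end of the ACL is an implicit deny) can be made visible with a small simulator. The following Python script is an added illustration for this thread and is not Exim code; the function names (run_acl, evaluate_block) are made up for the example, the two list files are constructed from the addresses in the thread, and fnmatch globbing stands in for Exim's wildlsearch lookup without reproducing its exact wildcard rules.

```python
from fnmatch import fnmatch

# Constructed stand-ins for the two list files in the thread (contents only).
# fnmatch globbing is a simplification: it does not reproduce the exact
# wildcard rules of Exim's wildlsearch, so this is a model, not the lookup.
WHITELIST_SENDERS = ["example@example.cloud"]
BLOCKING_LIST = ["*@*.cloud"]


def wildlsearch(key, patterns):
    """Case-insensitive wildcard match of key against a list of patterns."""
    return any(fnmatch(key.lower(), pat.lower()) for pat in patterns)


# The two conditions of the posted deny block, as predicates over the sender.
def not_whitelisted(sender):
    # ${lookup {$sender_address}wildlsearch{whitelist.senders} {no}{yes}}
    return not wildlsearch(sender, WHITELIST_SENDERS)


def blocklisted(sender):
    # ${lookup {$sender_address}wildlsearch{blocking_list} {yes}{no}}
    return wildlsearch(sender, BLOCKING_LIST)


ENDPASS = "endpass"  # marker used in place of a condition


def evaluate_block(verb, conditions, sender, trace):
    """Evaluate one ACL block in order, stopping at the first false condition.

    Returns "accept" or "deny" when the ACL finishes in this block, or None
    when processing should continue with the next block.
    """
    after_endpass = False
    for cond in conditions:
        if cond == ENDPASS:
            after_endpass = True
            continue
        result = cond(sender)
        trace.append(f"{verb}: {cond.__name__} = {'yes' if result else 'no'}")
        if result:
            continue
        # A false condition: what happens next depends on the verb.
        if verb == "require":
            return "deny"            # require: any failure is a rejection
        if verb == "accept" and after_endpass:
            return "deny"            # accept ... endpass: later failures reject
        trace.append(f"{verb}: condition test failed, next block")
        return None
    # Every condition was true.
    if verb in ("require", "warn"):
        return None                  # these verbs do not end the ACL
    return verb                      # "accept" or "deny"


def run_acl(acl, sender):
    """Run a list of (verb, conditions) blocks; end of ACL is an implicit deny."""
    trace = []
    for verb, conditions in acl:
        outcome = evaluate_block(verb, conditions, sender, trace)
        if outcome is not None:
            trace.append(f"{verb}: {outcome}")
            return outcome, trace
    trace.append("end of ACL: implicit DENY")
    return "deny", trace


# The ACL as posted: a single deny block with nothing after it.
ACL_AS_POSTED = [("deny", [not_whitelisted, blocklisted])]

# The same deny block followed by an unconditional accept, so that mail
# which is not denied is accepted instead of running into the implicit deny.
ACL_WITH_ACCEPT = ACL_AS_POSTED + [("accept", [])]


if __name__ == "__main__":
    for acl_name, acl in (("as posted", ACL_AS_POSTED), ("with accept", ACL_WITH_ACCEPT)):
        for sender in ("example@example.cloud", "someone@other.cloud", "bob@example.org"):
            outcome, trace = run_acl(acl, sender)
            print(f"[{acl_name}] {sender}: {outcome}")
            for line in trace:
                print("   ", line)
```

Running it shows the two points of the reply: for the whitelisted sender the first condition is "no", so the second lookup is never evaluated and the deny block is skipped (the behaviour Paul observed is the normal short-circuit), and with only a deny block in the ACL the message still ends in the implicit DENY that Heiko's swaks trace shows, which is why an accept block has to follow.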