
Using CIDR notation (i.e. /24) in Exim ACLs?

Discussion in 'General Discussion' started by sneader, Jan 4, 2007.

  1. sneader

    In Exim, I am using various RBLs. Sometimes I have the need to whitelist a certain IP, because the RBL provider has added a server that I don't want to block.

    The Exim ACL looks like this:

    HOST_WHITELIST=/etc/exim/acls/whitelist_from
    hostlist white_list_from = net-lsearch;HOST_WHITELIST

    I have a list of IPs that I maintain at /etc/exim/acls/whitelist_from

    The current problem is that various yahoogroups.com servers keep getting listed at CBL. It is really hard to keep up with the list of IPs.

    What I want to do is whitelist entire class C blocks of their servers, like:

    66.94.237.0 /24
    66.218.66.0 /24
    69.147.64.0 /24
    209.73.160.0 /24

    Currently I would have to list all 254 IPs in each of those blocks.

    In searching the Internet, I've found mention of replacing net-lsearch with net24-lsearch or net-iplsearch, but Exim barks at this when I try it.

    Can someone push me in the right direction?

    Thanks!

    - Scott
  2. chirpy

    CIDR notation should work just fine. Is the space between the IP address and the CIDR as listed above a typo, or are you actually putting a space between them? If so, don't use a space ;)
  3. sneader

    Hi Jonathan!

    With a list that looks like this:

    66.94.237.0 /24
    66.218.66.0 /24
    69.147.64.0 /24
    209.73.160.0 /24

    it does not work.

    If I put in specific IPs, like this:

    66.94.237.1
    66.94.237.2
    ...etc...
    66.94.237.254

    Then it works just fine.

    net-lsearch doesn't apparently work for CIDR addresses, or I'm doing something wrong. Here's the applicable config from exim.conf:

    HOST_WHITELIST=/etc/exim/acls/whitelist_from
    hostlist white_list_from = net-lsearch;HOST_WHITELIST

    (snip)

    begin acl

    (snip)

    # Accept mail from hosts in the White List
    accept hosts = +white_list_from

    (snip)


    With the above code, I can easily add whitelisted individual IPs, so they won't be blocked by a DNSBL (RBL) that I choose to override. But I cannot whitelist entire CIDR blocks.

    Any pointers would be GREATLY appreciated!!

    - Scott
  4. chirpy

    You're still listing the IPs with spaces. Have you tried:

    66.94.237.0/24
    66.218.66.0/24
    69.147.64.0/24
    209.73.160.0/24
  5. sneader

    Thanks for the help, and sorry, I didn't make it clear that I wasn't using spaces in the real file. I was careless in my first posting and was just using some examples (I should have done a cut and paste from the actual file). My apologies. In real life, I have not tried it using spaces, always xxx.xxx.xxx.0/24

    For the test, I had a friend that is on a dynamic IP (who is on both the combined.njabl.org and sorbs dul lists) try to connect and deliver a message to the server.

    Let's say his IP is 207.123.45.6

    In my text file /etc/exim/acls/whitelist_from, at the top of the list, I put:

    207.123.45.0/24

    He was still blocked. Then I changed it to:

    207.123.45.6

    And it let him send the message (it whitelisted him).

    Any other ideas would be appreciated. Otherwise, I may try the exim list, or delve even further into the documentation (hasn't helped so far).

    Thanks again!

    - Scott
  6. sneader

    Well, after plowing through the Exim documentation and not finding any clues, I started searching Google some more and didn't find anything, then I searched the Exim mailing list archives and found this clue:

    "net-lsearch is for 'plain IP lookups' but not masked... What you are really wanting (for a MIX of masked ranges and single IPs) is the net-iplsearch lookup type:

    drop hosts = net-iplsearch;/path/to/ipnets.blacklist"


    So, I tried net-iplsearch and it still did not work. But... remember my ACL looks like this...

    HOST_WHITELIST=/etc/exim/acls/whitelist_from
    hostlist white_list_from = net-lsearch;HOST_WHITELIST

    # Accept mail from hosts in the White List
    accept hosts = +white_list_from


    So, I decided to cut out all these pointers, and just do it like this (similar to the Exim mailing list example above):

    # HOST_WHITELIST=/etc/exim/acls/whitelist_from (commented out)
    # hostlist white_list_from = net-lsearch;HOST_WHITELIST (commented out)

    # Accept mail from hosts in the White List
    accept hosts = net-iplsearch;/etc/exim/acls/whitelist_from


    BINGO!!! It works like a champ!

    I never went back to see if the basic net-lsearch would have worked, without the pointers that I stopped using, but I'm just happy it's working!! Why ask why, right?

    - Scott
    #6 sneader, Jan 7, 2007
    Last edited: Jan 7, 2007
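    As an added illustration (not code from the thread or from Exim), the following Python model shows why the plain lookup failed and the masked lookup succeeded: net-lsearch compares the connecting host's address against the file keys as literal strings, while net-iplsearch treats each key as a network and tests containment. The whitelist contents below are constructed; note that an entry with a space before the mask is rejected by the parser rather than silently ignored.

```python
import ipaddress

# Constructed sample whitelist file, mixing single IPs and CIDR blocks
# the way /etc/exim/acls/whitelist_from does in the thread.
WHITELIST_TEXT = """\
# constructed entries: whitelisted blocks and one single host
66.94.237.0/24
66.218.66.0/24
207.123.45.6
"""


def parse_whitelist(text):
    """Return (networks, bad_lines).

    Each valid line becomes an ip_network (a bare address is a /32).
    Lines that do not parse, such as '1.2.3.0 /24' with a space before
    the mask, are reported so a typo cannot silently disable the entry.
    """
    networks, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            bad.append((lineno, raw))
    return networks, bad


def net_lsearch(ip, text):
    """Model of net-lsearch: exact string match of the address against keys."""
    keys = {line.split("#", 1)[0].strip() for line in text.splitlines()}
    return ip in keys


def net_iplsearch(ip, networks):
    """Model of net-iplsearch: match if any listed network contains the IP."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)
```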
  7. mickalo

    Where in the exim.conf did you insert the code:

    # Accept mail from hosts in the White List
    accept hosts = net-iplsearch;/etc/exim/acls/whitelist_from

    Mickalo
  8. sneader

    This is placed near the top of the section called "begin acl". Here is the top of my "begin acl" section of exim:

    begin acl

    # This access control list is used for every RCPT command in an incoming
    # SMTP message. The tests are run in order until the address is either
    # accepted or denied.

    check_recipient:

    # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
    # testing for an empty sending host field.

    accept hosts = :

    # Accept anything from localhost, and especially mailman which
    # chokes badly if you refuse its mail

    accept hosts = 127.0.0.1/8

    # Accept mail from hosts in the White List
    # accept hosts = +white_list_from (previous way I was doing it)
    accept hosts = net-iplsearch;/etc/exim/acls/whitelist_from

    # Deny if the local part contains . or @ or % or / or | or !. These are rarely
    (snip)
  9. mickalo

    Ok, got it ... thanks :)

    So you found this to work with CIDR masking then?

    Mickalo
  10. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,157
    Likes Received:
    43
    Trophy Points:
    178
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    Uh, yeah... that's the point of this whole thread. :)

    - Scott
  11. Kent Brockman

    Hello, I've tried this and it didn't work for me. I'm on a VPS with WHM 11.23.2 cPanel 11.23.6-S27698 and I need to block some large IP ranges in Exim.
    Is there any way to make it work?
  12. sneader

    This is nearly a 2 year old thread.

    You should no longer edit exim.conf to perform these IP blocks or whitelists. You will do this from WHM > Exim Configuration Editor. Take a look at:

    Blacklist: Drop connections from defined IP Blocks upon SMTP connection [EDIT]

    Where it says "EDIT" you can add large blocks of IPs, if you wish.

    Per the instructions:

    Hosts cannot be used in this list (example: mx1.cpanel.net)
    Ips can be used in this list (example: 127.0.0.1)
    Ip Blocks can be used in this list (example: 192.168.0.1/24)

    So, CIDR addressing works just fine.

    - Scott