The Community Forums


Using CIDR notation (i.e. /24) in Exim ACLs?

Discussion in 'General Discussion' started by sneader, Jan 4, 2007.

  1. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    In Exim, I am using various RBLs. Sometimes I have the need to whitelist a certain IP, because the RBL provider has added a server that I don't want to block.

    The Exim ACL looks like this:

    HOST_WHITELIST=/etc/exim/acls/whitelist_from
    hostlist white_list_from = net-lsearch;HOST_WHITELIST

    I have a list of IPs that I maintain at /etc/exim/acls/whitelist_from

    The current problem is that various yahoogroups.com servers keep getting listed at CBL. It is really hard to keep up with the list of IPs.

    What I want to do is whitelist entire class C blocks of their servers, like:

    66.94.237.0 /24
    66.218.66.0 /24
    69.147.64.0 /24
    209.73.160.0 /24

    Currently I would have to list all 254 IPs in each of those blocks.

    In searching the Internet, I've found mention of replacing net-lsearch with net24-lsearch or net-iplsearch, but Exim barks at this when I try it.

    Can someone push me in the right direction?

    Thanks!

    - Scott
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    CIDR notation should work just fine. Is the space between the IP address and the CIDR as listed above a typo, or are you actually putting a space between them? If so, don't use a space ;)
     
  3. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    Hi Jonathan!

    With a list that looks like this:

    66.94.237.0 /24
    66.218.66.0 /24
    69.147.64.0 /24
    209.73.160.0 /24

    it does not work.

    If I put in specific IPs, like this:

    66.94.237.1
    66.94.237.2
    ...etc...
    66.94.237.254

    Then it works just fine.

    net-lsearch doesn't apparently work for CIDR addresses, or I'm doing something wrong. Here's the applicable config from exim.conf:

    HOST_WHITELIST=/etc/exim/acls/whitelist_from
    hostlist white_list_from = net-lsearch;HOST_WHITELIST

    (snip)

    begin acl

    (snip)

    # Accept mail from hosts in the White List
    accept hosts = +white_list_from

    (snip)


    With the above code, I can easily add whitelisted individual IPs, so they won't be blocked by a DNSBL (RBL) that I choose to override. But I cannot whitelist entire CIDR blocks.

    Any pointers would be GREATLY appreciated!!

    - Scott
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    You're still listing the IPs with spaces; have you tried:

    66.94.237.0/24
    66.218.66.0/24
    69.147.64.0/24
    209.73.160.0/24
     
  5. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    Thanks for the help, and sorry, I didn't make it clear that I wasn't using spaces in the real file. I was careless in my first posting and was just using some examples (I should have done a cut and paste from the actual file). My apologies. In real life, I have not tried it using spaces, always xxx.xxx.xxx.0/24

    For the test, I had a friend that is on a dynamic IP (who is on both the combined.njabl.org and sorbs dul lists) try to connect and deliver a message to the server.

    Let's say his IP is 207.123.45.6

    In my text file /etc/exim/acls/whitelist_from, at the top of the list, I put:

    207.123.45.0/24

    He was still blocked. Then I changed it to:

    207.123.45.6

    And it let him send the message (it whitelisted him).

    Any other ideas would be appreciated. Otherwise, I may try the exim list, or delve even further into the documentation (hasn't helped so far).

    Thanks again!

    - Scott
     
  6. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    Well, after plowing through the Exim documentation and not finding any clues, I started searching Google some more and didn't find anything, then I searched the Exim mailing list archives and found this clue:

    "net-lsearch is for 'plain IP lookups' but not masked... What you are really wanting (for a MIX of masked ranges and single IPs) is the net-iplsearch lookup type:

    drop hosts = net-iplsearch;/path/to/ipnets.blacklist"


    So, I tried net-iplsearch and it still did not work. But... remember my ACL looks like this...

    HOST_WHITELIST=/etc/exim/acls/whitelist_from
    hostlist white_list_from = net-lsearch;HOST_WHITELIST

    # Accept mail from hosts in the White List
    accept hosts = +white_list_from


    So, I decided to cut out all these pointers, and just do it like this (similar to the Exim mailing list example above):

    # HOST_WHITELIST=/etc/exim/acls/whitelist_from (commented out)
    # hostlist white_list_from = net-lsearch;HOST_WHITELIST (commented out)

    # Accept mail from hosts in the White List
    accept hosts = net-iplsearch;/etc/exim/acls/whitelist_from


    BINGO!!! It works like a champ!

    I never went back to see if the basic net-lsearch would have worked, without the pointers that I stopped using, but I'm just happy it's working!! Why ask why, right?

    - Scott
     
    #6 sneader, Jan 7, 2007
    Last edited: Jan 7, 2007
  7. mickalo

    mickalo Well-Known Member

    Joined:
    Apr 16, 2002
    Messages:
    765
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    N.W. Iowa
    Where in the exim.conf did you insert this code?

    # Accept mail from hosts in the White List
    accept hosts = net-iplsearch;/etc/exim/acls/whitelist_from

    Mickalo
     
  8. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    This is placed near the top of the section called "begin acl". Here is the top of my "begin acl" section of exim:

    begin acl

    # This access control list is used for every RCPT command in an incoming
    # SMTP message. The tests are run in order until the address is either
    # accepted or denied.

    check_recipient:

    # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
    # testing for an empty sending host field.

    accept hosts = :

    # Accept anything from localhost, and especially mailman which
    # chokes badly if you refuse its mail

    accept hosts = 127.0.0.1/8

    # Accept mail from hosts in the White List
    # accept hosts = +white_list_from (previous way I was doing it)
    accept hosts = net-iplsearch;/etc/exim/acls/whitelist_from

    # Deny if the local part contains . or @ or % or / or | or !. These are rarely
    (snip)
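To make the difference between the two lookup types concrete (post #6) and to show why the order of the check_recipient ACL matters (post #8), here is an added, offline Python model. It is illustration code written for this thread, not Exim's own implementation and not anything posted by Scott: the whitelist file contents are constructed, the DNSBL answer is a stand-in set rather than a real DNS query, and the function names are the example's own. The model of net-lsearch treats the sender address as a literal string key, so a CIDR line can never match it; the model of net-iplsearch treats each line as a network and asks whether the sender falls inside it. It also shows what happens to a line written with a space before the prefix, the typo chirpy asked about.

```python
"""
Offline model of the Exim hostlist lookups and ACL order discussed in the
thread. Added example, not Exim source and not the poster's configuration.
"""
import ipaddress

# Constructed stand-in for /etc/exim/acls/whitelist_from: CIDR blocks, a
# single address, and one malformed line with a space before the prefix.
WHITELIST_FROM = """\
# constructed example contents, not a real whitelist file
66.94.237.0/24
66.218.66.0/24
207.123.45.6
10.0.0.0 /8
"""


def parse_entries(text):
    """Return (valid_networks, rejected_lines).

    A bare address becomes a /32 (or /128) network so single IPs and
    CIDR blocks can be matched the same way. Lines that are not a valid
    address or address/prefix are reported rather than silently dropped.
    """
    valid, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False tolerates host bits set, e.g. 127.0.0.1/8
            valid.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(raw)   # "10.0.0.0 /8" lands here
    return valid, rejected


def plain_lookup(sender_ip, text):
    """Model of net-lsearch: the sender address must equal a key exactly."""
    keys = {raw.split("#", 1)[0].strip() for raw in text.splitlines()}
    return sender_ip in keys


def ip_lookup(sender_ip, text):
    """Model of net-iplsearch: return the first entry containing the sender,
    or None when nothing matches."""
    addr = ipaddress.ip_address(sender_ip)
    valid, _ = parse_entries(text)
    for net in valid:
        if addr.version == net.version and addr in net:
            return str(net)
    return None


def check_recipient(sender_ip, whitelist_text, rbl_listed):
    """Model of the thread's check_recipient ACL order: first match wins.

    rbl_listed is a constructed stand-in for a DNSBL answer (the deny rule
    itself sits in the snipped part of the posted config, so its exact form
    is an assumption). Returns (verdict, rule_that_fired).
    """
    if sender_ip == "":                                   # accept hosts = :
        return ("accept", "local")
    addr = ipaddress.ip_address(sender_ip)
    if addr in ipaddress.ip_network("127.0.0.1/8", strict=False):
        return ("accept", "localhost")                    # accept hosts = 127.0.0.1/8
    hit = ip_lookup(sender_ip, whitelist_text)            # accept hosts = net-iplsearch;...
    if hit:
        return ("accept", "whitelist " + hit)
    if sender_ip in rbl_listed:                           # the later DNSBL deny
        return ("deny", "dnsbl")
    return ("continue", None)


if __name__ == "__main__":
    valid, rejected = parse_entries(WHITELIST_FROM)
    print("usable entries:", [str(n) for n in valid])
    print("rejected lines:", rejected)
    for ip in ("66.94.237.17", "207.123.45.6", "207.123.45.7", "10.1.2.3"):
        print(ip, "plain:", plain_lookup(ip, WHITELIST_FROM),
              "network:", ip_lookup(ip, WHITELIST_FROM))
    print(check_recipient("207.123.45.7", WHITELIST_FROM, {"207.123.45.7"}))
```

Running it shows the two observations from the thread side by side: 66.94.237.17 is inside 66.94.237.0/24 for the network lookup but never equals that key as a string, and 207.123.45.6 matches either way only once it is listed as a bare address. The rejected "10.0.0.0 /8" line means 10.1.2.3 is not whitelisted at all, which is the quiet failure a space in the file produces. The ACL model makes the ordering point explicit: a whitelist accept that comes after the DNSBL deny would never be reached for a listed host.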
     
  9. mickalo

    mickalo Well-Known Member

    Joined:
    Apr 16, 2002
    Messages:
    765
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    N.W. Iowa
    Ok, got it ... thx's :)

    So you found this to work with CIDR masking then?

    Mickalo
     
  10. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    Uh, yeah... that's the point of this whole thread. :)

    - Scott
     
  11. Kent Brockman

    Kent Brockman Well-Known Member

    Joined:
    Jan 20, 2008
    Messages:
    1,130
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Buenos Aires, Argentina
    cPanel Access Level:
    Root Administrator
    Hello, I've tried this and it didn't work for me. I'm on a VPS with WHM 11.23.2 cPanel 11.23.6-S27698 and I need to block some large IP ranges in Exim.
    Is there any way to make it work?
     
  12. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    This is nearly a 2 year old thread.

    You should no longer edit exim.conf to perform these IP blocks or whitelists. You will do this from WHM > Exim Configuration Editor. Take a look at:

    Blacklist: Drop connections from defined IP Blocks upon SMTP connection [EDIT]

    Where it says "EDIT" you can add large blocks of IPs, if you wish.

    Per the instructions:

    Hosts cannot be used in this list (example: mx1.cpanel.net)
    Ips can be used in this list (example: 127.0.0.1)
    Ip Blocks can be used in this list (example: 192.168.0.1/24)

    So, CIDR addressing works just fine.

    - Scott
     