Using CIDR notation (i.e. /24) in Exim ACLs?

sneader

Well-Known Member
Aug 21, 2003
1,195
68
178
La Crosse, WI
cPanel Access Level
Root Administrator
In Exim, I am using various RBLs. Sometimes I have the need to whitelist a certain IP, because the RBL provider has added a server that I don't want to block.

The Exim ACL looks like this:

HOST_WHITELIST=/etc/exim/acls/whitelist_from
hostlist white_list_from = net-lsearch;HOST_WHITELIST

I have a list of IPs that I maintain at /etc/exim/acls/whitelist_from

The current problem is that various yahoogroups.com servers keep getting listed at CBL. It is really hard to keep up with the list of IPs.

What I want to do is whitelist entire class C blocks of their servers, like:

66.94.237.0 /24
66.218.66.0 /24
69.147.64.0 /24
209.73.160.0 /24

Currently I would have to list all 254 IPs in each of those blocks.

In searching the Internet, I've found mention of replacing net-lsearch with net24-lsearch or net-iplsearch, but Exim barks at this when I try it.

Can someone push me in the right direction?

Thanks!

- Scott
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
13,437
34
473
Go on, have a guess
CIDR notation should work just fine. Is the space between the IP address and the CIDR as listed above a typo, or are you actually putting a space between them? If so, don't use a space ;)
 

sneader

Well-Known Member
Aug 21, 2003
1,195
68
178
La Crosse, WI
cPanel Access Level
Root Administrator
Hi Jonathan!

With a list that looks like this:

66.94.237.0 /24
66.218.66.0 /24
69.147.64.0 /24
209.73.160.0 /24

it does not work.

If I put in specific IPs, like this:

66.94.237.1
66.94.237.2
...etc...
66.94.237.254

Then it works just fine.

net-lsearch doesn't apparently work for CIDR addresses, or I'm doing something wrong. Here's the applicable config from exim.conf:

HOST_WHITELIST=/etc/exim/acls/whitelist_from
hostlist white_list_from = net-lsearch;HOST_WHITELIST

(snip)

begin acl

(snip)

# Accept mail from hosts in the White List
accept hosts = +white_list_from

(snip)


With the above code, I can easily add whitelisted individual IPs, so they won't be blocked by a DNSBL (RBL) that I choose to override. But I cannot whitelist entire CIDR blocks.

Any pointers would be GREATLY appreciated!!

- Scott
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,437
34
473
Go on, have a guess
You're still listing the IPs with spaces; have you tried:

66.94.237.0/24
66.218.66.0/24
69.147.64.0/24
209.73.160.0/24
 

sneader

Well-Known Member
Aug 21, 2003
1,195
68
178
La Crosse, WI
cPanel Access Level
Root Administrator
Thanks for the help, and sorry, I didn't make it clear that I wasn't using spaces in the real file. I was careless in my first posting and was just using some examples (I should have done a cut and paste from the actual file). My apologies. In real life, I have not tried it using spaces, always xxx.xxx.xxx.0/24

For the test, I had a friend that is on a dynamic IP (who is on both the combined.njabl.org and sorbs dul lists) try to connect and deliver a message to the server.

Let's say his IP is 207.123.45.6

In my text file /etc/exim/acls/whitelist_from, at the top of the list, I put:

207.123.45.0/24

He was still blocked. Then I changed it to:

207.123.45.6

And it let him send the message (it whitelisted him).

Any other ideas would be appreciated. Otherwise, I may try the exim list, or delve even further into the documentation (hasn't helped so far).

Thanks again!

- Scott
 

sneader

Well-Known Member
Aug 21, 2003
1,195
68
178
La Crosse, WI
cPanel Access Level
Root Administrator
Well, after plowing through the Exim documentation and not finding any clues, I started searching Google some more and didn't find anything, then I searched the Exim mailing list archives and found this clue:

"net-lsearch is for 'plain IP lookups' but not masked... What you are really wanting (for a MIX of masked ranges and single IPs) is the net-iplsearch lookup type:

drop hosts = net-iplsearch;/path/to/ipnets.blacklist"


So, I tried net-iplsearch and it still did not work. But... remember my ACL looks like this...

HOST_WHITELIST=/etc/exim/acls/whitelist_from
hostlist white_list_from = net-lsearch;HOST_WHITELIST

# Accept mail from hosts in the White List
accept hosts = +white_list_from


So, I decided to cut out all these pointers, and just do it like this (similar to the Exim mailing list example above):

# HOST_WHITELIST=/etc/exim/acls/whitelist_from (commented out)
# hostlist white_list_from = net-lsearch;HOST_WHITELIST (commented out)

# Accept mail from hosts in the White List
accept hosts = net-iplsearch;/etc/exim/acls/whitelist_from


BINGO!!! It works like a champ!

I never went back to see if the basic net-lsearch would have worked, without the pointers that I stopped using, but I'm just happy it's working!! Why ask why, right?

- Scott
 
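The whole thread turns on what the lookup does with each line of /etc/exim/acls/whitelist_from, so here is an added example (not code from the thread or from Exim) that parses a file in the format used above, flags lines a CIDR lookup would never match (the "66.94.238.0 /24" form with a space), reports which entry a connecting IP hits, and counts how many addresses the list exempts from the RBL checks, which is the figure worth knowing before whitelisting someone else's /24. The sample file contents are constructed for illustration, and the parser is a deliberate simplification: it reads bare keys (one IP or CIDR block per line, `#` comments) and does not handle the quoted IPv6 keys or trailing data fields Exim's own iplsearch lookup accepts.

```python
"""Lint an Exim host-list file of the kind used with net-iplsearch and test
which entry a connecting IP would match.  Added example, not from the thread."""
import ipaddress
import re

# Constructed sample of /etc/exim/acls/whitelist_from (not the poster's file).
# Line 7 carries the "IP<space>/24" mistake discussed in the thread.
SAMPLE_WHITELIST = """\
# mailing-list sender ranges (illustrative values)
66.94.237.0/24
66.218.66.0/24
69.147.64.0/24
209.73.160.0/24
207.123.45.6
66.94.238.0 /24
"""


def parse_hostlist(text):
    """Parse a net-iplsearch style file: one IP or CIDR block per line,
    '#' comments and blank lines ignored.

    Returns (entries, problems).  entries is a list of (line_no, network)
    in file order; a bare IP becomes a /32 (or /128) network.  problems is a
    list of (line_no, raw_line, reason) for lines that would never match.
    """
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.search(r"\s", line):
            # "66.94.238.0 /24" is two tokens, not one CIDR block.
            problems.append((lineno, raw,
                             "whitespace inside entry; write a.b.c.d/24 with no space"))
            continue
        try:
            # strict=False accepts host bits set in the prefix, e.g. 192.168.0.1/24
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            problems.append((lineno, raw, "not a valid IP address or CIDR block"))
            continue
        entries.append((lineno, net))
    return entries, problems


def find_match(entries, ip):
    """Return (line_no, network) of the first entry containing ip, else None.
    First match wins, mirroring a top-to-bottom scan of the file."""
    addr = ipaddress.ip_address(ip)
    for lineno, net in entries:
        if addr.version == net.version and addr in net:
            return lineno, net
    return None


def exempted_hosts(entries):
    """Number of distinct addresses the list lets bypass the RBL checks.
    Overlapping blocks are collapsed so nothing is counted twice."""
    total = 0
    for version in (4, 6):
        nets = [n for _, n in entries if n.version == version]
        total += sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return total


def lint_report(text, probe_ips=()):
    """Human-readable summary: entry count, exempted addresses, bad lines,
    and the matching entry for each probe IP."""
    entries, problems = parse_hostlist(text)
    lines = [f"{len(entries)} usable entries, {exempted_hosts(entries)} addresses exempted"]
    for lineno, raw, reason in problems:
        lines.append(f"line {lineno}: {raw!r}: {reason}")
    for ip in probe_ips:
        hit = find_match(entries, ip)
        lines.append(f"{ip}: " + (f"matches line {hit[0]} ({hit[1]})" if hit else "no match"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(lint_report(SAMPLE_WHITELIST,
                      ["66.94.237.77", "66.94.238.5", "207.123.45.6", "207.123.45.7"]))
```

Run it against the real file by reading it into `lint_report` and probing with the IP that was wrongly blocked; a "no match" next to a line flagged for whitespace is exactly the symptom described above, and the exempted-address count makes the cost of each /24 explicit.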

mickalo

Well-Known Member
Apr 16, 2002
782
5
318
N.W. Iowa
Where in the exim.conf did you insert the code:
Code:
# Accept mail from hosts in the White List
accept hosts = net-iplsearch;/etc/exim/acls/whitelist_from
Mickalo
 

sneader

Well-Known Member
Aug 21, 2003
1,195
68
178
La Crosse, WI
cPanel Access Level
Root Administrator
This is placed near the top of the section called "begin acl". Here is the top of my "begin acl" section of exim:

begin acl

# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.

check_recipient:

# Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
# testing for an empty sending host field.

accept hosts = :

# Accept anything from localhost, and especially mailman which
# chokes badly if you refuse its mail

accept hosts = 127.0.0.1/8

# Accept mail from hosts in the White List
# accept hosts = +white_list_from (previous way I was doing it)
accept hosts = net-iplsearch;/etc/exim/acls/whitelist_from

# Deny if the local part contains . or @ or % or / or | or !. These are rarely
(snip)
 

mickalo

Well-Known Member
Apr 16, 2002
782
5
318
N.W. Iowa
Ok, got it ... thanks :)

So you found this to work with CIDR masking then?

Mickalo
 

Kent Brockman

Well-Known Member
PartnerNOC
Jan 20, 2008
1,354
79
178
Buenos Aires, Argentina
cPanel Access Level
Root Administrator
Hello, I've tried this and it didn't work for me. I'm on a VPS with WHM 11.23.2 cPanel 11.23.6-S27698 and I need to block some large IP ranges in Exim.
Is there any way to make it work?
 

sneader

Well-Known Member
Aug 21, 2003
1,195
68
178
La Crosse, WI
cPanel Access Level
Root Administrator
This is nearly a 2 year old thread.

You should no longer edit exim.conf to perform these IP blocks or whitelists. You will do this from WHM > Exim Configuration Editor. Take a look at:

Blacklist: Drop connections from defined IP Blocks upon SMTP connection [EDIT]

Where it says "EDIT" you can add large blocks of IPs, if you wish.

Per the instructions:

Hosts cannot be used in this list (example: mx1.cpanel.net)
Ips can be used in this list (example: 127.0.0.1)
Ip Blocks can be used in this list (example: 192.168.0.1/24)

So, CIDR addressing works just fine.

- Scott