sullise said:
While I respect the opinion...don't see why you found the need to solicit the opinion of "a bunch of people". LOL.
Because I could always be wrong.
I don't see a reason for not checking to see if others agree with me. And I'm certainly willing to say so when I've been wrong.
Is there any realistic reason NOT to do it other then it goes against the opinion of a "bunch of people"? Will it cause security problems, servers to crash, upgrade problems?
It will not cause security problems. It will definitely use more machine resources during, for example, a dictionary attack.
Why? Because each email coming in will have to go through the entire multi-packet-exchange smtp handshake (ehlo, mail-from, rcpt-to) before exim (running as a user process) will check it against files on disk to see if it should be accepted or not.
If you use iptables (the userspace interface to the kernel's netfilter), the packet is blocked the moment it's matched against a list residing in memory.
Don't get me wrong, I respect your opinion, just curious as to why it's an issue to begin with.
Being that I wrote the exim blocklist code we're debating, I'm concerned about people having higher expectations for it than they should have.
There are always more than one way to address an issue and not all will be the 'best', but that doesn't mean they are wrong or don't work. And I think oxy made some compelling statements as to his reasoning.
The "constantly changing deny chain"? A read on the differences between how ipchains and iptables work is probably in order, though it's probably too technical by several orders of magnitude for a discussion here. And even if we were using chains rather than hashed tables in memory we'd still have all the advantages of the efficient kernel code rather than the slow interpreted lookup (note the code isn't interpreted, but each exim thread must read and interpret the entire exim.conf file, and then in the case of ACLs, read each of the referenced files completely) of exim.
Here's an appropriate quote from a post to exim-users made Jan 17, 2006 by Dr Philip Hazel, the author of exim:
Remember that every Exim process reads and processes the config file when it starts up, and this happens a lot. I used to get worried at the amount of processing this might require, but nobody else seems to care.
I'm not saying that exim isn't great. I'm not saying that exim isn't elegant. I'm not saying that exim isn't easy to use.
I'm only saying under certain circumstances (and a dictionary attack from one IP# is certainly one of them) exim is slower than using filter tables already built into the kernel.
Jeff