Re: [AMaViS-user] set policy bank for remote IP address not in MYNETWORKS?

Mark Martinec Fri, 06 Feb 2009 13:31:58 -0800

> Perhaps the following could do (just a sequential search list
> of pairs, the first is an argument to lookup_ip_acl, the second
> is a policy name):
>
> my(@some_other_networks) = qw( 10.0.1.0/24 10.0.2.0/24 );
>
> @client_ip_addr_policy = (
>   [ qw(0.0.0.0/8 127.0.0.1/8 [::] [::1]) ]            => 'LOCALHOST',
>   [ qw(!172.16.1.0/24 172.16.0.0/12 192.168.0.0/16) ] => 'MYPRIVATENETS',
>   [ qw(192.0.2.0/25 192.0.2.129 192.0.2.130) ]        => 'PARTNER',
>   \...@some_other_networks  => 'OTHER',
>   \...@mynetworks           => 'MYNETS',
> );


Try the following patch. Implements the above, just
note a change in a variable name, it's @client_ipaddr_policy,
not @client_ip_addr_policy.

The default setting for @client_ipaddr_policy is compatible
with existing code:
  @client_ip_addr_policy = ( \...@mynetworks => 'MYNETS' );


--- amavisd.orig        2008-12-15 01:50:09.000000000 +0100
+++ amavisd     2009-02-06 22:12:27.000000000 +0100
@@ -312,5 +312,5 @@
       %signed_header_fields @dkim_signature_options_bysender_maps
 
-      @local_domains_maps @mynetworks_maps
+      @local_domains_maps @mynetworks_maps @client_ipaddr_policy
       @newvirus_admin_maps @banned_filename_maps
       @spam_quarantine_bysender_to_maps
@@ -357,5 +357,6 @@
       $min_servers $min_spare_servers $max_spare_servers
       $child_timeout $smtpd_timeout
-      %current_policy_bank %policy_bank %interface_policy
+      %current_policy_bank %policy_bank
+      %interface_policy @client_ipaddr_policy
       $unix_socketname $inet_socket_port $inet_socket_bind $listen_queue_size
       $smtp_connection_cache_on_demand $smtp_connection_cache_enable
@@ -1353,4 +1354,6 @@
     \%local_domains, \...@local_domains_acl, \$local_domains_re);
   @mynetworks_maps = (\...@mynetworks);
+  @client_ipaddr_policy = map { $_ => 'MYNETS' } @mynetworks_maps;
+
   @bypass_virus_checks_maps = (
     \%bypass_virus_checks, \...@bypass_virus_checks_acl, 
\$bypass_virus_checks_re);
@@ -8874,13 +8877,16 @@
     if (ref($r) eq 'ARRAY')    # should be a ref to single IP lookup table
       { $policy_bank{$bank_name}{'inet_acl'} = Amavis::Lookup::IP->new(@$r) }
-    $r = $policy_bank{$bank_name}{'mynetworks_maps'};  # ref to list of tables
+    $r = $policy_bank{$bank_name}{'client_ipaddr_policy'};  # listref of pairs
     if (ref($r) eq 'ARRAY') {  # should be an array, test just to make sure
-      for my $table (@$r) # replace plain lists with Amavis::Lookup::IP objects
-        { $table = Amavis::Lookup::IP->new(@$table) if ref($table) eq 'ARRAY' }
+      my($odd) = 1;
+      for my $table (@$r) {  # replace plain lists with Amavis::Lookup::IP obj.
+        $table = Amavis::Lookup::IP->new(@$table)
+          if $odd && ref($table) eq 'ARRAY';
+        $odd = !$odd;
+      }
     }
   }
 }
 
-
 # initialize some remaining global variables in a master process;
 # invoked after chroot and after privileges have been dropped, before forking
@@ -15343,18 +15351,30 @@
     my($cl_ip)  = $msginfo->client_addr;
     my($cl_src) = $msginfo->client_source;
-    # treat unknown client IP address as 0.0.0.0, from "This" Network, rfc1700
-  # my($cl_ip_mynets) = defined $cl_src
-  #   ? (uc($cl_src) eq 'LOCAL' ? 1 : 0)     # local_header_rewrite_clients
-  #   : lookup_ip_acl(!defined($cl_ip) || $cl_ip eq '' ? '0.0.0.0' : $cl_ip,
-  #                   @{ca('mynetworks_maps')});
-    my($cl_ip_mynets) =
-        lookup_ip_acl(!defined($cl_ip) || $cl_ip eq '' ? '0.0.0.0' : $cl_ip,
-                      @{ca('mynetworks_maps')});
+    my($cl_ip_mynets, $policy_name_requested);
+    { 
+      my($cl_ip_tmp) = $cl_ip;
+      # treat unknown client IP address as 0.0.0.0, from "This" Network,rfc1700
+      $cl_ip_tmp = '0.0.0.0'  if !defined($cl_ip) || $cl_ip eq '';
+      my(@cp) = @{ca('client_ipaddr_policy')};
+      do_log(-1,"\...@client_ipaddr_policy must contain pairs, ".
+                "number of elements is not even")  if @cp % 2 != 0;
+      while (@cp) {
+        my($lookup_table) = shift(@cp);  my($policy_name) = shift(@cp);
+        if (lookup_ip_acl($cl_ip_tmp, $lookup_table)) {
+          if (defined $policy_name && $policy_name ne '') {
+            $policy_name_requested = $policy_name;
+            $cl_ip_mynets = 1  if $policy_name eq 'MYNETS';  # compatibility
+          }
+          last;
+        }
+      }
+    }
     $msginfo->client_addr_mynets($cl_ip_mynets);
     if (($cl_ip_mynets?1:0) > ($msginfo->originating?1:0)) {
       $current_policy_bank{'originating'} = $cl_ip_mynets;  # compatibility
     }
-    if ($cl_ip_mynets && defined $policy_bank{'MYNETS'}) {
-      Amavis::load_policy_bank('MYNETS');
+    if (defined $policy_name_requested &&
+        defined $policy_bank{$policy_name_requested}) {
+      Amavis::load_policy_bank($policy_name_requested);
     }
     for my $bank_name (@$bank_names_ref) {  # additional banks from the request
@@ -15989,17 +16009,30 @@
         my($cl_port)= $xforward_args{'PORT'};
         my($cl_src) = $xforward_args{'SOURCE'};  # local_header_rewrite_clients
-        # treat unknown client IP addr as 0.0.0.0, from "This" Network, rfc1700
-      # my($cl_ip_mynets) = defined $cl_src
-      #   ? (uc($cl_src) eq 'LOCAL' ? 1 : 0)     # local_header_rewrite_clients
-      #   : lookup_ip_acl(!defined($cl_ip)||$cl_ip eq '' ? '0.0.0.0' : $cl_ip,
-      #                   @{ca('mynetworks_maps')});
-        my($cl_ip_mynets) =
-            lookup_ip_acl(!defined($cl_ip)||$cl_ip eq '' ? '0.0.0.0' : $cl_ip,
-                          @{ca('mynetworks_maps')});
+        my($cl_ip_mynets, $policy_name_requested);
+        { 
+          my($cl_ip_tmp) = $cl_ip;
+          # treat unknown client IP address as 0.0.0.0,
+          # from "This" Network, rfc1700
+          $cl_ip_tmp = '0.0.0.0'  if !defined($cl_ip) || $cl_ip eq '';
+          my(@cp) = @{ca('client_ipaddr_policy')};
+          do_log(-1,"\...@client_ipaddr_policy must contain pairs, ".
+                    "number of elements is not even")  if @cp % 2 != 0;
+          while (@cp) {
+            my($lookup_table) = shift(@cp);  my($policy_name) = shift(@cp);
+            if (lookup_ip_acl($cl_ip_tmp, $lookup_table)) {
+              if (defined $policy_name && $policy_name ne '') {
+                $policy_name_requested = $policy_name;
+                $cl_ip_mynets = 1  if $policy_name eq 'MYNETS'; # compatibility
+              }
+              last;
+            }
+          }
+        }
         if (($cl_ip_mynets?1:0) > ($msginfo->originating?1:0)) {
           $current_policy_bank{'originating'} = $cl_ip_mynets;  # compatibility
         }
-        if ($cl_ip_mynets && defined $policy_bank{'MYNETS'}) {
-          Amavis::load_policy_bank('MYNETS');
+        if (defined $policy_name_requested &&
+            defined $policy_bank{$policy_name_requested}) {
+          Amavis::load_policy_bank($policy_name_requested);
         }
         $msginfo->originating(c('originating'));



Mark

------------------------------------------------------------------------------
Create and Deploy Rich Internet Apps outside the browser with Adobe(R)AIR(TM)
software. With Adobe AIR, Ajax developers can use existing skills and code to
build responsive, highly engaging applications that combine the power of local
resources and data with the reach of the web. Download the Adobe AIR SDK and
Ajax docs to start building applications today-http://p.sf.net/sfu/adobe-com
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/amavis-user 
 AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 
 AMaViS-HowTos:http://www.amavis.org/howto/

Re: [AMaViS-user] set policy bank for remote IP address *not* in MYNETWORKS?

Reply via email to

Re: [AMaViS-user] set policy bank for remote IP address not in MYNETWORKS?