> From: John L <[EMAIL PROTECTED]>

> I just upgraded from 1.3.25 to 1.3.49, and the IP whitelisting has 
> changed, marking a whole lot of mail as whitelisted that never used to be. 
> I use a perl script that feeds incoming mail through dccifd, and I'm 
> seeing reports like this:
>
> X-DCC-IECC-Metrics: tom.iecc.com 1107; IP=ok Body=1 Fuz1=many Fuz2=many
>
> As far as I can tell, none of the IPs in the message headers match any of 
> the IPs in the whitelist files.  How can I even tell what IP it thinks 
> it's whitelisting?

To see what the DCC client thinks it is doing, check the log files.
dccifd discloses what it thinks is the SMTP client IP address
in /var/dcc/log/... files.  It may be necessary to set DCCM_LOG_AT=0
in /var/dcc/dcc_conf (or DCCIFD_LOG_AT) to generate the necessary log files.

One can also use dccproc to guess what dccifd is doing.  For example,
I put modified copies of John's message in /tmp/q and tried
  dccproc -QCi /tmp/q -El /tmp -call,0 -R -wwhiteclnt
to see if I could figure out anything from the resulting /tmp/msg.* files.

I wonder if the relevant change between 1.3.25 and 1.3.49 is related to
this CHANGES file note for 1.3.32:

    Recognize some more qmail variations of Received headers for obtaining
        IP addresses.

If not told the SMTP client IP explicitly, dccifd tries to guess from
Received headers.  It skips Received headers with IP addresses that are
listed as MX or MXDCC in /var/dcc/whiteclnt.  Perhaps by skipping more
of qmail's useless noise Received: headers, dccifd is now reaching a
Received: header with an IP address marked "OK" in /var/dcc/whiteclnt.

  ....

Note that local SMTP client IP addresses should often be marked
"SUBMIT" instead of "OK."   The `man dcc` page now says:

       MX
       MXDCC
             marks an IP address or block of addresses that are
             SMTP MX servers for your mail system.  The DCC
             clients dccm(8), dccifd(8), and dccproc(8) skip initial
             Received: headers added by listed MX servers to
             determine the external sources of mail messages.
             Unsolicited bulk mail that has been forwarded through
             listed addresses is discarded by dccm(8) and
             dccifd(8) as if with -a DISCARD instead of rejected.
             MXDCC marks addresses that are MX servers that run
             DCC clients.  The checksums for a mail message that
             has been forwarded through an address listed as MXDCC
             queried as if -Q had been used instead of reported.
       submit
             marks an IP address or CIDR block addresses of SMTP
             submission clients such as web browsers that cannot
             tolerate 4yz temporary rejections but that cannot be
             trusted to not send spam.  This does the equivalent
             of the whiteclnt option forced-discard-ok.


Vernon Schryver    [EMAIL PROTECTED]
_______________________________________________
DCC mailing list      [email protected]
http://www.rhyolite.com/mailman/listinfo/dcc
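
The Received-header walk described in the reply above, as an added example that is not part of the original message and is not DCC's code. It is a simplified model: the whiteclnt sample, the message, the function names, and the rule that headers without a bracketed IPv4 address are skipped are all assumptions made for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed whiteclnt excerpt: "keyword ip address-or-CIDR" lines only.
WHITECLNT = """\
mx      ip  192.0.2.10
mxdcc   ip  192.0.2.20
ok      ip  198.51.100.0/24   # broad OK entry that ends up matching
submit  ip  203.0.113.0/24
"""
# Constructed message: a qmail noise header, a local MX hop, then the sender.
MESSAGE = """\
Received: (qmail 1234 invoked from network); 1 Jan 2007 00:00:02 -0000
Received: from mx1.example.net (192.0.2.10)
  by mail.example.net with SMTP; 1 Jan 2007 00:00:01 -0000
Received: from relay.example.org (HELO relay.example.org) (198.51.100.7)
  by mx1.example.net with SMTP; 1 Jan 2007 00:00:00 -0000
Subject: test

body
"""
# Assumption: the client address appears as (a.b.c.d) or [a.b.c.d].
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def load_ip_entries(text):
    """Return [(keyword, network)] for the IP lines of a whiteclnt-style file."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 3 and fields[1].lower() == "ip":
            net = ipaddress.ip_network(fields[2], strict=False)
            entries.append((fields[0].lower(), net))
    return entries

def classify(addr, entries):
    ip = ipaddress.ip_address(addr)
    return next((kw for kw, net in entries if ip in net), None)

def guess_client(message_text, entries):
    """Walk Received: headers top down, skipping MX/MXDCC and IP-less hops."""
    trace = []
    for hdr in message_from_string(message_text).get_all("Received", []):
        m = IP_RE.search(hdr)
        ip = m.group(1) if m else None
        kw = classify(ip, entries) if ip else "no-ip"
        trace.append((ip, kw))
        if kw not in ("mx", "mxdcc", "no-ip"):
            return ip, kw, trace  # first hop that is not ours
    return None, None, trace
```

The returned trace shows which headers were skipped and which address finally matched an "ok" entry, which is the question the original poster was asking.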