> From: Irelann Anderson
>
> We've been experimenting with IPv6 for years, but real deployment has been going on for only a few months. I recently noticed we had internal mail clients and servers that were getting greylisted and I wanted to whitelist our entire IPv6 block for now. My initial go at this was to add the following line to grey_whitelist:
>
>     ok IP 2610:48::/32
>
> However dbclean produced the message:
>
>     CIDR block length in 2610:48::/32 too large in line 24 of /var/dcc/grey_whitelist
>
> On looking at the source code, it appears that I can't specify a prefix shorter than /112. Since the smallest network you would normally use in IPv6 has a prefix of /64, that makes whitelisting by network block a bit difficult in IPv6.
>
> Am I reading this wrong, or is there a way to do this that I've missed?
The reason for that restriction is that the DCC or DCC greylist server database does not really know the difference between the checksum of an IP address and the checksum of a message body. The server knows only about checksums. That is also why the greylist masking of IP addresses is done by the DCC client with `dccm -G IPmask/xx` or `dccifd -G IPmask/xx`.

To whitelist a class-B or /32 block of IP addresses for the server, dbclean adds 65,536 checksums to the database. You can see this by pointing dbclean at a test database with whitelist or grey_whitelist containing "ok IP 2610:48::/112" and then using `dblist -vvv` to look at the resulting file. Allowing an /8 IPv4 CIDR block of server whitelisting would be painful. A /32 IPv6 block would simply not work; 2^96 is a big number.

In other words, server whitelists are a generally bad idea that sounded good at the time but in the name of compatibility can't be killed.

The solution is to add "ok IP 2610:48::/32" to the client whitelists. This may be more work than adding to the server whitelist, but it does a more complete job of whitelisting. Client-side whitelisted mail is not reported to the DCC server.

It's hard to say which is more error prone. If you forget to add to /var/dcc/whiteclnt on one mail system, some mail won't get whitelisted if it hits that mail system. If you have more than one DCC server and miss one whitelist file, about the same bad thing happens.

Vernon Schryver [email protected]

_______________________________________________
DCC mailing list [email protected]
http://www.rhyolite.com/mailman/listinfo/dcc
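The two whitelisting paths the reply contrasts, modelled as an added example (not DCC's own code): a server whitelist entry has to be expanded by dbclean into one checksum per address, so the block size is capped, while the client-side whitelist (whiteclnt, or the `-G IPmask/xx` masking) is a single prefix comparison. Assumptions: the cap is modelled as 2^16 checksums (the /112 IPv6 limit from the thread, and /16 for IPv4 taken from the class-B remark), and the checksum function is a SHA-256 placeholder, since the thread does not show DCC's real checksum algorithm.

```python
"""Model of server-side vs client-side DCC whitelisting (added example)."""
import hashlib
import ipaddress

# Limit as described in the thread: an 'ok IP' server entry may expand
# to at most 2**16 per-address checksums, i.e. a prefix no shorter than
# /112 for IPv6 (or /16 for IPv4, an assumption from the class-B remark).
MAX_HOST_BITS = 16


def address_checksum(addr):
    """Placeholder for DCC's per-address checksum (assumption, not DCC's)."""
    return hashlib.sha256(str(addr).encode()).hexdigest()[:16]


def server_whitelist_checksums(cidr):
    """Expand an 'ok IP <cidr>' server whitelist entry the way dbclean
    must: the database only stores checksums, so every address in the
    block becomes its own entry. Refuse blocks above the cap."""
    net = ipaddress.ip_network(cidr, strict=False)
    host_bits = net.max_prefixlen - net.prefixlen
    if host_bits > MAX_HOST_BITS:
        raise ValueError("CIDR block length in %s too large (%d checksums)"
                         % (cidr, 2 ** host_bits))
    return [address_checksum(a) for a in net]


def client_whitelisted(cidr, sender_ip):
    """Client-side whitelisting: one prefix comparison, so a /32 (or any
    other size) costs the same as a single address."""
    net = ipaddress.ip_network(cidr, strict=False)
    return ipaddress.ip_address(sender_ip) in net


if __name__ == "__main__":
    # The /112 from the thread: 65,536 checksums land in the database.
    print(len(server_whitelist_checksums("2610:48::/112")))
    # The /32 the original poster tried: rejected, as dbclean does.
    try:
        server_whitelist_checksums("2610:48::/32")
    except ValueError as err:
        print(err)
    # The same /32 on the client side is just a prefix match.
    print(client_whitelisted("2610:48::/32", "2610:48:1234::25"))
```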
