On Nov 14, 2012, at 6:47 PM, Michael Holzt <k...@fqdn.org> wrote:

>> With that in mind, I made the following changes to qpsmtpd-dev and committed
>> them.
>
> While that looks good I would propose something completely different: Throw
> out all the code and replace with this one line:
>
>     return (DECLINED) if ( $connection->relay_client );
>
> We already have the check_relay plugin whose sole purpose is to determine
> if this is a relay_client. There is no point in duplicating that function
> in sender_permitted_from or other plugins.
Really good point. Done.

I had already peeked into the code in the relay plugin and was horrified to
find these lines:

    $ip =~ s/::/:/;
    $ip =~ s/(\d|\w)+(:|\.)?$// or last;   # strip off another octet

Perhaps an illustration will demonstrate why:

    use strict;
    use warnings;
    use Net::IP;

    my $ip = '2001:470:0000::1';

    # expand a compressed IPv6 address to its full 8 x 4 hex digit form
    if ( $ip =~ /::/ ) {
        $ip = Net::IP::ip_expand_address( $ip, 6 );
    }
    print "expanded: $ip\n";

    # the loop from relay::is_octet_match, applied to the expanded address
    while ( $ip ) {
        $ip =~ s/(\d|\w)+(:|\.)?$// or last;   # strip off another octet
        print "$ip\n";
    }

    % perl foo
    expanded: 2001:0470:0000:0000:0000:0000:0000:0001
    2001:0470:0000:0000:0000:0000:0000:
    2001:0470:0000:0000:0000:0000:
    2001:0470:0000:0000:0000:
    2001:0470:0000:0000:
    2001:0470:0000:
    2001:0470:
    2001:

That's how the code in relay::is_octet_match is currently working. It lops
off an entire group of digits, or 16 bits of an IPv6 address. That's not even
close to an IPv4 octet as the comment describes. I amended the relay plugin
with the IPv6 code shown in the prior email, which provides nibble boundary
matching.

> We shall only make the relay_client plugin then be able to handle
> IPv6 entries in the relayclients config. Here I propose to only allow
> CIDR syntax (aabb:ccdd::/xx) and also reimplement the IPv4 checking
> so that it can handle CIDR syntax (a.b.c.d/xx) as well as stuff
> like 'x.y.z' (meaning x.y.z.0/24).

As you already noticed, CIDR syntax matches very reliably for IPv4 and IPv6.
I added IPv6 documentation entries in the relayclients config file as well:

    # IPv6 formats can be compressed or expanded, may include a prefixlen,
    # and can end on any nibble boundary. Nibble boundaries must be expressed
    # in expanded format. (RFC 3849 example)
    2001:0DB8
    2001:DB8::1
    2001:DB8::1/32
    2001:0DB8:0000:0000:0000:0000:0000:0001

https://github.com/qpsmtpd-dev/qpsmtpd-dev/commit/78cab525826cdca4367553b6fb5293e9ff2f04e2

Matt
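An added illustration of the two points in the thread, written here in Python rather than Perl so it runs stand-alone; this is not qpsmtpd's relay plugin or any code from the commit above. `strip_group` mirrors the regex quoted from relay.pm to show that it walks an IPv6 address in 16-bit groups (only 7 candidate prefixes), while `nibble_prefixes` walks it in 4-bit steps (32 candidates). `is_relay_client` is a hypothetical matcher for the relayclients entry formats documented in the message (expanded nibble prefix, compressed full address, CIDR, and, going slightly beyond the IPv6 discussion, the IPv4 `a.b.c.d/xx` and `x.y.z` forms Michael proposed); its name, the sample address and the sample entries are constructed for this example.

```python
import ipaddress
import re

# Constructed sample input: the address used in the message, in compressed form.
SAMPLE_ADDR = "2001:470:0000::1"


def expand_ipv6(addr):
    """Fully expanded 8 x 4 hex digit form, like Net::IP::ip_expand_address($ip, 6)."""
    return ipaddress.IPv6Address(addr).exploded


def strip_group(ip):
    """Mirror of the regex quoted from relay.pm: s/(\\d|\\w)+(:|\\.)?$//
    On an IPv6 address it removes a whole 16-bit group, not an 'octet'."""
    return re.sub(r"\w+[:.]?$", "", ip)


def group_prefixes(expanded):
    """Every prefix the old loop tries for an expanded IPv6 address (7 of them)."""
    prefixes = []
    ip = expanded
    while ip:
        ip = strip_group(ip)
        if ip:
            prefixes.append(ip)
    return prefixes


def nibble_prefixes(expanded):
    """Every prefix at a 4-bit (nibble) boundary, longest first: 32 for a full address.
    Trailing ':' separators are dropped so each entry is a bare nibble-boundary prefix."""
    prefixes = []
    ip = expanded.lower()
    while ip:
        prefixes.append(ip)
        ip = ip[:-1].rstrip(":")
    return prefixes


def is_relay_client(addr, entries):
    """Hypothetical relayclients matcher (not relay.pm's implementation).
    Entry formats follow the config documentation quoted in the message:
      - CIDR, v4 or v6 (2001:DB8::1/32, 192.0.2.0/24)
      - IPv6 nibble-boundary prefix, which must be in expanded form (2001:0DB8)
      - compressed IPv6, treated as one full address (2001:DB8::1)
      - exact IPv4 address, or a dotted prefix 'x.y.z' meaning x.y.z.0/24
    """
    ip = ipaddress.ip_address(addr)
    for entry in entries:
        entry = entry.strip()
        if "/" in entry:
            # strict=False tolerates host bits in the entry (2001:DB8::1/32);
            # 'in' is False when the entry and the address differ in IP version
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        elif ip.version == 6 and ":" in entry:
            if "::" in entry:
                # compressed form is a complete address per the config docs: expand it
                entry = ipaddress.IPv6Address(entry).exploded
            # a nibble prefix written in expanded form is a string prefix of the
            # expanded address; a compressed prefix like 2001:DB8 deliberately fails
            if ip.exploded.startswith(entry.lower()):
                return True
        elif ip.version == 4 and ":" not in entry:
            # the trailing '.' keeps '10.1.2' from matching 10.1.20.x
            if str(ip) == entry or str(ip).startswith(entry.rstrip(".") + "."):
                return True
    return False


if __name__ == "__main__":
    exp = expand_ipv6(SAMPLE_ADDR)
    print("expanded:", exp)
    print("16-bit group stripping tries", len(group_prefixes(exp)), "prefixes")
    print("nibble stripping tries", len(nibble_prefixes(exp)), "prefixes")
    for entry in ["2001:0DB8", "2001:DB8::1/32", "2001:DB8", "10.1.2"]:
        print(f"{entry:>16} matches 2001:db8::1 ->", is_relay_client("2001:db8::1", [entry]))
```

Two details worth noting when reading the matcher: the documented rule that nibble boundaries must be written in expanded form is exactly what makes a plain string-prefix comparison safe (`2001:0DB` is the /28 `2001:0db0::/28`, and it can only ever match expanded text), and the IPv4 branch appends a dot before comparing so that a `x.y.z` entry covers `x.y.z.0/24` and nothing wider.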