subject:"serious bug with check_client

Re: serious bug with check_client_access

2010-11-06 Thread mouss


Le 05/11/2010 10:03, Vincent Lefevre a écrit :



[hash/cdb/...]

- if parent_domain_matches_subdomains contains smtpd_access: here, the
search list is
 S = ( lab1.lab2.lab3.example.com, lab2.lab3.example.com,
lab3.example.com ..., com, 1.2.3.4, 1.2.3, 1.2, 1 )
so postfix will search for each element of this set and stops as soon as a
match is found.

Testing the tld alone seems to be excluded by the access(5) man page,
which only documents domain.tld, i.e. the pattern must contain
at least one dot.


No dot required. so com is not excluded from the search list.
otherwise, hash/cdb and the like can't be used to block mail from 
*...@*.invalid for example.



  Is it an error in the man page (which could say
domain instead, like in Section Email address extension) or is
it intentional?


yes, it should be domain instead of domain.tld. you can submit a 
documentation patch;-p

Re: serious bug with check_client_access

2010-11-06 Thread mouss


Le 05/11/2010 09:48, Vincent Lefevre a écrit :

On 2010-11-04 23:36:04 -0300, Reinaldo de Carvalho wrote:

On Thu, Nov 4, 2010 at 11:13 PM, Vincent Lefevrevinc...@vinc17.net  wrote:

Yes, it will generate *some* lookups, but it doesn't say exactly
*which* lookups. That was precisely my question.

- client hostname (reverse dns hostname)
- client IP address.

OK, and mous said in that order (but maybe that's just the current
implementation, and the user shouldn't rely on the order for the
future).



Given all the compatibility efforts invested in postfix (thanks to 
Wietse and others), I doubt this will change.


That said, I believe it's better not to rely on, be it just for clarity. 
having things like


example.comrestriction_class_1
192.0.2  restriction_class_2

(with different restriction classes or results) in the same map is a 
call for trouble!


also, for IP addresses, better use cidr (I mean the map type, not a 
bottle from Normandy;-p).

Re: serious bug with check_client_access

2010-11-05 Thread Vincent Lefevre

On 2010-11-04 23:36:04 -0300, Reinaldo de Carvalho wrote:
 On Thu, Nov 4, 2010 at 11:13 PM, Vincent Lefevre vinc...@vinc17.net wrote:
  Yes, it will generate *some* lookups, but it doesn't say exactly
  *which* lookups. That was precisely my question.
 
 - client hostname (reverse dns hostname)
 - client IP address.

OK, and mous said in that order (but maybe that's just the current
implementation, and the user shouldn't rely on the order for the
future).

 if smtpd_access_maps in parent_domain_matches_subdomains.
 - compare client hostname without the first part at left by dot
 - compare client hostname without the first and the second part at
 left by dot (and recursively at the TDL)

but not with a regular expression table.

-- 
Vincent Lefèvre vinc...@vinc17.net - Web: http://www.vinc17.net/
100% accessible validated (X)HTML - Blog: http://www.vinc17.net/blog/
Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)

Re: serious bug with check_client_access

2010-11-05 Thread Vincent Lefevre

On 2010-11-05 06:21:20 +0100, mouss wrote:
 in short, for each map, you have multiple parameters:
 - the map type
 - the search context (check_client_access, check_sender_acces, ...
 transport, virtual_alias_maps, ... etc)
 - the list of search keys
[...]

Thanks a lot for this very detailed answer. This was exactly the kind
of description I was looking for. I have only one comment:

 [hash/cdb/...]
 
 - if parent_domain_matches_subdomains contains smtpd_access: here, the
 search list is
 S = ( lab1.lab2.lab3.example.com, lab2.lab3.example.com,
 lab3.example.com ..., com, 1.2.3.4, 1.2.3, 1.2, 1 )
 so postfix will search for each element of this set and stops as soon as a
 match is found.

Testing the tld alone seems to be excluded by the access(5) man page,
which only documents domain.tld, i.e. the pattern must contain
at least one dot. Is it an error in the man page (which could say
domain instead, like in Section Email address extension) or is
it intentional?

-- 
Vincent Lefèvre vinc...@vinc17.net - Web: http://www.vinc17.net/
100% accessible validated (X)HTML - Blog: http://www.vinc17.net/blog/
Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)

Re: serious bug with check_client_access

2010-11-05 Thread Stan Hoeppner

Vincent Lefevre put forth on 11/5/2010 4:03 AM:

 Testing the tld alone seems to be excluded by the access(5) man page,
 which only documents domain.tld, i.e. the pattern must contain
 at least one dot. Is it an error in the man page (which could say
 domain instead, like in Section Email address extension) or is
 it intentional?

If you want to block rDNS TLDs this PCRE works with check_client_access:

/^.*?(info|kr|jp|sg|qa)$/i 550 We do not accept mail from .$1 domains

You could also use this for check_sender_access, check_helo_access,
etc--it should work with any check that passes a string with .tld in it.

-- 
Stan

Re: serious bug with check_client_access

2010-11-04 Thread Покотиленко Костик

В Срд, 03/11/2010 в 22:16 -0500, Noel Jones пишет:
 On 11/3/2010 10:00 PM, Vincent Lefevre wrote:
  On 2010-11-03 21:40:54 -0500, Noel Jones wrote:
  .domain.tld only works if parent_domain_matches_subdomains does NOT
  include smtpd_access maps.
 
  The man page says nothing like that. So, the documentation should be
  fixed.
 
 
 The vast majority of readers seem to interpret that section as 
 intended.  You're welcome to post a documentation patch in a 
 new thread, but I don't think the behavior or its 
 documentation has changed in ~10 years, so don't hold your breath.

Vast majority even believe in strange things...

Actually I read that section exactly like Vincent Lefevre.

I'll comment:

 The access(5) man page says:

   domain.tld
Matches domain.tld.

The  pattern  domain.tld also matches subdomains, but only
when the string smtpd_access_maps is listed in the Postfix
parent_domain_matches_subdomains   configuration  setting.
Otherwise, specify .domain.tld (note the initial  dot)  in
order to match subdomains.

I read Otherwise as If you don't like to depend on the value of
parent_domain_matches_subdomains

specify .domain.tld (note the initial  dot) in order to match
subdomains means exactly that using .domain.tld form WILL match
subdomains with no other condition.

Also regarding to what you are telling there is no difference in those
two sentences, and it's completelly unclear in what those two notation
forms differ and why author has written one idea in two sentences.

Check your English ;)

 And next time behavior doesn't match your expectations, you 
 might get more sympathy if your message starts with please 
 clarify this for me rather than serious bug.

If behavior doesn't match your expectations and also doesn't match docs
it's a bug, either in soft or in docs.

-- 
Покотиленко Костик cas...@meteor.dp.ua

Re: serious bug with check_client_access

2010-11-04 Thread Emmanuel Fusté


Le 04/11/2010 05:24, Noel Jones a écrit :

On 11/3/2010 11:07 PM, Vincent Lefevre wrote:

BTW, so, there is no way to match only subdomains (by that, I mean
all possible subdomains, but not the domain itself) without changing
parent_domain_matches_subdomains?


That's correct with indexed tables.  With regexp or pcre tables there
is no automatic subdomain search; you control the scope of the search
with your expression.

To answer your other question, when parent_domain_matches_subdomains
includes smtpd_access_maps (the default), the form .domain.tld is
never searched for. As a result, the entry is silently ignored.

  -- Noel Jones

Good to know, that is not what I expected too.
Hopefully, I generaly clear parent_domain_matches_subdomains in my 
configurations.


Emmanuel.

Re: serious bug with check_client_access

2010-11-04 Thread lst_hoe02


Zitat von Покотиленко Костик cas...@meteor.dp.ua:


В Срд, 03/11/2010 в 22:16 -0500, Noel Jones пишет:

On 11/3/2010 10:00 PM, Vincent Lefevre wrote:
 On 2010-11-03 21:40:54 -0500, Noel Jones wrote:
 .domain.tld only works if parent_domain_matches_subdomains does NOT
 include smtpd_access maps.

 The man page says nothing like that. So, the documentation should be
 fixed.


The vast majority of readers seem to interpret that section as
intended.  You're welcome to post a documentation patch in a
new thread, but I don't think the behavior or its
documentation has changed in ~10 years, so don't hold your breath.


Vast majority even believe in strange things...

Actually I read that section exactly like Vincent Lefevre.

I'll comment:


The access(5) man page says:

  domain.tld
   Matches domain.tld.

   The  pattern  domain.tld also matches subdomains, but only
   when the string smtpd_access_maps is listed in the Postfix
   parent_domain_matches_subdomains   configuration  setting.
   Otherwise, specify .domain.tld (note the initial  dot)  in
   order to match subdomains.


I read Otherwise as If you don't like to depend on the value of
parent_domain_matches_subdomains


Otherwise is clearly related to the last part of the previous  
statement. If it is unclear, ask for clarification. Crying loud  
serious bug because your language interpretation is different from  
others is not helpful at all.


Regards

Andreas




smime.p7s
Description: S/MIME Cryptographic Signature

Re: serious bug with check_client_access

2010-11-04 Thread Покотиленко Костик

В Чтв, 04/11/2010 в 10:44 +0100, lst_ho...@kwsoft.de пишет:
 Zitat von Покотиленко Костик cas...@meteor.dp.ua:
 
  В Срд, 03/11/2010 в 22:16 -0500, Noel Jones пишет:
  On 11/3/2010 10:00 PM, Vincent Lefevre wrote:
   On 2010-11-03 21:40:54 -0500, Noel Jones wrote:
   .domain.tld only works if parent_domain_matches_subdomains does NOT
   include smtpd_access maps.
  
   The man page says nothing like that. So, the documentation should be
   fixed.
  
 
  The vast majority of readers seem to interpret that section as
  intended.  You're welcome to post a documentation patch in a
  new thread, but I don't think the behavior or its
  documentation has changed in ~10 years, so don't hold your breath.
 
  Vast majority even believe in strange things...
 
  Actually I read that section exactly like Vincent Lefevre.
 
  I'll comment:
 
  The access(5) man page says:
 
domain.tld
 Matches domain.tld.
 
 The  pattern  domain.tld also matches subdomains, but only
 when the string smtpd_access_maps is listed in the Postfix
 parent_domain_matches_subdomains   configuration  setting.
 Otherwise, specify .domain.tld (note the initial  dot)  in
 order to match subdomains.
 
  I read Otherwise as If you don't like to depend on the value of
  parent_domain_matches_subdomains
 
 Otherwise is clearly related to the last part of the previous  
 statement. If it is unclear, ask for clarification.

Actually it's not clear to what condition the Otherwise is a conter
part. So it's being decided by a reader's logic wich differs sometimes.

I'm myself understood the actual meaning only after clarification on
this list. And, pleople would ask for clarification only if they can't
understand what is being ment, and not in case they think they
unsterstand.

Also, it's completelly unstated that .domain.tld notation doesn't work
if smtpd_access_maps is listed in parent_domain_matches_subdomains.

  Crying loud  
 serious bug because your language interpretation is different from  
 others is not helpful at all.

List subscriber classified this situation as a serious bug from it's
point of view, and I think this is correct. If you don't agree, just
reclassify it.

BTW, clear docs save much time for both, the user, the list.

So, I suggest rewritiing this paragraph as following:

The  pattern  domain.tld also matches subdomains, but only
when the string smtpd_access_maps is listed in the Postfix
parent_domain_matches_subdomains   configuration  setting.
The  pattern .domain.tld (note the initial  dot) matches
only subdomains and only when the string
smtpd_access_maps is NOT listed in the Postfix
parent_domain_matches_subdomains configuration setting,
otherwise it's ignored.

Is this correct?

-- 
Покотиленко Костик cas...@meteor.dp.ua

Re: serious bug with check_client_access

2010-11-04 Thread Vincent Lefevre

On 2010-11-04 10:44:34 +0100, lst_ho...@kwsoft.de wrote:
 The access(5) man page says:
 
   domain.tld
Matches domain.tld.
 
The  pattern  domain.tld also matches subdomains, but only
when the string smtpd_access_maps is listed in the Postfix
parent_domain_matches_subdomains   configuration  setting.
Otherwise, specify .domain.tld (note the initial  dot)  in
order to match subdomains.
 
 I read Otherwise as If you don't like to depend on the value of
 parent_domain_matches_subdomains
 
 Otherwise is clearly related to the last part of the previous statement.

Yes, but it adds information in the case where smtpd_access_maps IS NOT
listed in the Postfix parent_domain_matches_subdomains configuration
setting.

The problem occurs when smtpd_access_maps IS listed in the Postfix
parent_domain_matches_subdomains configuration setting. What the
man page says in THIS case is: The pattern domain.tld also matches
subdomains where the pattern domain.tld can be .twitter.com for
instance.

I don't think there is anything wrong with my reasoning.

 If it is unclear, ask for clarification. Crying loud serious bug
 because your language interpretation is different from others is not
 helpful at all.

As for me, the documentation was clear and didn't match the observed
behavior. So, I couldn't say that it was unclear.

-- 
Vincent Lefèvre vinc...@vinc17.net - Web: http://www.vinc17.net/
100% accessible validated (X)HTML - Blog: http://www.vinc17.net/blog/
Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)

Documentation (was: serious bug with check_client_access)

2010-11-04 Thread Wietse Venema

Vincent Lefevre:
 On 2010-11-04 10:44:34 +0100, lst_ho...@kwsoft.de wrote:
  The access(5) man page says:
  
domain.tld
 Matches domain.tld.
  
 The  pattern  domain.tld also matches subdomains, but only
 when the string smtpd_access_maps is listed in the Postfix
 parent_domain_matches_subdomains   configuration  setting.
 Otherwise, specify .domain.tld (note the initial  dot)  in
 order to match subdomains.

I can replace that Otherwise... sentence by a separate list item.

   domain.tld
  Matches domain.tld.

  The pattern domain.tld also matches subdomains, but only
  when the string smtpd_access_maps is listed in the Postfix
  parent_domain_matches_subdomains configuration setting.

   .domain.tld
  Matches subdomains of domain.tld, but only when the
  string smtpd_access_maps is not listed in the Postfix
  parent_domain_matches_subdomains configuration setting.

We can afford the space used by the extra bits.

Wietse

Re: Documentation (was: serious bug with check_client_access)

2010-11-04 Thread /dev/rob0

On Thu, Nov 04, 2010 at 10:56:57AM -0400, Wietse Venema wrote:
 Vincent Lefevre:
  On 2010-11-04 10:44:34 +0100, lst_ho...@kwsoft.de wrote:
   The access(5) man page says:
   
 domain.tld
  Matches domain.tld.
   
  The  pattern  domain.tld also matches subdomains, but only
  when the string smtpd_access_maps is listed in the Postfix
  parent_domain_matches_subdomains   configuration  setting.
  Otherwise, specify .domain.tld (note the initial  dot)  in
  order to match subdomains.
 
 I can replace that Otherwise... sentence by a separate list item.
 
domain.tld
   Matches domain.tld.
 
 The pattern domain.tld also matches subdomains, but only
 when the string smtpd_access_maps is listed in the Postfix
 parent_domain_matches_subdomains configuration setting.
 
.domain.tld
 Matches subdomains of domain.tld, but only when the
 string smtpd_access_maps is not listed in the Postfix
 parent_domain_matches_subdomains configuration setting.

I like this. I think it's clearer. I, too, once misinterpreted this 
passage, and whilst it might not qualify as a postfix-users FAQ, it 
does come up regularly here.

Perhaps some more flesh could be added here as well:

parent_domain_matches_subdomains (default: see postconf -d output)
   What  Postfix  features match subdomains of domain.tld 
   automatically, instead of requiring an explicit .domain.tld 
   pattern.  This is planned backwards compatibility:  
   eventually, all Postfix features are expected to require 
   explicit .domain.tld style patterns when you really want to
   match subdomains.

Such as:

   Possible strings include debug_peer_list, fast_flush_domains, 
   mynetworks, permit_mx_backup_networks, qmqpd_authorized_clients,
   relay_domains, and smtpd_access_maps.

   Note: the leading dot .domain.tld pattern is ignored for
   features which are listed in parent_domain_matches_subdomains.


The string list is taken from my own postconf -d, are there others 
which might be used in some cases? I guess all of those except 
smtpd_access_maps would be hyperlinked; and maybe that could link to 
access.5.html.
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header

Re: Documentation (was: serious bug with check_client_access)

2010-11-04 Thread Vincent Lefevre

On 2010-11-04 10:28:00 -0500, /dev/rob0 wrote:
 On Thu, Nov 04, 2010 at 10:56:57AM -0400, Wietse Venema wrote:
  I can replace that Otherwise... sentence by a separate list item.
  
 domain.tld
Matches domain.tld.
  
The pattern domain.tld also matches subdomains, but only
when the string smtpd_access_maps is listed in the Postfix
parent_domain_matches_subdomains configuration setting.
  
 .domain.tld
Matches subdomains of domain.tld, but only when the
string smtpd_access_maps is not listed in the Postfix
parent_domain_matches_subdomains configuration setting.
 
 I like this. I think it's clearer. I, too, once misinterpreted this 
 passage, and whilst it might not qualify as a postfix-users FAQ, it 
 does come up regularly here.

I still think that it's a bit ambiguous, because I was seeing
.domain.tld as a subcase of domain.tld (domain being a
sequence of allowed characters including dots). Correct me if
I'm wrong (I haven't tested and don't know what postfix does
internally), but would changing the beginning by

domain.tld
   Matches domain.tld, where domain may contain dots, but
   must not start with a dot.

be what is really intended?

-- 
Vincent Lefèvre vinc...@vinc17.net - Web: http://www.vinc17.net/
100% accessible validated (X)HTML - Blog: http://www.vinc17.net/blog/
Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)

Re: serious bug with check_client_access

2010-11-04 Thread mouss


Le 04/11/2010 05:07, Vincent Lefevre a écrit :

On 2010-11-03 22:55:59 -0500, Noel Jones wrote:

I'm so sorry you lost your twitter post.

Actually I might have lost other mail (though this is a bit unlikely)
since I was generally using an initial dot.


a good idea is to include both dotted and undotted entries:
example.comOK
.example.comOK
unless you have a reason not to do so.

if you search the archives for posts I've sent, you'll see that I always 
include both.


also, parent_domain_... is deprecated. See
http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains

The recommendation is to empty it and use dots explicitely. here:
# postconf parent_domain_matches_subdomains
parent_domain_matches_subdomains =



The access map format you're looking for is
twitter.com  OK

Thanks for the information. I've corrected the whole access file.

BTW, so, there is no way to match only subdomains (by that, I mean
all possible subdomains, but not the domain itself) without changing
parent_domain_matches_subdomains?



see above: it is recommended not to rely on parent_domain_...

otherwise, you can do whatever you want with pcre:
/\.example\.com$/OK
or with sql or ldap.



I don't currently need such a feature, but I'm asking just in case...

THREAD KILLED: Documentation (was: serious bug with check_client_access)

2010-11-04 Thread Victor Duchovni

On Thu, Nov 04, 2010 at 05:02:25PM +0100, Vincent Lefevre wrote:

 I still think that it's a bit ambiguous, because I was seeing
 .domain.tld as a subcase of domain.tld

This objection is spurious, and constitutes trolling. Please do not feed
the trolls.

For the record, elementary logic:

If there are two cases:

domain.tld

and

.domain.tld

and the documentation is not deliberately obfuscated, then the two
cases are distinct. This is clear enough.

The current informal style is more readable. There is no need for
a BNF grammar.

However, there is no point in continuing this thread. The OP has consumed
all the bandwidth he deserves and more.

-- 
Viktor.

Re: serious bug with check_client_access

2010-11-04 Thread Vincent Lefevre

On 2010-11-04 17:18:17 +0100, mouss wrote:
 otherwise, you can do whatever you want with pcre:
 /\.example\.com$/OK
 or with sql or ldap.

For pcre, the man page is not clear. It says:

  Each  pattern  is  a  regular  expression that is applied to the entire
  string being looked up. Depending on the application, that string is an
  entire  client hostname, an entire client IP address, or an entire mail
  address.

But where is it described whether the string is an entire client
hostname, an entire client IP address, or an entire mail address?

According to your example, the string is an entire client hostname.
But then, this means that one cannot match IP addresses.

-- 
Vincent Lefèvre vinc...@vinc17.net - Web: http://www.vinc17.net/
100% accessible validated (X)HTML - Blog: http://www.vinc17.net/blog/
Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)

Re: serious bug with check_client_access

2010-11-04 Thread Stan Hoeppner

Vincent Lefevre put forth on 11/4/2010 6:04 PM:
 On 2010-11-04 17:18:17 +0100, mouss wrote:
 otherwise, you can do whatever you want with pcre:
 /\.example\.com$/OK
 or with sql or ldap.
 
 For pcre, the man page is not clear. It says:
 
   Each  pattern  is  a  regular  expression that is applied to the entire
   string being looked up. Depending on the application, that string is an
   entire  client hostname, an entire client IP address, or an entire mail
   address.
 
 But where is it described whether the string is an entire client
 hostname, an entire client IP address, or an entire mail address?

check_client_access pcre:/etc/postfix/filter.pcre
check_sender_access pcre:/etc/postfix/filter.pcre
check_recipient_access  pcre:/etc/postfix/filter.pcre

As you can see, this is defined by the smtpd_foo_restriction you target
the PCRE table with.  What is checked against the table is dependent on
the restriction used.  Read the documentation for each check_*_access
restriction above at:  http://www.postfix.org/postconf.5.html

-- 
Stan

Re: serious bug with check_client_access

2010-11-04 Thread Vincent Lefevre

On 2010-11-04 19:06:57 -0500, Stan Hoeppner wrote:
 check_client_access   pcre:/etc/postfix/filter.pcre
 check_sender_access   pcre:/etc/postfix/filter.pcre
 check_recipient_accesspcre:/etc/postfix/filter.pcre
 
 As you can see, this is defined by the smtpd_foo_restriction you target
 the PCRE table with.  What is checked against the table is dependent on
 the restriction used.  Read the documentation for each check_*_access
 restriction above at:  http://www.postfix.org/postconf.5.html

On this page, it is said:

  check_client_access type:table
Search the specified access database for the client hostname,
 ^^^
parent domains, client IP address, or networks obtained by
^
stripping least significant octets. See the access(5) manual page
for details.

And in the access(5) manual page:

 Depending on the application, that string is an entire client
 hostname, an entire client IP address, or an entire mail address.

So, which string is checked when a pcre table is used with
check_client_access? The client hostname or the client IP address?

-- 
Vincent Lefèvre vinc...@vinc17.net - Web: http://www.vinc17.net/
100% accessible validated (X)HTML - Blog: http://www.vinc17.net/blog/
Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)

Re: serious bug with check_client_access

2010-11-04 Thread Wietse Venema

Vincent Lefevre:
 On 2010-11-04 19:06:57 -0500, Stan Hoeppner wrote:
  check_client_access pcre:/etc/postfix/filter.pcre
  check_sender_access pcre:/etc/postfix/filter.pcre
  check_recipient_access  pcre:/etc/postfix/filter.pcre
  
  As you can see, this is defined by the smtpd_foo_restriction you target
  the PCRE table with.  What is checked against the table is dependent on
  the restriction used.  Read the documentation for each check_*_access
  restriction above at:  http://www.postfix.org/postconf.5.html
 
 On this page, it is said:
 
   check_client_access type:table
 Search the specified access database for the client hostname,
  ^^^
 parent domains, client IP address, or networks obtained by
 ^
 stripping least significant octets. See the access(5) manual page
 for details.
 
 And in the access(5) manual page:
 
  Depending on the application, that string is an entire client
  hostname, an entire client IP address, or an entire mail address.
 
 So, which string is checked when a pcre table is used with
 check_client_access? The client hostname or the client IP address?

check_client_access searches the address and domain with ALL lookup
table types. It just doesn't do the substring lookups with PCRE,
REGEXP and CIDR.

Wietse

Re: serious bug with check_client_access

2010-11-04 Thread Jeroen Geilman


On 11/05/2010 01:26 AM, Vincent Lefevre wrote:

On 2010-11-04 19:06:57 -0500, Stan Hoeppner wrote:
   

check_client_access pcre:/etc/postfix/filter.pcre
check_sender_access pcre:/etc/postfix/filter.pcre
check_recipient_access  pcre:/etc/postfix/filter.pcre

As you can see, this is defined by the smtpd_foo_restriction you target
the PCRE table with.  What is checked against the table is dependent on
the restriction used.  Read the documentation for each check_*_access
restriction above at:  http://www.postfix.org/postconf.5.html
 

On this page, it is said:

   check_client_access type:table
 Search the specified access database for the client hostname,
  ^^^
 parent domains, client IP address, or networks obtained by
 ^
 stripping least significant octets. See the access(5) manual page
 for details.

And in the access(5) manual page:

  Depending on the application, that string is an entire client
  hostname, an entire client IP address, or an entire mail address.

So, which string is checked when a pcre table is used with
check_client_access? The client hostname or the client IP address?
   


*REGULAR EXPRESSION TABLES*
   This section describes how the table lookups  change  when
   the table is given in the form of regular expressions. For
   a description of regular expression lookup  table  syntax,
   see*regexp_table*(5)  http://www.postfix.org/regexp_table.5.html  
or*pcre_table*(5)  http://www.postfix.org/pcre_table.5.html.

   Each  pattern  is  a regular expression that is applied to
   the entire string being looked up. Depending on the appli-
   cation,  that  string  is  an  entire  client hostname, an
   entire client IP address, or an entire mail address. Thus,
   no  parent  domain  or  parent  network  search  is  done,
   /u...@domain/  mail addresses are not broken  up  into  their
   /user@/  and/domain/  constituent parts, nor is/user+foo/  broken
   up into/user/  and/foo/.

   Patterns are applied in the order as specified in the  ta-
   ble,  until  a  pattern  is  found that matches the search
   string.

   Actions are the same as with indexed  file  lookups,  with
   the  additional feature that parenthesized substrings from
   the pattern can be interpolated as*$1*,*$2*  and so on.


I copied the entire section detailing PCRE access matches for you, since 
you seem unable to find it.


How many domain names look like IP addresses to you ?

If check_client_access matches against both IPs and hostnames, then your 
regex table will match against both IPs and hostnames.


Also read http://www.postfix.org/pcre_table.5.html for more detail on 
PCRE maps.


--
J.

Re: serious bug with check_client_access

2010-11-04 Thread Vincent Lefevre

On 2010-11-04 20:33:11 -0400, Wietse Venema wrote:
 check_client_access searches the address and domain with ALL lookup
 table types. It just doesn't do the substring lookups with PCRE,
 REGEXP and CIDR.

If I understand correctly, there's another difference: in the default
table format, the string to be checked depends on the pattern form
(e.g. hostname for domain.tld, IP address for net.work.addr.ess), but
for pcre, both strings are checked against all patterns?

So, with pcre, if I want to check whether the IP address starts with
1.2.3, I need something like:

  /^1\.2\.3\.[0-9]+$/

because /^1\.2\.3\./ could also match hostnames (I've noticed in my
mail archives that hostnames of this form occur in practice).

-- 
Vincent Lefèvre vinc...@vinc17.net - Web: http://www.vinc17.net/
100% accessible validated (X)HTML - Blog: http://www.vinc17.net/blog/
Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)

Re: serious bug with check_client_access

2010-11-04 Thread Vincent Lefevre

On 2010-11-05 01:38:37 +0100, Jeroen Geilman wrote:
 *REGULAR EXPRESSION TABLES*
This section describes how the table lookups  change  when
the table is given in the form of regular expressions. For
a description of regular expression lookup  table  syntax,
see*regexp_table*(5)  http://www.postfix.org/regexp_table.5.html  
 or*pcre_table*(5)  http://www.postfix.org/pcre_table.5.html.
 
Each  pattern  is  a regular expression that is applied to
the entire string being looked up. Depending on the appli-
cation,  that  string  is  an  entire  client hostname, an
entire client IP address, or an entire mail address. Thus,
no  parent  domain  or  parent  network  search  is  done,
/u...@domain/  mail addresses are not broken  up  into  their
/user@/  and/domain/  constituent parts, nor is/user+foo/  broken
up into/user/  and/foo/.
 
Patterns are applied in the order as specified in the  ta-
ble,  until  a  pattern  is  found that matches the search
string.
 
Actions are the same as with indexed  file  lookups,  with
the  additional feature that parenthesized substrings from
the pattern can be interpolated as*$1*,*$2*  and so on.
 
 
 I copied the entire section detailing PCRE access matches for you,
 since you seem unable to find it.

Useless answer. If you had read my message, you would have seen that
I quoted from it.

 How many domain names look like IP addresses to you ?
 
 If check_client_access matches against both IPs and hostnames, then your
 regex table will match against both IPs and hostnames.

This is not what the documentation says:

  Depending on the application, that string is an entire client
  hostname, an entire client IP address, or an entire mail address.
 ^^

It is said or, and or doesn't mean both. Quite the opposite.

-- 
Vincent Lefèvre vinc...@vinc17.net - Web: http://www.vinc17.net/
100% accessible validated (X)HTML - Blog: http://www.vinc17.net/blog/
Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)

Re: serious bug with check_client_access

2010-11-04 Thread Jeroen Geilman


On 11/05/2010 01:57 AM, Vincent Lefevre wrote:

On 2010-11-05 01:38:37 +0100, Jeroen Geilman wrote:
   

*REGULAR EXPRESSION TABLES*
This section describes how the table lookups  change  when
the table is given in the form of regular expressions. For
a description of regular expression lookup  table  syntax,
see*regexp_table*(5)http://www.postfix.org/regexp_table.5.html   
or*pcre_table*(5)http://www.postfix.org/pcre_table.5.html.

Each  pattern  is  a regular expression that is applied to
the entire string being looked up. Depending on the appli-
cation,  that  string  is  an  entire  client hostname, an
entire client IP address, or an entire mail address. Thus,
no  parent  domain  or  parent  network  search  is  done,
/u...@domain/  mail addresses are not broken  up  into  their
/user@/  and/domain/  constituent parts, nor is/user+foo/  broken
up into/user/  and/foo/.

Patterns are applied in the order as specified in the  ta-
ble,  until  a  pattern  is  found that matches the search
string.

Actions are the same as with indexed  file  lookups,  with
the  additional feature that parenthesized substrings from
the pattern can be interpolated as*$1*,*$2*  and so on.


I copied the entire section detailing PCRE access matches for you,
since you seem unable to find it.
 

Useless answer. If you had read my message, you would have seen that
I quoted from it.
   


And yet you didn't understand what it says.
It bears repeating.


How many domain names look like IP addresses to you ?

If check_client_access matches against both IPs and hostnames, then your
regex table will match against both IPs and hostnames.
 

This is not what the documentation says:

   Depending on the application, that string is an entire client
   hostname, an entire client IP address, or an entire mail address.
  ^^

It is said or, and or doesn't mean both. Quite the opposite.
   



If you combine

Each  pattern  is  a regular expression that is applied to the entire string 
being looked up.


with
*
check_client_access /type:table 
http://www.postfix.org/DATABASE_README.html/*

   Search the specified access database for the client hostname, parent
   domains, client IP address, or networks obtained by stripping least
   significant octets. See the access(5)
   http://www.postfix.org/access.5.html manual page for details.

the result is as explained.

Nowhere in the entire documentation is it mentioned that a regex table 
will ONLY match a domain OR an IP address.


If it's not in the manual, then it's not supported.

--
J.

Re: serious bug with check_client_access

2010-11-04 Thread Vincent Lefevre

On 2010-11-05 02:29:53 +0100, Jeroen Geilman wrote:
 If you combine
 
 Each  pattern  is  a regular expression that is applied to the entire string 
 being looked up.
 
 
 with
 *
 check_client_access /type:table
 http://www.postfix.org/DATABASE_README.html/*
Search the specified access database for the client hostname, parent
domains, client IP address, or networks obtained by stripping least
 ^^
significant octets. See the access(5)
http://www.postfix.org/access.5.html manual page for details.
 
 the result is as explained.

It is said or, not and.

 Nowhere in the entire documentation is it mentioned that a regex table will
 ONLY match a domain OR an IP address.

Read again what you quoted above.

-- 
Vincent Lefèvre vinc...@vinc17.net - Web: http://www.vinc17.net/
100% accessible validated (X)HTML - Blog: http://www.vinc17.net/blog/
Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)

Re: serious bug with check_client_access

2010-11-04 Thread Reinaldo de Carvalho

On Thu, Nov 4, 2010 at 10:42 PM, Reinaldo de Carvalho
reinal...@gmail.com wrote:

 check_client_access type:table
    Search the specified access database for the client hostname,
 parent domains, client IP address, or networks obtained by stripping
 least significant octets. See the access(5) manual page for details.

 This means that not import the table type, each check_client_access
 entry in restriction, will generate some lookups.


This means that not matter the table type.

 I'll change my tombstone words for you: While not fully understand a
 documentation, don't try to adapt this documentation to the way you
 work, but rather yourself to the way the documentation works.


-- 
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net

While not fully understand a software, don't try to adapt this
software to the way you work, but rather yourself to the way the
software works (myself)

Re: serious bug with check_client_access

2010-11-04 Thread Stan Hoeppner

Vincent Lefevre put forth on 11/4/2010 7:49 PM:
 On 2010-11-04 20:33:11 -0400, Wietse Venema wrote:
 check_client_access searches the address and domain with ALL lookup
 table types. It just doesn't do the substring lookups with PCRE,
 REGEXP and CIDR.
 
 If I understand correctly, there's another difference: in the default
 table format, the string to be checked depends on the pattern form
 (e.g. hostname for domain.tld, IP address for net.work.addr.ess), but
 for pcre, both strings are checked against all patterns?
 
 So, with pcre, if I want to check whether the IP address starts with
 1.2.3, I need something like:
 
   /^1\.2\.3\.[0-9]+$/
 
 because /^1\.2\.3\./ could also match hostnames (I've noticed in my
 mail archives that hostnames of this form occur in practice).

This is why you need to use fully qualified patterns when matching
forward/reverse hostnames.  For example:

/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.dyn\.isp\.net$/ REJECT

In practice, most ISPs don't have a /8 worth of dynamically assigned
addresses, usually a /16 or less.  So for a specific ISP dynamic range
it would look my like this:

/^201\.33\.[0-9]{1,3}\.[0-9]{1,3}\.dyn\.isp\.net$/ REJECT

That will match a /16 of rDNS patterns only at the ISP isp.net

-- 
Stan

Re: serious bug with check_client_access

2010-11-04 Thread Vincent Lefevre

On 2010-11-04 23:06:17 -0300, Reinaldo de Carvalho wrote:
 On Thu, Nov 4, 2010 at 10:42 PM, Reinaldo de Carvalho
 reinal...@gmail.com wrote:
 
  check_client_access type:table
     Search the specified access database for the client hostname,
  parent domains, client IP address, or networks obtained by stripping
  least significant octets. See the access(5) manual page for details.
 
  This means that not import the table type, each check_client_access
  entry in restriction, will generate some lookups.
 
 This means that not matter the table type.

Yes, it will generate *some* lookups, but it doesn't say exactly
*which* lookups. That was precisely my question.

-- 
Vincent Lefèvre vinc...@vinc17.net - Web: http://www.vinc17.net/
100% accessible validated (X)HTML - Blog: http://www.vinc17.net/blog/
Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)

Re: serious bug with check_client_access

2010-11-04 Thread Reinaldo de Carvalho

On Thu, Nov 4, 2010 at 11:13 PM, Vincent Lefevre vinc...@vinc17.net wrote:
 On 2010-11-04 23:06:17 -0300, Reinaldo de Carvalho wrote:
 On Thu, Nov 4, 2010 at 10:42 PM, Reinaldo de Carvalho
 reinal...@gmail.com wrote:
 
  check_client_access type:table
     Search the specified access database for the client hostname,
  parent domains, client IP address, or networks obtained by stripping
  least significant octets. See the access(5) manual page for details.
 
  This means that not import the table type, each check_client_access
  entry in restriction, will generate some lookups.

 This means that not matter the table type.

 Yes, it will generate *some* lookups, but it doesn't say exactly
 *which* lookups. That was precisely my question.


- client hostname (reverse dns hostname)
- client IP address.

if smtpd_access_maps in parent_domain_matches_subdomains.
- compare client hostname without the first part at left by dot
- compare client hostname without the first and the second part at
left by dot (and recursively at the TDL)

-- 
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net

While not fully understand a software, don't try to adapt this
software to the way you work, but rather yourself to the way the
software works (myself)

Re: serious bug with check_client_access

2010-11-04 Thread mouss


Le 05/11/2010 00:04, Vincent Lefevre a écrit :

On 2010-11-04 17:18:17 +0100, mouss wrote:

otherwise, you can do whatever you want with pcre:
/\.example\.com$/OK
or with sql or ldap.

For pcre, the man page is not clear. It says:

   Each  pattern  is  a  regular  expression that is applied to the entire
   string being looked up. Depending on the application, that string is an
   entire  client hostname, an entire client IP address, or an entire mail
   address.

But where is it described whether the string is an entire client
hostname, an entire client IP address, or an entire mail address?

According to your example, the string is an entire client hostname.
But then, this means that one cannot match IP addresses.



You need to read BOTH the doc of the map type AND the doc of what it is 
used for (access in this case).


in short, for each map, you have multiple parameters:
- the map type
- the search context (check_client_access, check_sender_acces, ... 
transport, virtual_alias_maps, ... etc)

- the list of search keys

for each combination, a search list is derived: for each key, sub-keys 
are derived (whether this occurs and how depends on the map type  
context).

and it is this search list that you need to grasp. so here is an example.


for check_client_access, the search keys are: the hostname and the IP 
(in that order).

the sub-keys depend on the map type, so let's look at a few.
we assume the hostname is lab1.lab2.lab3.example.com and the IP is 1.2.3.4

[hash/cdb/...]

- if parent_domain_matches_subdomains contains smtpd_access: here, the 
search list is
S = ( lab1.lab2.lab3.example.com, lab2.lab3.example.com, 
lab3.example.com ..., com, 1.2.3.4, 1.2.3, 1.2, 1 )
so postfix will search for each element of this set and stops as soon as 
a match is found.


-  if parent_domain_matches_subdomains does not contains smtpd_access, 
then the search list becomes
S = ( lab1.lab2.lab3.example.com, .lab2.lab3.example.com, 
.lab3.example.com ..., .com, 1.2.3.4, 1.2.3, 1.2, 1 )

note the leading dot before lab2, lab3, ...


[pcre/regexp]
with such maps, no subkeys are used. this means the search list is
S = { lab1.lab2.lab3.example.com, 1.2.3.4 }

[cidr]
with cidr, only the IP is meaningful, so the set becomes
S = { 1.2.3.4}


now if we were using check_helo_access, then it's as above except that 
there is no IP.
and if we were about check_sender_access, then we only have one key (the 
email address) but may have many sub-keys.

serious bug with check_client_access

2010-11-03 Thread Vincent Lefevre

Hi,

It seems that I've found a serious bug in check_client_access
(or something is missing in the documentation).

A message was blocked with the following in the log:

Nov  3 21:16:55 ioooi postfix/smtpd[15423]: NOQUEUE: reject: RCPT from 
mx003.twitter.com[128.121.146.152]: 554 5.7.1 Service unavailable; Client host 
[128.121.146.152] blocked using bl.spamcop.net; Blocked - see 
http://www.spamcop.net/bl.shtml?128.121.146.152; 
from=twitter-follow-xx=xx@postmaster.twitter.com 
to=xxx...@xx.xxx proto=ESMTP helo=mx003.twitter.com

In my /etc/postfix/main.cf file, I have:

smtpd_client_restrictions =
  permit_mynetworks,
  check_client_access hash:/etc/postfix/rbl_override,
  reject_rbl_client bl.spamcop.net,
  reject_rbl_client sbl.spamhaus.org

and /etc/postfix/rbl_override contains in particular:

.twitter.com OK

/etc/postfix/rbl_override.db had been rebuilt with
postmap /etc/postfix/rbl_override.

As .twitter.com matches subdomains, it should have matched
mx003.twitter.com, and due to the .twitter.com OK, the RBL's
shouldn't have been checked.

The machine is an Ubuntu 9.04 (jaunty), with the postfix 2.5.5-1.1
package. The machine has been rebooted since the latest config
changes.

-- 
Vincent Lefèvre vinc...@vinc17.net - Web: http://www.vinc17.net/
100% accessible validated (X)HTML - Blog: http://www.vinc17.net/blog/
Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)

Re: serious bug with check_client_access

2010-11-03 Thread Wietse Venema

Vincent Lefevre:
 As .twitter.com matches subdomains, it should have matched

What documentation supports this?

Re: serious bug with check_client_access

2010-11-03 Thread Vincent Lefevre

On 2010-11-03 22:00:21 -0400, Wietse Venema wrote:
 Vincent Lefevre:
  As .twitter.com matches subdomains, it should have matched
 
 What documentation supports this?

The access(5) man page says:

 domain.tld
  Matches domain.tld.

  The  pattern  domain.tld also matches subdomains, but only
  when the string smtpd_access_maps is listed in the Postfix
  parent_domain_matches_subdomains   configuration  setting.
  Otherwise, specify .domain.tld (note the initial  dot)  in
  order to match subdomains.

See the last sentence.

-- 
Vincent Lefèvre vinc...@vinc17.net - Web: http://www.vinc17.net/
100% accessible validated (X)HTML - Blog: http://www.vinc17.net/blog/
Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)

Re: serious bug with check_client_access

2010-11-03 Thread /dev/rob0

On Thu, Nov 04, 2010 at 03:08:03AM +0100, Vincent Lefevre wrote:
 On 2010-11-03 22:00:21 -0400, Wietse Venema wrote:
  Vincent Lefevre:
   As .twitter.com matches subdomains, it should have matched
  
  What documentation supports this?
 
 The access(5) man page says:
 
  domain.tld
   Matches domain.tld.
 
   The  pattern  domain.tld also matches subdomains, but only
   when the string smtpd_access_maps is listed in the Postfix
   parent_domain_matches_subdomains   configuration  setting.
   Otherwise, specify .domain.tld (note the initial  dot)  in
   order to match subdomains.
 
 See the last sentence.

See the one before that. :) What is your setting of
parent_domain_matches_subdomains?

Repeat after me: Oops, sorry Wietse. :)
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header

Re: serious bug with check_client_access

2010-11-03 Thread Vincent Lefevre

On 2010-11-03 21:21:24 -0500, /dev/rob0 wrote:
 On Thu, Nov 04, 2010 at 03:08:03AM +0100, Vincent Lefevre wrote:
  On 2010-11-03 22:00:21 -0400, Wietse Venema wrote:
   Vincent Lefevre:
As .twitter.com matches subdomains, it should have matched
   
   What documentation supports this?
  
  The access(5) man page says:
  
   domain.tld
Matches domain.tld.
  
The  pattern  domain.tld also matches subdomains, but only
when the string smtpd_access_maps is listed in the Postfix
parent_domain_matches_subdomains   configuration  setting.
Otherwise, specify .domain.tld (note the initial  dot)  in
order to match subdomains.
  
  See the last sentence.
 
 See the one before that. :) What is your setting of
 parent_domain_matches_subdomains?

You should read my message again. The setting of
parent_domain_matches_subdomains matters only for domain.tld.
But my config file has the form .domain.tld.

-- 
Vincent Lefèvre vinc...@vinc17.net - Web: http://www.vinc17.net/
100% accessible validated (X)HTML - Blog: http://www.vinc17.net/blog/
Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)

Re: serious bug with check_client_access

2010-11-03 Thread Noel Jones


On 11/3/2010 9:36 PM, Vincent Lefevre wrote:

On 2010-11-03 21:21:24 -0500, /dev/rob0 wrote:

On Thu, Nov 04, 2010 at 03:08:03AM +0100, Vincent Lefevre wrote:

On 2010-11-03 22:00:21 -0400, Wietse Venema wrote:

Vincent Lefevre:

As .twitter.com matches subdomains, it should have matched


What documentation supports this?


The access(5) man page says:

  domain.tld
   Matches domain.tld.

   The  pattern  domain.tld also matches subdomains, but only
   when the string smtpd_access_maps is listed in the Postfix
   parent_domain_matches_subdomains   configuration  setting.
   Otherwise, specify .domain.tld (note the initial  dot)  in
   order to match subdomains.

See the last sentence.


See the one before that. :) What is your setting of
parent_domain_matches_subdomains?


You should read my message again. The setting of
parent_domain_matches_subdomains matters only for domain.tld.
But my config file has the form .domain.tld.



Your interpretation is incorrect.

.domain.tld only works if parent_domain_matches_subdomains 
does NOT include smtpd_access maps.

Re: serious bug with check_client_access

2010-11-03 Thread /dev/rob0

On Thu, Nov 04, 2010 at 03:36:30AM +0100, Vincent Lefevre wrote:
 On 2010-11-03 21:21:24 -0500, /dev/rob0 wrote:
  On Thu, Nov 04, 2010 at 03:08:03AM +0100, Vincent Lefevre wrote:
   On 2010-11-03 22:00:21 -0400, Wietse Venema wrote:
Vincent Lefevre:
 As .twitter.com matches subdomains, it should have matched

What documentation supports this?
   
   The access(5) man page says:
   
domain.tld
 Matches domain.tld.
   
 The  pattern  domain.tld also matches subdomains, but only

The pattern domain.tld also matches subdomains ...

You don't have that in your map.

 when the string smtpd_access_maps is listed in the Postfix
 parent_domain_matches_subdomains   configuration  setting.

You failed to provide postconf -n in the OP, and again failed to 
answer my question about it.

 Otherwise, specify .domain.tld (note the initial  dot)  in
^
 order to match subdomains.

You're not in the otherwise category, I bet.

   
   See the last sentence.
  
  See the one before that. :) What is your setting of
  parent_domain_matches_subdomains?
 
 You should read my message again. The setting of
 parent_domain_matches_subdomains matters only for domain.tld.
 But my config file has the form .domain.tld.

http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header

Re: serious bug with check_client_access

2010-11-03 Thread Sahil Tandon

On Thu, 2010-11-04 at 03:36:30 +0100, Vincent Lefevre wrote:

 On 2010-11-03 21:21:24 -0500, /dev/rob0 wrote:
  On Thu, Nov 04, 2010 at 03:08:03AM +0100, Vincent Lefevre wrote:
   On 2010-11-03 22:00:21 -0400, Wietse Venema wrote:
Vincent Lefevre:
 As .twitter.com matches subdomains, it should have matched

What documentation supports this?
   
   The access(5) man page says:
   
domain.tld Matches domain.tld.
   
 The  pattern  domain.tld also matches subdomains, but
 only when the string smtpd_access_maps is listed in the
 Postfix parent_domain_matches_subdomains   configuration
 setting.  Otherwise, specify .domain.tld (note the
 initial  dot)  in order to match subdomains.
   
   See the last sentence.
  
  See the one before that. :) What is your setting of
  parent_domain_matches_subdomains?
 
 You should read my message again. The setting of
 parent_domain_matches_subdomains matters only for domain.tld.  But my
 config file has the form .domain.tld.

No, *you* should re-read the documentation.

-- 
Sahil Tandon sa...@freebsd.org

Re: serious bug with check_client_access

2010-11-03 Thread Vincent Lefevre

On 2010-11-03 21:44:00 -0500, /dev/rob0 wrote:
 On Thu, Nov 04, 2010 at 03:36:30AM +0100, Vincent Lefevre wrote:
  On 2010-11-03 21:21:24 -0500, /dev/rob0 wrote:
   On Thu, Nov 04, 2010 at 03:08:03AM +0100, Vincent Lefevre wrote:
On 2010-11-03 22:00:21 -0400, Wietse Venema wrote:
 Vincent Lefevre:
  As .twitter.com matches subdomains, it should have matched
 
 What documentation supports this?

The access(5) man page says:

 domain.tld
  Matches domain.tld.

  The  pattern  domain.tld also matches subdomains, but only
 
 The pattern domain.tld also matches subdomains ...
 
 You don't have that in your map.
 
  when the string smtpd_access_maps is listed in the Postfix
  parent_domain_matches_subdomains   configuration  setting.
 
 You failed to provide postconf -n in the OP, and again failed to 
 answer my question about it.
 
  Otherwise, specify .domain.tld (note the initial  dot)  in
 ^
  order to match subdomains.
 
 You're not in the otherwise category, I bet.

So what? There's some logic error. Otherwise is a replacement for
if smtpd_access_maps is not listed in parent_domain_matches_subdomains
but nowhere it is said that domain.tld is not supported if this
pattern starts with a dot.

-- 
Vincent Lefèvre vinc...@vinc17.net - Web: http://www.vinc17.net/
100% accessible validated (X)HTML - Blog: http://www.vinc17.net/blog/
Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)

Re: serious bug with check_client_access

2010-11-03 Thread Vincent Lefevre

On 2010-11-03 21:40:54 -0500, Noel Jones wrote:
 .domain.tld only works if parent_domain_matches_subdomains does NOT
 include smtpd_access maps.

The man page says nothing like that. So, the documentation should be
fixed.

-- 
Vincent Lefèvre vinc...@vinc17.net - Web: http://www.vinc17.net/
100% accessible validated (X)HTML - Blog: http://www.vinc17.net/blog/
Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)

Re: serious bug with check_client_access

2010-11-03 Thread Noel Jones


On 11/3/2010 10:00 PM, Vincent Lefevre wrote:

On 2010-11-03 21:40:54 -0500, Noel Jones wrote:

.domain.tld only works if parent_domain_matches_subdomains does NOT
include smtpd_access maps.


The man page says nothing like that. So, the documentation should be
fixed.



The vast majority of readers seem to interpret that section as 
intended.  You're welcome to post a documentation patch in a 
new thread, but I don't think the behavior or its 
documentation has changed in ~10 years, so don't hold your breath.


And next time behavior doesn't match your expectations, you 
might get more sympathy if your message starts with please 
clarify this for me rather than serious bug.




  -- Noel Jones

Re: serious bug with check_client_access

2010-11-03 Thread Vincent Lefevre

On 2010-11-03 22:16:48 -0500, Noel Jones wrote:
 On 11/3/2010 10:00 PM, Vincent Lefevre wrote:
 On 2010-11-03 21:40:54 -0500, Noel Jones wrote:
 .domain.tld only works if parent_domain_matches_subdomains does NOT
 include smtpd_access maps.
 
 The man page says nothing like that. So, the documentation should be
 fixed.
 
 The vast majority of readers seem to interpret that section as intended.

I'd say that the vast majority of readers probably haven't tried
.domain.tld (with an initial dot) or haven't even read the
documentation, so that they didn't have to interpret the sentence
on this point. And many people interpret If A then B as also
meaning that If not A then not B (against mathematical logic),
and this doesn't mean that they are correct.

Also, perhaps other users use this form and don't know that it doesn't
work, because AFAIK, one doesn't get any feedback (I haven't seen any
warning) until the sender says that some mail has been rejected by
some later rule.

 You're welcome to post a documentation patch in a new thread, but I don't
 think the behavior or its documentation has changed in ~10 years, so don't
 hold your breath.

Something difficult for users who don't know postfix internals.
What happens if the .domain.tld form is used? Is it simply ignored?
Or does anything else occur?

 And next time behavior doesn't match your expectations, you might get more
 sympathy if your message starts with please clarify this for me rather
 than serious bug.

Actually if a documentation is incorrect/incomplete, it is a bug in
the documentation. And FYI, the consequence was a lost mail. So, this
is quite serious.

-- 
Vincent Lefèvre vinc...@vinc17.net - Web: http://www.vinc17.net/
100% accessible validated (X)HTML - Blog: http://www.vinc17.net/blog/
Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)

Re: serious bug with check_client_access

2010-11-03 Thread Noel Jones


On 11/3/2010 10:50 PM, Vincent Lefevre wrote:

Actually if a documentation is incorrect/incomplete, it is a bug in
the documentation. And FYI, the consequence was a lost mail. So, this
is quite serious.



I'm so sorry you lost your twitter post.  The access map 
format you're looking for is

twitter.com  OK

Re: serious bug with check_client_access

2010-11-03 Thread Vincent Lefevre

On 2010-11-03 22:55:59 -0500, Noel Jones wrote:
 I'm so sorry you lost your twitter post.

Actually I might have lost other mail (though this is a bit unlikely)
since I was generally using an initial dot.

 The access map format you're looking for is
 twitter.com  OK

Thanks for the information. I've corrected the whole access file.

BTW, so, there is no way to match only subdomains (by that, I mean
all possible subdomains, but not the domain itself) without changing
parent_domain_matches_subdomains?

I don't currently need such a feature, but I'm asking just in case...

-- 
Vincent Lefèvre vinc...@vinc17.net - Web: http://www.vinc17.net/
100% accessible validated (X)HTML - Blog: http://www.vinc17.net/blog/
Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)

Re: serious bug with check_client_access

2010-11-03 Thread Noel Jones


On 11/3/2010 11:07 PM, Vincent Lefevre wrote:

BTW, so, there is no way to match only subdomains (by that, I mean
all possible subdomains, but not the domain itself) without changing
parent_domain_matches_subdomains?


That's correct with indexed tables.  With regexp or pcre 
tables there is no automatic subdomain search; you control the 
scope of the search with your expression.


To answer your other question, when 
parent_domain_matches_subdomains includes smtpd_access_maps 
(the default), the form .domain.tld is never searched for. 
As a result, the entry is silently ignored.


  -- Noel Jones

44 matches

Mail list logo