Re: how to debug a restriction class not matching?

Tue, 12 May 2009 15:18:29 -0700 

Len Conrad a écrit :
>>>> The above is caught by:
>>>>
>>>> /[0-9]{1,3}(\.|\-)[0-9]{1,3}(\.|\-)[0-9]{1,3}(\.|\-)[0-9]{1,3}.*\[/ 
>>>> client_filter.class
>>> remove the \[ part.
>>> and BTW, here is a shorter version:
>>> /(\d{1,3}[-\.]){3}\d{1,3}/      class_client_filter
>>>
>>>
>>>> ... but is not going to the restriction class as actual SMTP client.
>> After looking at my and mouss' advice, I realize the expressions we 
>> suggested will match _all_ clients since it matchs an IP address.
> 
> I've wanted to match patterns in the PTR domain name, that's why I anchored 
> the expr with \[, to make sure I didn't match the domain.name[ip.ad.re.ss]
> 
>> Probably not what you intend.
> 
> of course not
> 
>> Here's what I use to match IP-containing hostnames, should work for you.
>> /(\d{1,3}[-\.]){3}\d{1,3}[^.]+\.[^.]/  class_client_filter
>> ie. there must be a dot somewhere after the IP-containing section.
> 
> OK, same idea as mine, but I say "there must be a [ after the PTR domain 
> name", 

You're inventing your own syntax. there's no '[' in the PTR. the
"joe.example.com[192.0.2.1]" is only used in logs. but the PTR is
"joe.example.com" and the IP is "192.0.2.1".



> because without the post-PTR-domain-name anchor, it was matching/shunting all 
> connections into the (suspect) client_filter.class instead of staying in the 
> non_suspect (main) branch.
> 
> I'm really struggling with this because without your domain.name\. or my \[, 
> not all domain.name[a.b.c.d] get matched into the client_filter.class. iow, 
> with the trailing anchor, 
> 
> So what string does the restriction class matching look at?
> 

postfix will lookup the PTR (joe.example.com), and if not found, it will
lookup the IP (192.0.2.1). and for each of these, there is a lookup
order (for partial matches. but with pcre, only full match is done).

> 1. label.domain.tld[ip.ad.re.ss]
> 
> 2. label.domain.tld ip.ad.re.ss
> 
> 3. label.domain.tld 
> 
> 4. ip.ad.re.ss
> 
> btw, the policy service passes the client_name and client_address as two 
> separate values.

it's because they are really "separate".

Reply via email to