Stan Hoeppner wrote:
> mouss put forth on 10/31/2009 11:06 AM:
> 
> mouss, you rock.
> 
>> you can use a script if you prefer. the advantage of 'make' is that it
>> only re-generates files when needed (source change).
> 
> The only likely changes would be adding another country. 

sometimes, you find a new IP that wasn't there, or an IP is assigned to
another country... rare, but may happen.

> In this case,
> would I just add the file name to the "source" section below, and run
> the make script?
> 

yes, just add a
COUNTRIES += nowhereland
line and it should work.

>> [snip]
> Neat.  I'm using gnu make so this should all work.  Still don't
> understand how this would affect memory footprint, but at least it would
> clean up my main.cf a bit.
> 

it is faster to search a single file, rather than doing 10 searches.
Think of an IP that is not listed in any of your country maps. with 10
files, you multiply the number of lookups by 10 compared to searching in
a single file.

of course latency isn't a problem in your setup. but beauty is enough
reason! see below.

>> PS. since you use a cidr specific directory, you can get rid of the
>> ".cidr" suffix. you could then use (in main.cf):
>>
>> cidr=cidr:/etc/postfix/cidr_files
>> smtpd_foo_restrictions =
>>      ...
>>      check_client_access ${cidr}/access_foo
>>      ...
>>      check_client_access ${cidr}/access_bar
> 
> Ahh, also sweet.  I'd seen folks using variables but I hadn't really
> found a need yet to dig into it.  That and I was afraid of confusing
> myself down the road. ;)  Just implemented this.  Works fine, main.cf
> much cleaner looking, 


yep. it avoids repetition and long lines.

maps_dir = /etc/postfix/maps
cdb = cdb:${maps_dir}/cdb
pcre = pcre:${maps_dir}/pcre
mysql = mysql:${maps_dir}/mysql
...

virtual_mailbox_maps =
        ${sql}/virtual_mailbox

virtual_alias_maps =
        ${sql}/virtual_alias

smtpd_foo_restrictions =
        ....
        # per recipient access rules
        check_recipient_access ${mysql}/access_recipient
        check_recipient_access ${pcre}/access_recipient
        ...
        # selectively reject mail from "generic rDNS" and invalid PTR:
        check_helo_access ${sql}/access_host
        check_helo_access ${pcre}/access_host
        check_reverse_client_hostname_access ${sql}/access_host
        check_reverse_client_hostname_access ${pcre}/access_host
        ...


PS. on the other hand, postconf -n doesn't show the custom variables.
but this shouldn't be a problem as long as you don't abuse variables.



>_and_ I'm now practicing "good form" with
> "check_client_access" in front of each CIDR map. ;)
> 

yes. this will allow you to move/copy checks between different
restrictions. In particular, you can move checks to a restriction class
without having to wonder which restriction calls the class. (yes, I am
not very clear. but I hope you see what I mean ;-).


> Lots of good ancillary info coming out of this thread.  Thanks guys.
> Still wondering about the map file memory overhead details...
> 
> --
> Stan
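
Added example, not part of the original message and not the snipped Makefile: a shell function that merges per-country CIDR files into the single map discussed above and, like make, rebuilds it only when a source is newer than the target. The file names in the usage comment and the duplicate-dropping step are assumptions.

```shell
#!/bin/sh
# merge_cidr TARGET SOURCE...
# Merge per-country Postfix CIDR maps into one file.
# Returns 0 if TARGET was rebuilt, 1 if it was already up to date,
# 2 if a source is missing or the merged file could not be written.
merge_cidr() {
    target=$1; shift
    stale=0
    if [ ! -f "$target" ]; then stale=1; fi
    for src in "$@"; do
        if [ ! -r "$src" ]; then
            echo "missing source: $src" >&2
            return 2
        fi
        # -nt: source was modified more recently than the target
        if [ "$src" -nt "$target" ]; then stale=1; fi
    done
    if [ "$stale" -eq 0 ]; then return 1; fi

    tmp="$target.tmp.$$"
    # Drop comments and blank lines; keep the first entry per network.
    # CIDR tables are searched in order and stop at the first match,
    # so source order is preserved.
    if ! cat "$@" | awk '
        /^[ \t]*(#|$)/ { next }
        !seen[$1]++    { print }
    ' > "$tmp"; then
        rm -f "$tmp"
        return 2
    fi
    # Rename into place so smtpd never reads a half-written map.
    mv "$tmp" "$target"
}

# Usage (hypothetical file names under the directory from the thread):
#   cd /etc/postfix/cidr_files && merge_cidr access_countries country_a country_b
```

Adding a country is then one more source argument, the script equivalent of the COUNTRIES += line.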
