On 26 Nov 2015, at 11:12, Steve Jenkins wrote:
On Thu, Nov 26, 2015 at 4:49 AM, Robert Chalmers <rob...@chalmers.com.au> wrote:
So do I.
So I’ll hand cut the cidr file for now, and wait till the author updates
his code..
So, I've updated the code. :)
Instead of relying on multiple scripts to make multiple lists, I simplified
things and created a new project called Postwhite:
https://github.com/stevejenkins/postwhite
It now relies on a small script from the spf-tools package (also on GitHub)
to handle the recursive SPF queries. Postwhite allows you to toggle
"yes/no" as to which mailers you want to include, then creates a single
SPF-based whitelist for Postscreen that is numerically sorted and has
duplicates removed.
I'm still working on a way to validate the CIDRs before they make the
whitelist. It's pretty dumb for MSFT to publish invalid IPs, and it's even
dumber that they don't provide any way to notify them about it.
Every DNS SOA should have an RP field that is supposed to be an email
address (s/@/./) for the Responsible Party who can fix problems in the
zone. Surely a big responsible company like Microsoft wouldn't get that
wrong... (or maybe they would)
If you can tolerate a dependency on a non-core Perl module, I find this
function useful enough to have in .bashrc on systems where I fiddle with
IP ranges & CIDR blocks:
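cidrcon ()
{
    # Feed each argument (one CIDR block per line) to Net::CIDR::Lite,
    # which merges them and prints the resulting list of CIDR blocks.
    for a in "$@";
    do
        echo "$a";
    done | perl -e "use Net::CIDR::Lite; \$cidr = Net::CIDR::Lite->new(<>) ; \$_ = join (\"\n\",\$cidr->list) ; print \"\$_\n\";"
}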
So I can do things like:
# cidrcon $( dig _spf-ssg-b.microsoft.com txt +short |tr ' ' '\n' |
grep '^ip4:.*/[0-9]*$' | sed 's/ip4://' )
65.55.33.64/28
65.55.178.128/27
65.55.238.128/26
207.46.116.128/29
207.46.132.128/27
207.68.169.172/30
207.68.176.0/26
207.68.176.96/27
213.199.161.128/27
(Being trivial, obvious, and more than slightly sloppy, that bit of
shell+perl is entirely exempt from any intellectual property law. Any 2
random monkeys stand a fair chance of writing it by pure chance, as one
already has. Use as you please AT YOUR OWN RISK)
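
One way to do the CIDR validation discussed in this thread before entries reach the Postscreen whitelist, as an added example that is not Postwhite's code or any poster's. It assumes "invalid" means an ip4: value that fails a strict parse (octet out of range, prefix longer than 32, or host bits set below the prefix); the function names and the sample TXT record are constructed for illustration.

```python
import ipaddress

# Constructed sample TXT record using documentation address ranges, not real mailer data.
SAMPLE_TXT = ('"v=spf1 ip4:192.0.2.0/28 ip4:198.51.100.77/24 ip4:203.0.113.300/27 '
              'ip4:192.0.2.0/28 ip4:198.51.100.128/25 ip4:192.0.2.64/33 '
              'include:_spf.example.net ~all"')


def ip4_terms(txt):
    """Return the values of the ip4: mechanisms found in one SPF TXT string."""
    terms = []
    for token in txt.replace('"', ' ').split():
        if token.lower().startswith("ip4:"):
            terms.append(token[4:])
    return terms


def check_cidrs(candidates):
    """Split candidates into (sorted unique valid networks, [(entry, reason)])."""
    valid, rejected = set(), []
    for entry in candidates:
        try:
            # strict=True raises ValueError for bad octets, bad prefix
            # lengths, and addresses with host bits set below the prefix.
            valid.add(ipaddress.IPv4Network(entry, strict=True))
        except ValueError as exc:
            rejected.append((entry, str(exc)))
    # IPv4Network objects sort numerically, so 9.0.0.0/8 precedes 10.0.0.0/8.
    return sorted(valid), rejected


def whitelist_lines(networks):
    """Format networks as 'cidr<TAB>permit' lines for a Postfix CIDR table."""
    return [f"{net}\tpermit" for net in networks]


if __name__ == "__main__":
    nets, bad = check_cidrs(ip4_terms(SAMPLE_TXT))
    print("\n".join(whitelist_lines(nets)))
    for entry, reason in bad:
        print(f"# skipped {entry}: {reason}")
```

Rejected entries are reported rather than silently dropped, so a bad published range can be reviewed by hand instead of being rounded to a wider network.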