Re: serious bug with check_client_access

2010-11-06 Thread mouss
On 05/11/2010 09:48, Vincent Lefevre wrote: On 2010-11-04 23:36:04 -0300, Reinaldo de Carvalho wrote: On Thu, Nov 4, 2010 at 11:13 PM, Vincent Lefevre wrote: Yes, it will generate *some* lookups, but it doesn't say exactly *which* lookups. That was precisely my question. - client hostname

Re: serious bug with check_client_access

2010-11-06 Thread mouss
On 05/11/2010 10:03, Vincent Lefevre wrote: [hash/cdb/...] - if parent_domain_matches_subdomains contains smtpd_access: here, the search list is S = ( lab1.lab2.lab3.example.com, lab2.lab3.example.com, lab3.example.com ..., com, 1.2.3.4, 1.2.3, 1.2, 1 ) so postfix will search for each

Re: serious bug with check_client_access

2010-11-05 Thread Stan Hoeppner
Vincent Lefevre put forth on 11/5/2010 4:03 AM: > Testing the tld alone seems to be excluded by the access(5) man page, > which only documents "domain.tld", i.e. the pattern must contain > at least one dot. Is it an error in the man page (which could say > "domain" instead, like in Section "Email

Re: serious bug with check_client_access

2010-11-05 Thread Vincent Lefevre
On 2010-11-05 06:21:20 +0100, mouss wrote: > in short, for each map, you have multiple parameters: > - the map type > - the search context (check_client_access, check_sender_access, ... > transport, virtual_alias_maps, ... etc) > - the list of search keys [...] Thanks a lot for this very detailed a

Re: serious bug with check_client_access

2010-11-05 Thread Vincent Lefevre
On 2010-11-04 23:36:04 -0300, Reinaldo de Carvalho wrote: > On Thu, Nov 4, 2010 at 11:13 PM, Vincent Lefevre wrote: > > Yes, it will generate *some* lookups, but it doesn't say exactly > > *which* lookups. That was precisely my question. > > - client hostname (reverse dns hostname) > - client IP

Re: serious bug with check_client_access

2010-11-04 Thread mouss
On 05/11/2010 00:04, Vincent Lefevre wrote: On 2010-11-04 17:18:17 +0100, mouss wrote: otherwise, you can do whatever you want with pcre: /\.example\.com$/ OK or with sql or ldap. For pcre, the man page is not clear. It says: Each pattern is a regular expression that is appli

Re: serious bug with check_client_access

2010-11-04 Thread Stan Hoeppner
Vincent Lefevre put forth on 11/4/2010 7:57 PM: > This is not what the documentation says: > > Depending on the application, that string is an entire client > hostname, an entire client IP address, or an entire mail address. _Application_ in this sentence refers to things like smtpd_foo_rest

Re: serious bug with check_client_access

2010-11-04 Thread Reinaldo de Carvalho
On Thu, Nov 4, 2010 at 11:13 PM, Vincent Lefevre wrote: > On 2010-11-04 23:06:17 -0300, Reinaldo de Carvalho wrote: >> On Thu, Nov 4, 2010 at 10:42 PM, Reinaldo de Carvalho >> wrote: >> > >> > check_client_access type:table >> >    Search the specified access database for the client hostname, >>

Re: serious bug with check_client_access

2010-11-04 Thread Vincent Lefevre
On 2010-11-04 23:06:17 -0300, Reinaldo de Carvalho wrote: > On Thu, Nov 4, 2010 at 10:42 PM, Reinaldo de Carvalho > wrote: > > > > check_client_access type:table > >    Search the specified access database for the client hostname, > > parent domains, client IP address, or networks obtained by stri

Re: serious bug with check_client_access

2010-11-04 Thread Stan Hoeppner
Vincent Lefevre put forth on 11/4/2010 7:49 PM: > On 2010-11-04 20:33:11 -0400, Wietse Venema wrote: >> check_client_access searches the address and domain with ALL lookup >> table types. It just doesn't do the substring lookups with PCRE, >> REGEXP and CIDR. > > If I understand correctly, there's

Re: serious bug with check_client_access

2010-11-04 Thread Reinaldo de Carvalho
On Thu, Nov 4, 2010 at 10:42 PM, Reinaldo de Carvalho wrote: > > check_client_access type:table >    Search the specified access database for the client hostname, > parent domains, client IP address, or networks obtained by stripping > least significant octets. See the access(5) manual page for de

Re: serious bug with check_client_access

2010-11-04 Thread Vincent Lefevre
On 2010-11-05 02:29:53 +0100, Jeroen Geilman wrote: > If you combine > > Each pattern is a regular expression that is applied to the entire string > being looked up. > > > with > check_client_access type:table > Search the specified a

Re: serious bug with check_client_access

2010-11-04 Thread Reinaldo de Carvalho
On Thu, Nov 4, 2010 at 8:04 PM, Vincent Lefevre wrote: > On 2010-11-04 17:18:17 +0100, mouss wrote: >> otherwise, you can do whatever you want with pcre: >> /\.example\.com$/        OK >> or with sql or ldap. > > For pcre, the man page is not clear. It says: > check_client_access type:table S

Re: serious bug with check_client_access

2010-11-04 Thread Jeroen Geilman
On 11/05/2010 01:57 AM, Vincent Lefevre wrote: On 2010-11-05 01:38:37 +0100, Jeroen Geilman wrote: *REGULAR EXPRESSION TABLES* This section describes how the table lookups change when the table is given in the form of regular expressions. For a description of regula

Re: serious bug with check_client_access

2010-11-04 Thread Vincent Lefevre
On 2010-11-05 01:38:37 +0100, Jeroen Geilman wrote: > *REGULAR EXPRESSION TABLES* > This section describes how the table lookups change when > the table is given in the form of regular expressions. For > a description of regular expression lookup table syntax, > see*

Re: serious bug with check_client_access

2010-11-04 Thread Vincent Lefevre
On 2010-11-04 20:33:11 -0400, Wietse Venema wrote: > check_client_access searches the address and domain with ALL lookup > table types. It just doesn't do the substring lookups with PCRE, > REGEXP and CIDR. If I understand correctly, there's another difference: in the default table format, the str

Re: serious bug with check_client_access

2010-11-04 Thread Jeroen Geilman
On 11/05/2010 01:26 AM, Vincent Lefevre wrote: On 2010-11-04 19:06:57 -0500, Stan Hoeppner wrote: check_client_access pcre:/etc/postfix/filter.pcre check_sender_access pcre:/etc/postfix/filter.pcre check_recipient_access pcre:/etc/postfix/filter.pcre As you can see, this is defined

Re: serious bug with check_client_access

2010-11-04 Thread Wietse Venema
Vincent Lefevre: > On 2010-11-04 19:06:57 -0500, Stan Hoeppner wrote: > > check_client_access pcre:/etc/postfix/filter.pcre > > check_sender_access pcre:/etc/postfix/filter.pcre > > check_recipient_access pcre:/etc/postfix/filter.pcre > > > > As you can see, this is defined by the smtpd_foo_r

Re: serious bug with check_client_access

2010-11-04 Thread Vincent Lefevre
On 2010-11-04 19:06:57 -0500, Stan Hoeppner wrote: > check_client_access pcre:/etc/postfix/filter.pcre > check_sender_access pcre:/etc/postfix/filter.pcre > check_recipient_access pcre:/etc/postfix/filter.pcre > > As you can see, this is defined by the smtpd_foo_restriction you target >

Re: serious bug with check_client_access

2010-11-04 Thread Stan Hoeppner
Vincent Lefevre put forth on 11/4/2010 6:04 PM: > On 2010-11-04 17:18:17 +0100, mouss wrote: >> otherwise, you can do whatever you want with pcre: >> /\.example\.com$/ OK >> or with sql or ldap. > > For pcre, the man page is not clear. It says: > > Each pattern is a regular expressi

Re: serious bug with check_client_access

2010-11-04 Thread Vincent Lefevre
On 2010-11-04 17:18:17 +0100, mouss wrote: > otherwise, you can do whatever you want with pcre: > /\.example\.com$/ OK > or with sql or ldap. For pcre, the man page is not clear. It says: Each pattern is a regular expression that is applied to the entire string being looked up. De

Re: serious bug with check_client_access

2010-11-04 Thread mouss
On 04/11/2010 05:07, Vincent Lefevre wrote: On 2010-11-03 22:55:59 -0500, Noel Jones wrote: I'm so sorry you lost your twitter post. Actually I might have lost other mail (though this is a bit unlikely) since I was generally using an initial dot. a good idea is to include both dotted and u

Re: serious bug with check_client_access

2010-11-04 Thread Vincent Lefevre
On 2010-11-04 10:44:34 +0100, lst_ho...@kwsoft.de wrote: > >>The access(5) man page says: > >> > >> domain.tld > >> Matches domain.tld. > >> > >> The pattern domain.tld also matches subdomains, but only > >> when the string smtpd_access_maps is listed in the Pos

Re: serious bug with check_client_access

2010-11-04 Thread Покотиленко Костик
On Thu, 04/11/2010 at 10:44 +0100, lst_ho...@kwsoft.de wrote: > Quoting Покотиленко Костик : > > > On Wed, 03/11/2010 at 22:16 -0500, Noel Jones wrote: > >> On 11/3/2010 10:00 PM, Vincent Lefevre wrote: > >> > On 2010-11-03 21:40:54 -0500, Noel Jones wrote: > >> >> ".domain.tld" only works if parent

Re: serious bug with check_client_access

2010-11-04 Thread lst_hoe02
Quoting Покотиленко Костик : On Wed, 03/11/2010 at 22:16 -0500, Noel Jones wrote: On 11/3/2010 10:00 PM, Vincent Lefevre wrote: > On 2010-11-03 21:40:54 -0500, Noel Jones wrote: >> ".domain.tld" only works if parent_domain_matches_subdomains does NOT >> include smtpd_access maps. > > The man pa

Re: serious bug with check_client_access

2010-11-04 Thread Emmanuel Fusté
On 04/11/2010 05:24, Noel Jones wrote: On 11/3/2010 11:07 PM, Vincent Lefevre wrote: BTW, so, there is no way to match only subdomains (by that, I mean all possible subdomains, but not the domain itself) without changing parent_domain_matches_subdomains? That's correct with indexed tables.

Re: serious bug with check_client_access

2010-11-04 Thread Покотиленко Костик
On Wed, 03/11/2010 at 22:16 -0500, Noel Jones wrote: > On 11/3/2010 10:00 PM, Vincent Lefevre wrote: > > On 2010-11-03 21:40:54 -0500, Noel Jones wrote: > >> ".domain.tld" only works if parent_domain_matches_subdomains does NOT > >> include smtpd_access maps. > > > > The man page says nothing like th

Re: serious bug with check_client_access

2010-11-03 Thread Noel Jones
On 11/3/2010 11:07 PM, Vincent Lefevre wrote: BTW, so, there is no way to match only subdomains (by that, I mean all possible subdomains, but not the domain itself) without changing parent_domain_matches_subdomains? That's correct with indexed tables. With regexp or pcre tables there is no au

Re: serious bug with check_client_access

2010-11-03 Thread Vincent Lefevre
On 2010-11-03 22:55:59 -0500, Noel Jones wrote: > I'm so sorry you lost your twitter post. Actually I might have lost other mail (though this is a bit unlikely) since I was generally using an initial dot. > The access map format you're looking for is > twitter.com OK Thanks for the information.

Re: serious bug with check_client_access

2010-11-03 Thread Noel Jones
On 11/3/2010 10:50 PM, Vincent Lefevre wrote: Actually if a documentation is incorrect/incomplete, it is a bug in the documentation. And FYI, the consequence was a lost mail. So, this is quite serious. I'm so sorry you lost your twitter post. The access map format you're looking for is twit

Re: serious bug with check_client_access

2010-11-03 Thread Vincent Lefevre
On 2010-11-03 22:16:48 -0500, Noel Jones wrote: > On 11/3/2010 10:00 PM, Vincent Lefevre wrote: > >On 2010-11-03 21:40:54 -0500, Noel Jones wrote: > >>".domain.tld" only works if parent_domain_matches_subdomains does NOT > >>include smtpd_access maps. > > > >The man page says nothing like that. So,

Re: serious bug with check_client_access

2010-11-03 Thread Noel Jones
On 11/3/2010 10:00 PM, Vincent Lefevre wrote: On 2010-11-03 21:40:54 -0500, Noel Jones wrote: ".domain.tld" only works if parent_domain_matches_subdomains does NOT include smtpd_access maps. The man page says nothing like that. So, the documentation should be fixed. The vast majority of rea

Re: serious bug with check_client_access

2010-11-03 Thread Vincent Lefevre
On 2010-11-03 21:40:54 -0500, Noel Jones wrote: > ".domain.tld" only works if parent_domain_matches_subdomains does NOT > include smtpd_access maps. The man page says nothing like that. So, the documentation should be fixed. -- Vincent Lefèvre - Web: 100% accessible val

Re: serious bug with check_client_access

2010-11-03 Thread Vincent Lefevre
On 2010-11-03 21:44:00 -0500, /dev/rob0 wrote: > On Thu, Nov 04, 2010 at 03:36:30AM +0100, Vincent Lefevre wrote: > > On 2010-11-03 21:21:24 -0500, /dev/rob0 wrote: > > > On Thu, Nov 04, 2010 at 03:08:03AM +0100, Vincent Lefevre wrote: > > > > On 2010-11-03 22:00:21 -0400, Wietse Venema wrote: > >

Re: serious bug with check_client_access

2010-11-03 Thread Sahil Tandon
On Thu, 2010-11-04 at 03:36:30 +0100, Vincent Lefevre wrote: > On 2010-11-03 21:21:24 -0500, /dev/rob0 wrote: > > On Thu, Nov 04, 2010 at 03:08:03AM +0100, Vincent Lefevre wrote: > > > On 2010-11-03 22:00:21 -0400, Wietse Venema wrote: > > > > Vincent Lefevre: > > > > > As .twitter.com matches sub

Re: serious bug with check_client_access

2010-11-03 Thread /dev/rob0
On Thu, Nov 04, 2010 at 03:36:30AM +0100, Vincent Lefevre wrote: > On 2010-11-03 21:21:24 -0500, /dev/rob0 wrote: > > On Thu, Nov 04, 2010 at 03:08:03AM +0100, Vincent Lefevre wrote: > > > On 2010-11-03 22:00:21 -0400, Wietse Venema wrote: > > > > Vincent Lefevre: > > > > > As .twitter.com matches

Re: serious bug with check_client_access

2010-11-03 Thread Noel Jones
On 11/3/2010 9:36 PM, Vincent Lefevre wrote: On 2010-11-03 21:21:24 -0500, /dev/rob0 wrote: On Thu, Nov 04, 2010 at 03:08:03AM +0100, Vincent Lefevre wrote: On 2010-11-03 22:00:21 -0400, Wietse Venema wrote: Vincent Lefevre: As .twitter.com matches subdomains, it should have matched What do

Re: serious bug with check_client_access

2010-11-03 Thread Vincent Lefevre
On 2010-11-03 21:21:24 -0500, /dev/rob0 wrote: > On Thu, Nov 04, 2010 at 03:08:03AM +0100, Vincent Lefevre wrote: > > On 2010-11-03 22:00:21 -0400, Wietse Venema wrote: > > > Vincent Lefevre: > > > > As .twitter.com matches subdomains, it should have matched > > > > > > What documentation supports

Re: serious bug with check_client_access

2010-11-03 Thread /dev/rob0
On Thu, Nov 04, 2010 at 03:08:03AM +0100, Vincent Lefevre wrote: > On 2010-11-03 22:00:21 -0400, Wietse Venema wrote: > > Vincent Lefevre: > > > As .twitter.com matches subdomains, it should have matched > > > > What documentation supports this? > > The access(5) man page says: > > domain.t

Re: serious bug with check_client_access

2010-11-03 Thread Vincent Lefevre
On 2010-11-03 22:00:21 -0400, Wietse Venema wrote: > Vincent Lefevre: > > As .twitter.com matches subdomains, it should have matched > > What documentation supports this? The access(5) man page says: domain.tld Matches domain.tld. The pattern domain.tld also matches s

Re: serious bug with check_client_access

2010-11-03 Thread Wietse Venema
Vincent Lefevre: > As .twitter.com matches subdomains, it should have matched What documentation supports this?