> Tom Collins wrote:
>
>> On Dec 23, 2006, at 6:41 PM, Rick Widmer wrote:
>> <snip - I'll address the ALTER statement separately>
>>> - Don't update the relay CDB for statically covered addresses.
>>> (extended version.)
>>
>> Do we have to worry about a race condition where I do my POP pickup and
>> the relay CDB isn't updated with the new timestamp (since I'm in there
>> from an earlier pickup) but the entry expires before my SMTP starts? I
>> don't think I've ever used the pop-before-smtp feature, so I'm not sure
>> on the details of how it works...
>
> No. Update_rules builds the final cdb file by concatenating the static
> addresses in the file specified by TCP_FILE and the dynamic addresses
> either from a database or file. This patch only excludes the
> static addresses. If you are already allowed in by a static entry,
> don't bother to manage your dynamic entry...
>

That is correct - this patch actually helps eliminate race conditions by reducing the frequency of CDB update. Because an address that is covered by a static rule will never be overridden by a dynamic one (since tcpserver is supposed to use the first rule it finds), this won't impact the security of the CDB. If it's denied, you'd never connect in the first place, and if it's allowed it's already allowed and the dynamic rule should never get matched.

The reason I say "should" instead of "will" is that that's what the documentation states. I just tested and that's not what actually happens - it takes the best match. So there is one potential problem with this (though I consider it minimal) - if you have a rule that doesn't include the 'RELAYCLIENT=""' and/or 'RBLSMTPD=""', you may end up getting denied if you're depending on pop-before-smtp. However, IMHO SMTP-AUTH should be used instead as it's both more reliable and more secure, but not everyone pushes that. So there may be unintended consequences with this patch...

I'm not sure how to best address it, but I see 3 choices: 1) exclude the patch from the main tree but publish it as an add-on (not great); 2) include the patch and document the changes in how the CDB is built and works (better, but may cause breakage for some people); or 3) put the code inside an #ifdef and make it a configure option (I'd enable it by default, but it could go either way). I know nothing about configure, so I'm not sure how to do it, but I'd guess it's pretty simple to change...

Anyway, those are my thoughts on how it works and the potential consequences of the patch...

Josh
--
Joshua Megerman
SJGames MIB #5273 - OGRE AI Testing Division
You can't win; You can't break even; You can't even quit the game.
- Layman's translation of the Laws of Thermodynamics
[EMAIL PROTECTED]
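To make the "best match" concern above concrete, here is an added Python model (not code from vpopmail or from anyone in this thread) of how a tcprules-style CDB is consulted and of what the patch stops writing. The lookup order (exact IP, then shorter dotted prefixes, then the empty default key), the reading of "statically covered" as "some static rule already matches the address", and the sample rule sets are all assumptions made for the illustration.

```python
from typing import Dict, Optional

def lookup(rules: Dict[str, str], ip: str) -> Optional[str]:
    """Most-specific-first lookup (assumed tcprules order):
    full IP, then '1.2.3.', '1.2.', '1.', then the catch-all ''."""
    parts = ip.split(".")
    keys = [ip] + [".".join(parts[:n]) + "." for n in (3, 2, 1)] + [""]
    for key in keys:
        if key in rules:
            return rules[key]
    return None

def build_cdb(static: Dict[str, str], dynamic: Dict[str, str],
              skip_static_covered: bool) -> Dict[str, str]:
    """Model of update_rules: static entries first, then dynamic
    pop-before-smtp entries. With the patch, a dynamic entry is dropped
    when any static rule would already match that address (assumption)."""
    rules = dict(static)
    for ip, rule in dynamic.items():
        if skip_static_covered and lookup(static, ip) is not None:
            continue
        rules.setdefault(ip, rule)  # cdb: first entry wins for a duplicate key
    return rules

def may_relay(rules: Dict[str, str], ip: str) -> bool:
    """Relaying needs an 'allow' rule that also sets RELAYCLIENT."""
    rule = lookup(rules, ip)
    return rule is not None and rule.startswith("allow") and 'RELAYCLIENT=""' in rule

# Constructed sample rule sets: a LAN allow rule without RELAYCLIENT (the
# problem case), the same rule with RELAYCLIENT, and one dynamic entry.
STATIC_NO_RELAY = {"192.168.": "allow", "": "allow"}
STATIC_WITH_RELAY = {"192.168.": 'allow,RELAYCLIENT=""', "": "allow"}
DYNAMIC = {"192.168.1.5": 'allow,RELAYCLIENT="",RBLSMTPD=""'}

def scenario(static: Dict[str, str], patched: bool) -> bool:
    """Can 192.168.1.5 relay after its POP pickup, with/without the patch?"""
    return may_relay(build_cdb(static, DYNAMIC, patched), "192.168.1.5")

if __name__ == "__main__":
    for name, static in (("no RELAYCLIENT", STATIC_NO_RELAY),
                         ("with RELAYCLIENT", STATIC_WITH_RELAY)):
        print(f"static rule {name}: unpatched={scenario(static, False)}, "
              f"patched={scenario(static, True)}")
```

The drop in the first case (unpatched relays, patched does not) is exactly the breakage described above; a static rule that already carries RELAYCLIENT="" behaves the same either way.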