RE: Parent domains confusion?

RE: Parent domains confusion?

MacShane, Tracy
This is following on from an earlier thread, where I identified a problem
with an access map apparently not working correctly (and not passing
through all mail from .gov.au hosts)

>
> On Fri, Mar 28, 2008 at 10:19:42AM +1100, MacShane, Tracy wrote:
>
> > I'm a bit stumped as to what's going on with one of my client access
> > maps. The objective is to have all ".gov.au" hosts from all subdomains
> > exempt from the majority of our smtpd_*_restrictions checks.
> >  
> > Postfix version is 2.2.10
> > parent_domain_matches_subdomains = debug_peer_list,
> > fast_flush_domains, mynetworks, permit_mx_backup_networks,
> > qmqpd_authorized_clients, relay_domains, smtpd_access_maps
>

Viktor suggested I had a mismatch between a leading dot for the key and
the parent_domain_matches_subdomains parameter that included
smtpd_access_maps. This was actually due to a bad troubleshooting
attempt on my behalf.

The access map is as follows:
--- client_access ---
# All .gov.au addresses
gov.au                 OK
[...]
# rr.com - zombie machines
res.rr.com              REJECT Rejected due to zombie attacks
# more zombie spammers
neoplus.adsl.tpnet.pl   REJECT
internetdsl.tpnet.pl    REJECT
[...]
-------

Now, given the custom response message I have for rr.com hosts, it
appears that the access map is in fact working correctly.

May  2 17:05:03 smtp3 postfix/smtpd[14450]: NOQUEUE: reject: RCPT from
cpe-74-76-15-20.nycap.res.rr.com[24.90.217.53]: 554
<cpe-24-90-217-53.nyc.res.rr.com[24.90.217.53]>: Client host rejected:
Rejected due to zombie attacks; from=<[hidden email]>
to=<[hidden email]> proto=SMTP
helo=<cpe-24-90-217-53.nyc.res.rr.com>

However, if I try to query the access map using postmap -q, nothing is
returned:

[smtp3]# postmap -q "cpe-74-76-15-20.nycap.res.rr.com"
hash:/etc/postfix/client_access
[smtp3]#

This is driving me nuts, and evidently didn't help when I was trying to
troubleshoot the issue with the .gov.au hosts. Can anyone shed any light
on why postmap -q isn't returning the expected values? The server is
RHEL 4 ES, and it's the distribution's Postfix build. Running similar
queries on PCRE and CIDR maps works as expected (ie. values like REJECT
and OK are returned).

I'm certain that I didn't have any problems running the query on hashed
files in the past, but I can't pinpoint a date when it changed (the
hashed lookups don't change that often).

Thanks for any ideas on where to start looking, or bashings with the
cluebat.

Tracy

Re: Parent domains confusion?

Wietse Venema
MacShane, Tracy:

> However, if I try to query the access map using postmap -q, nothing is
> returned:
>
> [smtp3]# postmap -q "cpe-74-76-15-20.nycap.res.rr.com"
> hash:/etc/postfix/client_access
> [smtp3]#
>
> This is driving me nuts, and evidently didn't help when I was trying to
> troubleshoot the issue with the .gov.au hosts. Can anyone shed any light
> on why postmap -q isn't returning the expected values? The server is
> RHEL 4 ES, and it's the distribution's Postfix build. Running similar
> queries on PCRE and CIDR maps works as expected (ie. values like REJECT
> and OK are returned).

The behavior of PCRE/CIDR maps is documented in the access table.

The postmap -q command does not generate subnet or parent domain queries.

If I find the time I may add postmap options to simulate subnet/parent
domain queries; I recently added command-line options to simulate
header_checks (multi-line) and body_checks queries, but I can't
implement everything before people need it.

In the end, the substring query magic needs to be implemented as
reusable functions, so that it can be reused in postmap, instead
of being duplicated there.

        Wietse
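
The following is an added example, not part of the original posts and not Postfix code: a shell sketch that issues the parent-domain queries which `postmap -q` does not generate, one key at a time. The function names and the `LOOKUP` override are hypothetical; the key order follows the domain patterns described in access(5), and only hostname keys are covered (smtpd also tries the client IP address and its subnets).

```shell
#!/bin/sh
# Added example: walk the parent domains of a client hostname and query an
# access table for each key, as a stand-in for the lookups smtpd performs.

# parent_domain_keys HOSTNAME [STYLE]
#   STYLE=parent  smtpd_access_maps is listed in
#                 parent_domain_matches_subdomains (keys like "gov.au")
#   STYLE=dot     it is not listed (keys like ".gov.au")
parent_domain_keys() {
    host=$1
    style=${2:-parent}
    printf '%s\n' "$host"                  # the exact name is tried first
    rest=$host
    while [ "$rest" != "${rest#*.}" ]; do  # loop while a dot remains
        rest=${rest#*.}                    # strip the leftmost label
        [ -n "$rest" ] || break            # ignore a trailing dot
        if [ "$style" = dot ]; then
            printf '.%s\n' "$rest"
        else
            printf '%s\n' "$rest"
        fi
    done
}

# simulate_access_lookup HOSTNAME TABLE [STYLE]
#   Prints "key: value" for the first key that matches and returns 0;
#   returns 1 when no key matches. LOOKUP (hypothetical override) replaces
#   "postmap -q" so the walk can be exercised without Postfix installed.
simulate_access_lookup() {
    for key in $(parent_domain_keys "$1" "${3:-parent}"); do
        if value=$(${LOOKUP:-postmap -q} "$key" "$2"); then
            printf '%s: %s\n' "$key" "$value"
            return 0
        fi
    done
    return 1
}

# Usage on the mail server, with the table from this thread:
#   simulate_access_lookup cpe-74-76-15-20.nycap.res.rr.com \
#       hash:/etc/postfix/client_access
```

The output names the key that matched, which shows whether an OK or REJECT came from the intended parent-domain entry or from a more specific one earlier in the walk.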

RE: Parent domains confusion?

MacShane, Tracy
 

> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of Wietse Venema
> Sent: Friday, 2 May 2008 9:10 PM
> To: MacShane, Tracy
> Cc: [hidden email]
> Subject: Re: Parent domains confusion?
>
> MacShane, Tracy:
> > However, if I try to query the access map using postmap -q, nothing is
> > returned:
> >
> > [smtp3]# postmap -q "cpe-74-76-15-20.nycap.res.rr.com"
> > hash:/etc/postfix/client_access
> > [smtp3]#
> >
> > ...
> > Running similar queries on PCRE and CIDR maps works as expected (ie.
> > values like REJECT and OK are returned).
>
> The behavior of PCRE/CIDR maps is documented in the access table.
>
> The postmap -q command does not generate subnet or parent
> domain queries.
>
> If I find the time I may add postmap options to simulate
> subnet/parent domain queries; I recently added command-line
> options to simulate header_checks (multi-line) and
> body_checks queries, but I can't implement everything before
> people need it.
>
> In the end, the substring query magic needs to be implemented
> as reusable functions, so that it can be reused in postmap,
> instead of being duplicated there.
>
> Wietse
>

That's great; thanks for the explanation. If a method of simulating a
parent domains lookup becomes available, that would be fantastic, but at
least it's the expected behaviour at present.

Tracy