On Tue, 2015-03-17 at 14:21 -0700, Gordon Messmer wrote:
> You'll also need to upgrade to courier-pythonfilter 1.9, which I just 
> uploaded.  It fixes IPv6 lookups in the smtpaccess file, and also adds a 
> rate-limit-by-network option.

Gordon, there's a bug in your network-aware logic in ratelimit.py in
courier-pythonfilter 1.9.

        sender = sender[:sender.rindex('.')] 

... will simply chop off the last octet of the v4 IP address from the
return from courier.control.getSendersMta(controlFileList).  The rest of
the string - the reverse res. of the full IP - prior to the IP address,
is retained, and this varies across individual IP addresses within
the /24 address group, so no match will succeed except for discrete
single addresses.

The comparison must be made on the portion of this string which is
invariant across the /24 group.  If you don't like reg expressions,

        sender = sender[sender.rindex("["):sender.rindex('.')]

will accomplish this.

I don't know about the logic for v6 addresses, but I suspect that the
sender string for these addresses may require a similar treatment.

I would also suggest that retaining the full original string returned
from getSendersMta() and returning this from the module is a good idea
for a couple of reasons.  First, it's useful for mail administrative
work to log the full IP and its reverse resolution which is included in
the original string.  Logging in general shouldn't reflect modifications
to data which are made internally in code to make it work right for the
code.  Second, simply returning the first three octets of the IP address
effectively says to spammers, "hey, we're rate limiting on your
entire /24 network".  I'm sure they'll figure this out soon enough
anyway and develop workarounds, but there's no sense in advertising it.

To this end, the string that's computed to contain a unique identifier
for the /24 network, and stored as the 2nd level key in the _senders
dict must have a unique variable identifier other than that to which the
original return from getSendersMta is assigned.

Thanks for giving attention to the network ratelimit issue.

-- 
Lindsay Haisley       | "UNIX is user-friendly, it just
FMP Computer Services |       chooses its friends."
512-259-1190          |          -- Andreas Bogk
http://www.fmp.com    |
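
The keying problem described in the message above, as an added example that is not part of the original email and is not courier-pythonfilter code. The sender strings are constructed and assume the shape `dns; helo (rdns [ip])`; `network_key`, `count_by_key`, and the /24 and /64 prefix lengths are hypothetical, and the IPv6 handling goes beyond what the message covers.

```python
import ipaddress
import re

# Constructed samples in the assumed shape "dns; helo (rdns [ip])"; not real log data.
SAMPLES = [
    "dns; mx1.example.net (mx1.example.net [192.0.2.10])",
    "dns; mx2.example.net (mx2.example.net [192.0.2.77])",
    "dns; relay.example.org (relay.example.org [198.51.100.5])",
]

def buggy_key(sender):
    # Slice quoted in the message: drops the last octet but keeps the rDNS text.
    return sender[:sender.rindex('.')]

def sliced_key(sender):
    # Slice suggested in the message: keeps only "[a.b.c".
    return sender[sender.rindex('['):sender.rindex('.')]

def network_key(sender, v4_prefix=24, v6_prefix=64):
    """Hypothetical helper: key on the network of the last bracketed address."""
    found = re.findall(r'\[([0-9A-Fa-f:.]+)\]', sender)
    if not found:
        return sender  # no bracketed address: fall back to the full string
    try:
        addr = ipaddress.ip_address(found[-1])
    except ValueError:
        return sender
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it wraps.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

def count_by_key(samples, key_func):
    """Count messages per key while keeping each original string for logging."""
    counts, originals = {}, {}
    for sender in samples:
        key = key_func(sender)  # separate name; sender itself is never modified
        counts[key] = counts.get(key, 0) + 1
        originals.setdefault(key, []).append(sender)
    return counts, originals

if __name__ == "__main__":
    for func in (buggy_key, sliced_key, network_key):
        print(func.__name__, count_by_key(SAMPLES, func)[0])
```
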

