On Tue, 2015-03-17 at 14:21 -0700, Gordon Messmer wrote:
> You'll also need to upgrade to courier-pythonfilter 1.9, which I just
> uploaded. It fixes IPv6 lookups in the smtpaccess file, and also adds a
> rate-limit-by-network option.

Gordon, there's a bug in your network-aware logic in ratelimit.py in
courier-pythonfilter 1.9.

    sender = sender[:sender.rindex('.')]

... will simply chop off the last octet of the v4 IP address from the
return from courier.control.getSendersMta(controlFileList). The rest of
the string - the reverse res. of the full IP - prior to the IP address,
is retained, and this varies across individual IP addresses within the
/24 address group, so no match will succeed except for discrete single
addresses. The comparison must be made on the portion of this string
which is invariant across the /24 group. If you don't like reg
expressions,

    sender = sender[sender.rindex("["):sender.rindex('.')]

will accomplish this. I don't know about the logic for v6 addresses, but
I suspect that the sender string for these addresses may require a
similar treatment.

I would also suggest that retaining the full original string returned
from getSendersMta() and returning this from the module is a good idea
for a couple of reasons.

First, it's useful for mail administrative work to log the full IP and
its reverse resolution which is included in the original string. Logging
in general shouldn't reflect modifications to data which are made
internally in code to make it work right for the code.

Second, simply returning the first three octets of the IP address
effectively says to spammers, "hey, we're rate limiting on your entire
/24 network". I'm sure they'll figure this out soon enough anyway and
develop workarounds, but there's no sense in advertising it.

To this end, the string that's computed to contain a unique identifier
for the /24 network, and stored as the 2nd level key in the _senders
dict must have a unique variable identifier other than that to which the
original return from getSendersMta is assigned.

Thanks for giving attention to the network ratelimit issue.

-- 
Lindsay Haisley       | "UNIX is user-friendly, it just
FMP Computer Services |       chooses its friends."
512-259-1190          |          -- Andreas Bogk
http://www.fmp.com    |
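
Added example (not part of the original message and not courier-pythonfilter's own code): the two slicing expressions quoted above, run over constructed sender strings, next to a hypothetical network_key() helper that goes beyond the /24 case by parsing the bracketed address with the standard ipaddress module, so IPv6 is covered too. The "reverse-name [ip]" layout of the samples and the /64 IPv6 prefix are assumptions.

```python
import ipaddress

# Constructed sample values in an assumed "reverse-name [ip]" layout; the
# real getSendersMta() return value may differ in detail.
SAMPLES = [
    "dns; mx1.example.net (mx1.example.net [192.0.2.10])",
    "dns; mx2.example.net (mx2.example.net [192.0.2.77])",
    "dns; v6.example.org (v6.example.org [2001:db8:1:2::25])",
    "dns; v6b.example.org (v6b.example.org [2001:db8:1:2:aaaa::9])",
]


def key_v19(sender):
    """Key produced by the 1.9 expression quoted in the message."""
    return sender[:sender.rindex('.')]


def key_bracket(sender):
    """Key produced by the replacement expression quoted in the message."""
    return sender[sender.rindex("["):sender.rindex('.')]


def network_key(sender, v4_prefix=24, v6_prefix=64):
    """Hypothetical helper: key on the network of the bracketed address.

    Returns (key, original); the untouched original stays available for
    logging and for the filter's return value, the key is internal only.
    """
    addr_text = sender[sender.rindex("[") + 1:sender.rindex("]")]
    addr = ipaddress.ip_address(addr_text)
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        # ::ffff:a.b.c.d is an IPv4 peer seen on a dual-stack socket
        addr = mapped
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net), sender


if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(key_v19(s)), repr(key_bracket(s)), network_key(s)[0])
```

With these samples the bracket-based slice yields an empty key for the IPv6 senders, because the last '.' in the string sits before the '[', so every IPv6 sender would share a single rate-limit bucket.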