On Tue, 2008-03-04 at 16:19 -0600, Dan D Niles wrote:
> I have "%-out-%.google.com" in my whitelist_dnsname table to whitelist
> gmail. I periodically get complaints that a gmail user was blacklisted.
It wasn't easy, but I tracked the bug down. It is MUCH more serious
than I originally thought. You can skip down to the SOLUTION if you
are not interested in the details of the problem.
When policyd times out a mysql query, the query continues to run. Then
another query is issued, but when you retrieve the results, you are
actually getting the results from the timed out query. And this off by
one error propagates until it somehow corrects itself (still don't know
how it gets corrected). This behavior may be specific to MySQL >= 5.0.
MySQL 5.0 added handling for multiple results to queries.
I logged this sequence of events:
- A query to the triplet table timed out.
- The next query issued was a whitelist check. The query returned true,
but the site was NOT whitelisted. This was potentially a spam let
through.
- The next query was a whitelist check for a gmail server. It returned
false which was the result of the previous query.
- The next query was a whitelist_dnsname check for the same gmail
server. This query should return true, but it returned the result of
the previous query, which was false. This is how gmail wasn't getting
whitelisted when it should have been.
- The next query was a blacklist check. The gmail server is not
blacklisted, but the query returned true, which is the result of the
previous whitelist_dnsname check.
Once I knew what to look for, I saw this happening after every timeout.
There were other servers besides gmail that were being blacklisted when
they should have been whitelisted, and email being whitelisted that
should have been greylisted.
SOLUTION
---------
The only solution I found was to close and re-open the mysql connection
when policyd times out the query. Attached is a very simple patch for
version 1.82 that fixes the problem. I've tested it in production for
17 hours and it is working great. (Our policyd handles about 4 million
emails per day.)
--- mysql.c.orig 2008-03-07 10:39:34.000000000 -0600
+++ mysql.c 2008-03-07 10:41:38.000000000 -0600
@@ -70,6 +70,10 @@
/* unset the signal handler */
signal (SIGALRM, SIG_DFL);
+ /* Need to close and reconnect to the database */
+ mysql_close(mysql);
+ mysql = db_connect(MYSQLDBASE);
+
mysql_array[fd][0] = -1;
return (-1); /* failure */
}
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
policyd-users mailing list
policyd-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/policyd-users
