Re: serious bug with check_client_access

Thu, 04 Nov 2010 22:21:50 -0700 

Le 05/11/2010 00:04, Vincent Lefevre a écrit :

On 2010-11-04 17:18:17 +0100, mouss wrote:

otherwise, you can do whatever you want with pcre:
/\.example\.com$/        OK
or with sql or ldap.

For pcre, the man page is not clear. It says:

   Each  pattern  is  a  regular  expression that is applied to the entire
   string being looked up. Depending on the application, that string is an
   entire  client hostname, an entire client IP address, or an entire mail
   address.

But where is it described whether the string is an entire client
hostname, an entire client IP address, or an entire mail address?

According to your example, the string is an entire client hostname.
But then, this means that one cannot match IP addresses.
You need to read BOTH the doc of the map type AND the doc of what it is used for (access in this case). 

in short, for each map, you have multiple parameters:
- the map type
- the search context (check_client_access, check_sender_acces, ... transport, virtual_alias_maps, ... etc) 
- the list of search keys
for each combination, a "search list" is derived: for each key, sub-keys are derived (whether this occurs and how depends on the map type & context). 
and it is this search list that you need to grasp. so here is an example.
for check_client_access, the search keys are: the hostname and the IP (in that order). 
the sub-keys depend on the map type, so let's look at a few.
we assume the hostname is lab1.lab2.lab3.example.com and the IP is 1.2.3.4

[hash/cdb/...]
- if parent_domain_matches_subdomains contains smtpd_access: here, the search list is S = ( lab1.lab2.lab3.example.com, lab2.lab3.example.com, lab3.example.com ..., com, 1.2.3.4, 1.2.3, 1.2, 1 ) so postfix will search for each element of this set and stops as soon as a match is found.
- if parent_domain_matches_subdomains does not contains smtpd_access, then the search list becomes S = ( lab1.lab2.lab3.example.com, .lab2.lab3.example.com, .lab3.example.com ..., .com, 1.2.3.4, 1.2.3, 1.2, 1 ) 
note the leading dot before lab2, lab3, ...


[pcre/regexp]
with such maps, no subkeys are used. this means the search list is
    S = { lab1.lab2.lab3.example.com, 1.2.3.4 }

[cidr]
with cidr, only the IP is meaningful, so the set becomes
    S = { 1.2.3.4}
now if we were using check_helo_access, then it's as above except that there is no IP. and if we were about check_sender_access, then we only have one key (the email address) but may have many sub-keys.

Reply via email to