Hi All,

I'd like to use a MySQL table to block some of the peer MTAs based on their IP
addresses by storing IP pools ('from' and 'to' addresses as unsigned integers,
using MySQL's INET_ATON() function) in MySQL as blocked IP ranges.

However I found a little problem in my solution:

As the access table readme states too, postfix with check_client_access will try
with various information, including A, A.B, A.B.C and A.B.C.D for a given
A.B.C.D IPv4 address. However it causes my query to produce "false
blockings", as MySQL's INET_ATON() will happily convert an "IP address" like
192.168 to some numeric value which often triggers a totally different
banned IP pool (the peer's IP address is not even in that pool, and should
not be blocked - but I did).

Now I have this ugly solution to work-around the problem (it seems to work
now ...):

query = SELECT policy AS qres FROM banned_clients WHERE INET_ATON('%s')
        BETWEEN ip_from AND ip_to AND
        '%s' REGEXP '^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$'

With the last REGEXP condition I want to be sure that the lookup-key is a
"normal" IP address and not some other.

Can I tell postfix somehow that I am interested in only the client IP's
check in my SQL table rather than trying to look up with other methods as
well? It would also save some wasted SQL queries to be sent to the MySQL
server, as lookups for A, A.B, A.B.C would never match with this query.

The relevant main.cf fragment:

smtpd_client_restrictions =
        [...]
        check_client_access mysql:/etc/postfix/banned_clients.sql,
        [...]

I have something similar with sender/rcpt check too; the situation is not so
serious there: my query would do the checking by itself for the whole
address and domain, at once (with one query), so I don't
need postfix to try to look up different information (which is redundant for
me this way), I only need a single lookup from postfix with the "full"
address (but according to the dox, it tries user@domain, domain.tld,
.domain.tld, and @user in sequence).  Unlike the previous situation with the
client check it does not cause false blockings (at least I hope so) but
still it generates unneeded lookups I would never use anyway.

My try (for senders, the same for recipient):

query = SELECT policy AS qres FROM banned_senders WHERE sender
        IN ('%s','%d')

Note: I am not even sure it works (I am busy with the client checks for
now), what postfix will do with specifying %s and %d in the same lookup.
Maybe it is a different issue by nature with lookups than the client check
problem of mine, above? If I am wrong with this one, please help me with
the client checks at least :) Thanks.

So in general: is it possible to inform postfix that I need only the
look-up key as-is with check_client_access, check_sender_access and
check_recipient_access without trying to look up only "part of the
information" of the look-up key?

Thanks in advance,

- Gábor
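
Added example (not part of the original post, and not Postfix or MySQL code): a Python model of the false match described above, using MySQL's short-form handling in INET_ATON(), where 'A.B' is read as A.0.0.B and 'A.B.C' as A.B.0.C. The table rows, the client address and the function names are constructed for illustration.

```python
import re

# Constructed sample rows of banned_clients: (ip_from, ip_to, policy)
BANNED = [
    (0xC0000064, 0xC00000C8, "REJECT"),  # 192.0.0.100 - 192.0.0.200
    (0x0A000000, 0x0A0000FF, "REJECT"),  # 10.0.0.0 - 10.0.0.255
]
DOTTED_QUAD = re.compile(r"[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")

def mysql_inet_aton(key):
    """Model of INET_ATON() for 1-4 decimal octets; None stands for NULL."""
    parts = key.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    if not all(re.fullmatch(r"[0-9]+", p) and int(p) <= 255 for p in parts):
        return None
    octets = [int(p) for p in parts]
    value = octets.pop()                # last octet always lands in the low byte
    for i, octet in enumerate(octets):
        value |= octet << (24 - 8 * i)  # leading octets fill from the top byte
    return value

def client_ip_keys(ip):
    """The address-derived keys from the post: A.B.C.D, A.B.C, A.B, A."""
    parts = ip.split(".")
    return [".".join(parts[:n]) for n in range(4, 0, -1)]

def matching_keys(client_ip, guarded):
    """Keys for which the query returns a row, without/with the REGEXP guard."""
    hits = []
    for key in client_ip_keys(client_ip):
        n = mysql_inet_aton(key)
        if n is None or (guarded and not DOTTED_QUAD.fullmatch(key)):
            continue
        hits += [(key, policy) for lo, hi, policy in BANNED if lo <= n <= hi]
    return hits

if __name__ == "__main__":
    for guarded in (False, True):
        print("guarded" if guarded else "unguarded",
              matching_keys("192.168.1.5", guarded))
```

The function lists every key that would return a row; in an actual lookup sequence the first key that returns a result decides the outcome.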
