Re: check_client_access

2022-04-30 Thread li...@lazygranch.com



On Sat, 30 Apr 2022 01:11:05 -0400
Viktor Dukhovni  wrote:

> On Sat, Apr 30, 2022 at 10:28:06AM +1000, raf wrote:
> 
> > > .domain.tld
> > >
> > > Matches subdomains of domain.tld, but only when the
> > > string smtpd_access_maps is not listed in the Postfix
> > > parent_domain_matches_subdomains configuration setting.
> > 
> > The .domain.tld notation only covers a single level of
> > subdomain,
> 
> This is false.  With non-regexp access(5) tables, each level of the
> domain hierarchy is tried in turn, all the way up to the TLD.
> 
> If "parent_domain_matches_subdomains" includes "smtpd_access_maps",
> then the parent domain keys are "dotless", otherwise all parent
> domain lookup keys start with a leading ".".
> 

Thanks. I will just use the TLD. At the moment I can't test their login
due to their system maintenance.

I gave siriusxm "bottom of the rung tech support" the "You're the
problem not me" lecture and said just get removed from any blocking
list. At the moment the zen.spamhaus.org blocking is gone. MXTOOLBOX
shows no blocking on the lists they check.

They are supposed to call me with the solution in a few days. It will be
interesting what story they give me. More interesting would be if they
thank me for pointing out the problem.


Re: Inconsistency between postconf(5) and IPV6_README

2022-04-30 Thread Wietse Venema
Pau Amma:
> On 2022-04-30 05:06, Viktor Dukhovni wrote:
> > On Sat, Apr 30, 2022 at 12:49:30AM +, Pau Amma wrote:
> > 
> >> I finally got around to this, or rather to the half that didn't have a
> >> mention of NO_IPV6. While there, I noticed a stray uppercase letter
> >> elsewhere (2x) and fixed that as well. Patch (generated from
> >> postfix-3.8-20220421) attached.
> > 
> > The source file for IPV6_README is: proto/IPV6_README.html
> > 
> >> +++ postfix-tmp/README_FILES/IPV6_README   2022-04-30 02:35:27.514645000 
> >> +0200
> > 
> > This is a derived file, and the patch should be against the "proto"
> > file.
> > 
> >> +++ postfix-tmp/proto/INSTALL.html 2022-04-30 02:40:25.455297000 +0200
> > 
> > This is the only "INSTALL" file to edit.
> 
> Revised patch per above. While in proto/IPV6_README.html, I tweaked the 
> link text in one spot for better screenreader accessibility per 
> https://webaim.org/techniques/hypertext/#alpha_links. (Other links there 
> or elsewhere in the documentation may need similar changes. Let me know 
> if you & WV want to do that yourselves.)

Thank you. I'm not familiar with 'screen reader tweaks'. Is this
for people with limited eyesight? I generally avoid many-word
links except in case of links to a heading.

Wietse


Re: check_client_access

2022-04-30 Thread Viktor Dukhovni
On Sat, Apr 30, 2022 at 08:55:54PM +1000, raf wrote:

> Ah yes, and access(5) says .domain.tld only matches
> subdomains when smtpd_access_maps is not in
> parent_domain_matches_subdomains, but it is there by
> default, so ".domain.tld" wouldn't work at all. It
> needs to be "domain.tld".

I generally override "parent_domain_matches_subdomains" to be empty,
and configure all "subtree" keys explicitly, at the cost of occasionally
having to add both "foo.example" and ".foo.example" lookup keys.

-- 
Viktor.


Re: check_client_access

2022-04-30 Thread raf
On Sat, Apr 30, 2022 at 01:11:05AM -0400, Viktor Dukhovni wrote:

> On Sat, Apr 30, 2022 at 10:28:06AM +1000, raf wrote:
> 
> > > .domain.tld
> > >
> > > Matches subdomains of domain.tld, but only when the
> > > string smtpd_access_maps is not listed in the Postfix
> > > parent_domain_matches_subdomains configuration setting.
> > 
> > The .domain.tld notation only covers a single level of
> > subdomain,
> 
> This is false.  With non-regexp access(5) tables, each level of the
> domain hierarchy is tried in turn, all the way up to the TLD.

Thanks for the correction. Multiple lookups is much
easier than what I thought was needed. That's not at
all how I interpreted access(5). When describing lookup
order, it mentions domain.tld matching subdomains (when
smtpd_access_maps is in parent_domain_matches_subdomains),
but I've always understood the term "subdomains" (in
other contexts) to only refer to a single level.

Multiple lookups is documented visually in the case of
network addresses (in HOST NAME/ADDRESS PATTERNS),
where it says:

  net.work.addr.ess
  net.work.addr
  net.work
  net

  net:work:addr:ess
  net:work:addr
  net:work
  net

Perhaps the domain version could be expanded from:

  domain.tld

to:

  sub.domain.tld
  domain.tld
  tld

That would make it clear that there are multiple
lookups happening on domain names at all levels.
Although it would have to somehow be made clear that
those multiple lookups don't apply to regexp-based
access tables. It's tricky to express all that.
Although the existing description in "REGULAR
EXPRESSION TABLES" would probably cover it, as it says
"Thus, no parent domain or parent network search is
done...". Currently, I think that sentence is the only
indication that there are multiple domain lookups in
non-regexp access tables. That fact could be made
more prominent.

> If "parent_domain_matches_subdomains" includes "smtpd_access_maps",
> then the parent domain keys are "dotless", otherwise all parent
> domain lookup keys start with a leading ".".

Ah yes, and access(5) says .domain.tld only matches
subdomains when smtpd_access_maps is not in
parent_domain_matches_subdomains, but it is there by
default, so ".domain.tld" wouldn't work at all. It
needs to be "domain.tld".

So, the rbl_override file only needs:

  siriusxm.com OK

or maybe:

  e.siriusxm.com OK

If all the good mail to be accepted only comes from
that subdomain.

> -- 
> Viktor.

cheers,
raf



Re: Inconsistency between postconf(5) and IPV6_README

2022-04-30 Thread Pau Amma

On 2022-04-30 05:06, Viktor Dukhovni wrote:
> On Sat, Apr 30, 2022 at 12:49:30AM +, Pau Amma wrote:
> 
>> I finally got around to this, or rather to the half that didn't have a
>> mention of NO_IPV6. While there, I noticed a stray uppercase letter
>> elsewhere (2x) and fixed that as well. Patch (generated from
>> postfix-3.8-20220421) attached.
> 
> The source file for IPV6_README is: proto/IPV6_README.html
> 
>> +++ postfix-tmp/README_FILES/IPV6_README	2022-04-30 02:35:27.514645000 
>> +0200
> 
> This is a derived file, and the patch should be against the "proto"
> file.
> 
>> +++ postfix-tmp/proto/INSTALL.html  2022-04-30 02:40:25.455297000 +0200
> 
> This is the only "INSTALL" file to edit.


Revised patch per above. While in proto/IPV6_README.html, I tweaked the 
link text in one spot for better screenreader accessibility per 
https://webaim.org/techniques/hypertext/#alpha_links. (Other links there 
or elsewhere in the documentation may need similar changes. Let me know 
if you & WV want to do that yourselves.)


--
#BlackLivesMatter #TransWomenAreWomen #AccessibilityMatters 
#StandWithUkrainians

English: he/him/his (singular they/them/their/theirs OK)
French: il/le/lui (iel/iel and ielle/ielle OK)
Tagalog: siya/niya/kaniya (please avoid sila/nila/kanila)

diff -ru postfix-3.8-20220421/proto/INSTALL.html postfix-tmp/proto/INSTALL.html
--- postfix-3.8-20220421/proto/INSTALL.html	2021-12-20 23:11:11.0 +0100
+++ postfix-tmp/proto/INSTALL.html	2022-04-30 02:40:25.455297000 +0200
@@ -837,7 +837,7 @@
 -DNO_IPV6   Do not build with IPv6
 support. By default, IPv6 support is compiled in on platforms that
 are known to have IPv6 support. Note: this directive is for debugging
-And testing only. It is not guaranteed to work on all platforms.
+and testing only. It is not guaranteed to work on all platforms.
 If you don't want IPv6 support, set "inet_protocols = ipv4" in
 main.cf.
  
diff -ru postfix-3.8-20220421/proto/IPV6_README.html postfix-tmp/proto/IPV6_README.html
--- postfix-3.8-20220421/proto/IPV6_README.html	2021-12-20 23:11:11.0 +0100
+++ postfix-tmp/proto/IPV6_README.html	2022-04-30 11:48:22.583354000 +0200
@@ -78,8 +78,8 @@
  On other platforms Postfix will simply use IPv4 as it has always
 done. 
 
- See below for tips how to port Postfix
-IPv6 support to other environments.  
+ See below for tips how to port Postfix
+IPv6 support to other environments.  
 
 Configuration
 
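Review bot: the removed and added lines of this hunk ("See below for tips how to port Postfix" / "IPv6 support to other environments.") are identical as shown, so the link-text change described in the message cannot be reviewed from this rendering; the anchor markup that carries the change is not visible. Since the sentence is being touched anyway, "tips how to port" would read better as "tips on how to port".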
@@ -127,6 +127,9 @@
  Note 2: on older Linux and Solaris systems, the setting
 "inet_protocols = ipv6" will not prevent Postfix from
 accepting IPv4 connections. 
+
+ Note 3: to pretend IPv6 isn't supported (for testing only), use the NO_IPV6
+compilation option. 
 
   The other new parameter is smtp_bind_address6.
 This sets the local interface address for outgoing IPv6 SMTP
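Review bot: the added Note 3 names the option as "NO_IPV6" and leaves out the caveats that the INSTALL.html text in this same patch attaches to it: there it is written "-DNO_IPV6", is described as "not guaranteed to work on all platforms", and readers who do not want IPv6 are pointed to "inet_protocols = ipv4". Suggest writing "-DNO_IPV6" here as well and adding the pointer to inet_protocols = ipv4, so that an operator who reads only IPV6_README does not take a debugging-only build flag as the way to turn IPv6 off.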