[pfx] Re: Unexpected behavior of regexp table in check_sender_access directive

2024-02-14 Thread Jakob Cornell via Postfix-users 

Having 12x that text in the postconf masnpage would not help.


Certainly not, but I think there's a good middle ground. A more practical 
change would just make brief reference to the distinction. For example:


check_recipient_access type:table
Search the specified access(5) database for the resolved RCPT TO address 
(and for some tables domain, parent domains, and localpart@), and execute the 
corresponding action.


That way a newcomer knows to look for clarification on "some" if they intend to 
rely on a partial key lookup.

Another option is to remove the partial key enumeration from these descriptions 
entirely. It appears that some restriction types are already documented this 
way (e.g. check_client_mx_access).

Jakob
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

[pfx] Re: Unexpected behavior of regexp table in check_sender_access directive

2024-02-13 Thread Jakob Cornell via Postfix-users 

Hi Wietse,


I can add a debug log that a specific table is skipped for a specific name.


Ah yes, that's a better fix. That would take care of my confusion with the 
logging.

Do you have any thoughts on postconf(5) describing partial key lookups in the 
descriptions for check_*_access without mention of the indexed table type 
limitation?

Thanks for Postfix!
Jakob
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

[pfx] Re: Unexpected behavior of regexp table in check_sender_access directive

2024-02-12 Thread Jakob Cornell via Postfix-users 

The logging code lives outside the individual table drivers and with "_maps" 
parameters that support multiple tables, above any individual table lookup.


Oh I see. Well without rearchitecting the logging it seems this could be made 
more intuitive for the case where all of the maps in a sequence are skipped 
(e.g. my case with a single regexp table).

If I understand right the non-indexed skip is implemented by the 'continue' at 
global/maps.c:199, so a flag could be added to track whether execution has 
passed line 199 and if not, the log statement at 221 could be skipped.

Whether this would actually be a net benefit I'm not sure, but it seemed worth 
mentioning.


Some tables support partial keys, other do not, as documented under in 
regexp_table(5):


Ah, didn't see this before in the man page.

Thoughts on updating the documentation for check_recipient_access to mention 
the indexed/non-indexed distinction? Thoughts on more fully documenting which 
table types do partial key lookups?

Jakob
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

[pfx] Re: Unexpected behavior of regexp table in check_sender_access directive

2024-02-12 Thread Jakob Cornell via Postfix-users 

Thanks Viktor. I found what I believe you're referencing in the access(5) man 
page:


With lookups from indexed files such as DB or DBM,  or  from  networked
tables  such  as  NIS,  LDAP or SQL, patterns are tried in the order as
listed below:


Is this the only documentation explaining this distinction? It doesn't state 
which table types are indexed, and in the database readme only a few types are 
called out as indexed. (My testing indicates the 'inline' type is indexed, but 
I can't find mention of this in the documentation.)

While the documentation for 'check_recipient_access' in postconf(5) links to 
access(5), it doesn't mention the indexed table type distinction, implying the 
lookup sequence for indexed files is used regardless of the table type:


check_recipient_access type:table
Search the specified access(5) database for the resolved RCPT TO address, 
domain, parent domains, or localpart@, and execute the corresponding action.


And then there's the confusing logs from my original email which appear to show 
the full lookup sequence being done on a regexp table. My assumption is that 
the full lookup sequence is actually being processed, but individual lookups 
beyond the first one are being skipped without skipping the corresponding 
logging code.

Can we improve this so it's easier to get this right on the first try as a 
newcomer, and make it more clear what's happening at run time? It looks like a 
code change to skip the logging along with the actual table lookups might be in 
order, and some clarification in the docs. I'm happy to create patches for some 
docs changes at least if that's useful. Not sure what the contribution policy 
of the project is.

Jakob
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

[pfx] Unexpected behavior of regexp table in check_sender_access directive

2024-02-11 Thread Jakob Cornell via Postfix-users 

Hi folks,

I'm updating the configuration of my mail server and having problems with a 
regexp table. This is the relevant configuration in main.cf:

smtpd_recipient_restrictions =
check_sender_access regexp:/etc/postfix/db/sender_access_table
...

And /etc/postfix/db/sender_access_table:

/^jcornell\.net$/ reject_sender_login_mismatch, permit
/^m\.acorn\.ignorelist\.com$/ reject_sender_login_mismatch, permit

With this configuration when I attempt to send a test email from 
ja...@jcornell.net to an external address I see in the logs that the regexp 
lookup fails:

Feb 12 01:18:01 server postfix/smtpd[26577]: dict_regexp_lookup: 
/etc/postfix/db/sender_access_table: ja...@jcornell.net
Feb 12 01:18:01 server postfix/smtpd[26577]: maps_find: 
regexp:/etc/postfix/db/sender_access_table: ja...@jcornell.net: not found
Feb 12 01:18:01 server postfix/smtpd[26577]: maps_find: 
regexp:/etc/postfix/db/sender_access_table: jcornell.net: not found
Feb 12 01:18:01 server postfix/smtpd[26577]: maps_find: 
regexp:/etc/postfix/db/sender_access_table: net: not found
Feb 12 01:18:01 server postfix/smtpd[26577]: maps_find: 
regexp:/etc/postfix/db/sender_access_table: jakob@: not found
Feb 12 01:18:01 server postfix/smtpd[26577]: mail_addr_find: ja...@jcornell.net 
-> (not found)

Notice that I've used domain names in the table patterns, and one of the 
attempted lookups is with the domain from the address, as intended, but the 
lookup fails. However, the same lookup apparently succeeds when done using 
'postmap':

# postmap -q jcornell.net regexp:/etc/postfix/db/sender_access_table
reject_sender_login_mismatch, permit

My temporary workaround is to use an inline table instead:

check_sender_access inline:{ { jcornell.net=reject_sender_login_mismatch, 
permit }, { m.acorn.ignorelist.com=reject_sender_login_mismatch, permit } }

This works fine for ja...@jcornell.net, but my ultimate goal is to configure 
delivery for *.m.acorn.ignorelist.com too (arbitrary subdomain), and an inline 
table won't work for that. Could this be a bug in regexp table lookup?

Thanks,
Jakob
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org