[pfx] Re: Unexpected behavior of regexp table in check_sender_access directive

2024-02-14 Thread Jakob Cornell via Postfix-users 

Having 12x that text in the postconf masnpage would not help.


Certainly not, but I think there's a good middle ground. A more practical 
change would just make brief reference to the distinction. For example:


check_recipient_access type:table
Search the specified access(5) database for the resolved RCPT TO address 
(and for some tables domain, parent domains, and localpart@), and execute the 
corresponding action.


That way a newcomer knows to look for clarification on "some" if they intend to 
rely on a partial key lookup.

Another option is to remove the partial key enumeration from these descriptions 
entirely. It appears that some restriction types are already documented this 
way (e.g. check_client_mx_access).

Jakob
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

[pfx] Re: Unexpected behavior of regexp table in check_sender_access directive

2024-02-14 Thread Wietse Venema via Postfix-users 
Jakob Cornell via Postfix-users:
> Hi Wietse,
> 
> > I can add a debug log that a specific table is skipped for a specific name.
> 
> Ah yes, that's a better fix. That would take care of my confusion with the 
> logging.
> 
> Do you have any thoughts on postconf(5) describing partial key
> lookups in the descriptions for check_*_access without mention of
> the indexed table type limitation?

There are a dozen or more check_*_access features. Their descriptions
all link to the access(5) manpage that describes the table lookups.

Having 12x that text in the postconf masnpage would not help.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

[pfx] Re: Unexpected behavior of regexp table in check_sender_access directive

2024-02-13 Thread Jakob Cornell via Postfix-users 

Hi Wietse,


I can add a debug log that a specific table is skipped for a specific name.


Ah yes, that's a better fix. That would take care of my confusion with the 
logging.

Do you have any thoughts on postconf(5) describing partial key lookups in the 
descriptions for check_*_access without mention of the indexed table type 
limitation?

Thanks for Postfix!
Jakob
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

[pfx] Re: Unexpected behavior of regexp table in check_sender_access directive

2024-02-13 Thread Wietse Venema via Postfix-users 
Jakob Cornell via Postfix-users:
> If I understand right the non-indexed skip is implemented by the
> 'continue' at global/maps.c:199, so a flag could be added to track
> whether execution has passed line 199 and if not, the log statement
> at 221 could be skipped.

I can add a debug log that a specific table is skipped for a specific name.

for (map_name = maps->argv->argv; *map_name; map_name++) {
...
if (flags != 0 && (dict->flags & flags) == 0) {
if (msg_verbose)
msg_info("%s: %s: skipping %s lookup for %s",
 myname, maps->title, *map_name, name);
continue;
}
/* Seach this table for this key. Return after 'found' or error. */
}
/* Log "search aborted" after error, "not found" otherwise. */

There is no need for additional flags to distinguish between "skipped"
and "not found": "skipped" always applies to a single table instance,
while "not found" always applies to the table collection.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

[pfx] Re: Unexpected behavior of regexp table in check_sender_access directive

2024-02-12 Thread Jakob Cornell via Postfix-users 

The logging code lives outside the individual table drivers and with "_maps" 
parameters that support multiple tables, above any individual table lookup.


Oh I see. Well without rearchitecting the logging it seems this could be made 
more intuitive for the case where all of the maps in a sequence are skipped 
(e.g. my case with a single regexp table).

If I understand right the non-indexed skip is implemented by the 'continue' at 
global/maps.c:199, so a flag could be added to track whether execution has 
passed line 199 and if not, the log statement at 221 could be skipped.

Whether this would actually be a net benefit I'm not sure, but it seemed worth 
mentioning.


Some tables support partial keys, other do not, as documented under in 
regexp_table(5):


Ah, didn't see this before in the man page.

Thoughts on updating the documentation for check_recipient_access to mention 
the indexed/non-indexed distinction? Thoughts on more fully documenting which 
table types do partial key lookups?

Jakob
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

[pfx] Re: Unexpected behavior of regexp table in check_sender_access directive

2024-02-12 Thread Viktor Dukhovni via Postfix-users 
On Mon, Feb 12, 2024 at 09:05:12PM -0600, Jakob Cornell via Postfix-users wrote:

> Can we improve this so it's easier to get this right on the first try
> as a newcomer, and make it more clear what's happening at run time? It
> looks like a code change to skip the logging along with the actual
> table lookups might be in order, and some clarification in the docs.
> I'm happy to create patches for some docs changes at least if that's
> useful. Not sure what the contribution policy of the project is.

That'd be a layer-violation.  The logging code lives outside the
individual table drivers and with "_maps" parameters that support
multiple tables, above any individual table lookup.  It does not
make a lot of sense to push the logging down into each table.

Some tables support partial keys, other do not, as documented
under in regexp_table(5):

TABLE SEARCH ORDER
   Patterns are applied in the order as specified in the table,
   until a pattern is found that matches the input string.

   Each pattern is applied to the entire input string.  Depending on
   the application, that string is an entire client hostname, an
   entire client IP address, or an entire mail address.  Thus, no
   parent domain or parent network search is done, and user@domain
   mail addresses are not broken up into their user and domain
   constituent parts, nor is user+foo broken up into user and foo.

-- 
Viktor.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

[pfx] Re: Unexpected behavior of regexp table in check_sender_access directive

2024-02-12 Thread Jakob Cornell via Postfix-users 

Thanks Viktor. I found what I believe you're referencing in the access(5) man 
page:


With lookups from indexed files such as DB or DBM,  or  from  networked
tables  such  as  NIS,  LDAP or SQL, patterns are tried in the order as
listed below:


Is this the only documentation explaining this distinction? It doesn't state 
which table types are indexed, and in the database readme only a few types are 
called out as indexed. (My testing indicates the 'inline' type is indexed, but 
I can't find mention of this in the documentation.)

While the documentation for 'check_recipient_access' in postconf(5) links to 
access(5), it doesn't mention the indexed table type distinction, implying the 
lookup sequence for indexed files is used regardless of the table type:


check_recipient_access type:table
Search the specified access(5) database for the resolved RCPT TO address, 
domain, parent domains, or localpart@, and execute the corresponding action.


And then there's the confusing logs from my original email which appear to show 
the full lookup sequence being done on a regexp table. My assumption is that 
the full lookup sequence is actually being processed, but individual lookups 
beyond the first one are being skipped without skipping the corresponding 
logging code.

Can we improve this so it's easier to get this right on the first try as a 
newcomer, and make it more clear what's happening at run time? It looks like a 
code change to skip the logging along with the actual table lookups might be in 
order, and some clarification in the docs. I'm happy to create patches for some 
docs changes at least if that's useful. Not sure what the contribution policy 
of the project is.

Jakob
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

[pfx] Re: Unexpected behavior of regexp table in check_sender_access directive

2024-02-11 Thread Viktor Dukhovni via Postfix-users 
On Sun, Feb 11, 2024 at 07:42:24PM -0600, Jakob Cornell via Postfix-users wrote:

> smtpd_recipient_restrictions =
>   check_sender_access regexp:/etc/postfix/db/sender_access_table
>   ...

As documented regexp, pcre, ... tables don't do "partial key" lookups.
This is deliberate and correct behaviour.

> /^jcornell\.net$/ reject_sender_login_mismatch, permit

This is just the domain part of an address, and would match in an
indexed file or similar table, not in a regexp, pcre, ... table.


> This works fine for ja...@jcornell.net, but my ultimate goal is to
> configure delivery for *.m.acorn.ignorelist.com too (arbitrary
> subdomain),

See access(5).  In indexed files, domains by default also match
their sub-domains, but see:

https://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains

and preferably set it empty and then list:

access:
blocked.example REJECT
.blocked.exampleREJECT

> Could this be a bug in regexp table lookup?

Works as intended.

-- 
Viktor.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org