
access maps for smtpd_client_event_limit_exceptions


Will Yardley
Jul 21, 2014, 5:25:09 PM
We have:
smtpd_client_event_limit_exceptions = 192.168.0.0/16,127.0.0.1,cidr:/etc/postfix/config/white_list,hash:/etc/postfix/config/white_list_internal_servers,hash:/etc/postfix/config/anvil_whitelist

configured for Anvil. The last file is for rate-limiting exemptions
only, whereas the other 2 are used for whitelisting in other places.

I thought that, for networks that fall on classful boundaries, for
example, /24s, I could just do [in /etc/postfix/config/anvil_whitelist]
10.0.0.5 OK
172.16.34 OK

or
172.16.34. OK

However, with either notation, messages with an IP falling within
(e.g.,) 172.16.34.0/24 seem to be getting rate-limited.

This is Postfix 2.3.3 on RHEL 5.

Adding the network in question to the CIDR map, in CIDR format, seems to
work as expected, but just wondering if there's a way to get the
expected behavior without adding an additional file and making our
config even more convoluted.

w

Noel Jones
Jul 21, 2014, 5:42:57 PM
This isn't an access map, and doesn't have the network notation
searches built into access maps. See the docs on mynetworks for the
syntax supported here:
http://www.postfix.org/postconf.5.html#mynetworks

It might be easiest to use a flat file, which allows both names and
networks, rather than a hash: or cidr: table.




-- Noel Jones

Will Yardley
Jul 21, 2014, 6:13:41 PM
On Mon, Jul 21, 2014 at 04:42:57PM -0500, Noel Jones wrote:
>
> It might be easiest to use a flat file, which allows both names and
> networks, rather than a hash: or cidr: table.

Thanks - I think this is how it was set up at one point, and that
explains why.

w

Will Yardley
Jul 25, 2014, 12:01:31 AM
On Mon, Jul 21, 2014 at 04:42:57PM -0500, Noel Jones wrote:
> This isn't an access map, and doesn't have the network notation
> searches built into access maps. See the docs on mynetworks for the
> syntax supported here:
> http://www.postfix.org/postconf.5.html#mynetworks
>
> It might be easiest to use a flat file, which allows both names and
> networks, rather than a hash: or cidr: table.

http://www.postfix.org/postconf.5.html#mynetworks doesn't seem to
mention in much detail what types of host patterns are recognized or how
they're parsed. We've always had it as:

foo.example.edu

.gmail.com
.example.com

Am I correct in understanding that matching hostnames this way is
kosher?

w

Wietse Venema
Jul 25, 2014, 6:59:16 AM
Will Yardley:
> On Mon, Jul 21, 2014 at 04:42:57PM -0500, Noel Jones wrote:
> > This isn't an access map, and doesn't have the network notation
> > searches built into access maps. See the docs on mynetworks for the
> > syntax supported here:
> > http://www.postfix.org/postconf.5.html#mynetworks
> >
> > It might be easiest to use a flat file, which allows both names and
> > networks, rather than a hash: or cidr: table.
>
> http://www.postfix.org/postconf.5.html#mynetworks doesn't seem to
> mention in much detail what types of host patterns are recognized or how
> they're parsed. We've always had it as:

There are no host patterns therefore they are not implemented.

Wietse

Wietse Venema
Jul 25, 2014, 7:42:59 AM
Wietse Venema:
> Will Yardley:
> > On Mon, Jul 21, 2014 at 04:42:57PM -0500, Noel Jones wrote:
> > > This isn't an access map, and doesn't have the network notation
> > > searches built into access maps. See the docs on mynetworks for the
> > > syntax supported here:
> > > http://www.postfix.org/postconf.5.html#mynetworks
> > >
> > > It might be easiest to use a flat file, which allows both names and
> > > networks, rather than a hash: or cidr: table.
> >
> > http://www.postfix.org/postconf.5.html#mynetworks doesn't seem to
> > mention in much detail what types of host patterns are recognized or how
> > they're parsed. We've always had it as:
>
> There are no host patterns therefore they are not implemented.

Actually, behavior depends on the parent_domain_matches_subdomains
setting. The default setting includes mynetworks, meaning that
example.com will match host.example.com by default. With mynetworks
removed from parent_domain_matches_subdomains, .example.com
will match host.example.com.

parent_domain_matches_subdomains is a feature that was meant to
become empty over time.

Wietse

Wietse Venema
Jul 25, 2014, 7:57:45 AM
Wietse Venema:
I'll add some documentation to the text for mynetworks (adding a
pointer to parent_domain_matches_subdomains) and to the text for
parent_domain_matches_subdomains (describing which features it
controls).

Currently, parent_domain_matches_subdomains does not control the
behavior of smtpd_client_event_limit_exceptions. I'll fix that.

Since smtpd_client_event_limit_exceptions is meant to be similar
to mynetworks, it should behave in the same manner. There are already
a few features that borrow their parent-domain matching behavior
from mynetworks.

Wietse

Will Yardley
Jul 25, 2014, 9:43:06 AM
> Actually, behavior depends on the parent_domain_matches_subdomains
> setting. The default setting includes mynetworks, meaning that
> example.com will match host.example.com by default. With mynetworks
> removed from parent_domain_matches_subdomains, .example.com
> will match host.example.com.

Ah, Ok.

On the current system (running 2.3.3), it does seem to behave as
expected (e.g., I've got .google.com and .gmail.com, and I'm not
throttling Gmail, which I'm sure would happen instantly if it wasn't
matching).

$mynetworks is in $parent_domain_matches_subdomains:

$ postconf parent_domain_matches_subdomains
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps

Thanks -- it's very helpful to understand *why* this works.

w

Wietse Venema
Jul 25, 2014, 10:09:08 AM
Will Yardley:
> > Actually, behavior depends on the parent_domain_matches_subdomains
> > setting. The default setting includes mynetworks, meaning that
> > example.com will match host.example.com by default. With mynetworks
> > removed from parent_domain_matches_subdomains, .example.com
> > will match host.example.com.
>
> Ah, Ok.

More precisely, smtpd_client_event_limit_exceptions is not listed
in parent_domain_matches_subdomains (and listing it there has no
effect because there is no code that implements it).

So the present behavior is as if smtpd_client_event_limit_exceptions
is not listed in parent_domain_matches_subdomains. It borrows the
general syntax of mynetworks, but it does not borrow its parent
domain matching behavior.

So I cannot suddenly change smtpd_client_event_limit_exceptions
to behave exactly as mynetworks, because that would break existing
systems.

> On the current system (running 2.3.3), it does seem to behave as
> expected (e.g., I've got .google.com and .gmail.com, and I'm not
> throttling Gmail, which I'm sure would happen instantly if it wasn't
> matching).
>
> $mynetworks is in $parent_domain_matches_subdomains:
>
> $ postconf parent_domain_matches_subdomains
> parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
>
> Thanks -- it's very helpful to understand *why* this works.

And this part of Postfix was under-documented.

I just checked with other features that borrow from mynetworks.
The postscreen_access_list feature has a permit_mynetworks sub-feature.
This has its own parent_domain_matches_subdomains setting.

So in the end I have done the same for smtpd_client_event_limit_exceptions.
It now has its own parent_domain_matches_subdomains setting. This
avoids breaking compatibility with existing configurations.

Updated documentation fragments are below.

Wietse

smtpd_client_event_limit_exceptions (default: $mynetworks)
Clients that are excluded from smtpd_client_*_count/rate_limit
restrictions. See the mynetworks parameter description for the parameter
value syntax.

...

Pattern matching of domain names is controlled by the presence or
absence of "smtpd_client_event_limit_exceptions" in the
parent_domain_matches_subdomains parameter value (Postfix 2.12 and later).

This feature is available in Postfix 2.2 and later.

parent_domain_matches_subdomains (default: see postconf -d output)
What Postfix features match subdomains of "domain.tld" automatically,
instead of requiring an explicit ".domain.tld" pattern. This is
planned backwards compatibility: eventually, all Postfix features are
expected to require explicit ".domain.tld" style patterns when you
really want to match subdomains.

The following Postfix feature names are supported.

Postfix version 1.0 and later
debug_peer_list, fast_flush_domains, mynetworks,
permit_mx_backup_networks, relay_domains, transport_maps

Postfix version 1.1 and later
qmqpd_authorized_clients, smtpd_access_maps,

Postfix version 2.8 and later
postscreen_access_list

Postfix version 2.12 and later
smtpd_client_event_limit_exceptions

Will Yardley
Jul 25, 2014, 12:50:33 PM
On Fri, Jul 25, 2014 at 10:09:08AM -0400, Wietse Venema wrote:
> Will Yardley:

> > > Actually, behavior depends on the parent_domain_matches_subdomains
> > > setting.

> So the present behavior is as if smtpd_client_event_limit_exceptions
> is not listed in parent_domain_matches_subdomains. It borrows the
> general syntax of mynetworks, but it does not borrow its parent
> domain matching behavior.
[...]

> What Postfix features match subdomains of "domain.tld"
> automatically, instead of requiring an explicit
> ".domain.tld" pattern. This is planned backwards
> compatibility: eventually, all Postfix features are expected
> to require explicit ".domain.tld" style patterns when you
> really want to match subdomains.

Ah, but in my case, I am using '.domain.tld' vs. 'domain.tld', so I
guess my original question really was, does .domain.tld match subdomains
for $mynetworks / $smtpd_client_event_limit_exceptions when specified in
that way?

The docs for $mynetworks mention hostnames, but don't really give any
specific examples.

w

Wietse Venema
Jul 25, 2014, 5:22:58 PM
Will Yardley:
> Ah, but in my case, I am using '.domain.tld' vs. 'domain.tld', so I
> guess my original question really was, does .domain.tld match subdomains
> for $mynetworks / $smtpd_client_event_limit_exceptions when specified in
> that way?

In the case of mynetworks, it depends on the presence or absence of
"mynetworks" in the parent_domain_matches_subdomains parameter value.

In the case of smtpd_client_event_limit_exceptions, it depends on
the presence or absence of "smtpd_client_event_limit_exceptions"
in the parent_domain_matches_subdomains parameter value (Postfix
2.12 as of today). Earlier Postfix versions behave as if
"smtpd_client_event_limit_exceptions" is not present.

Wietse
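The matching rules this thread converges on, written out as an added Python model. It is not Postfix source and not code from anyone on the list: the hash: and cidr: files named in the first post are replaced with constructed in-line stand-ins, and the lookup keys it tries for a client name (bare parent domains when the feature is listed in parent_domain_matches_subdomains, dotted ones otherwise) are this model's reading of the thread, not something it quotes from Postfix. It shows why "172.16.34 OK" in a hash: table never exempts 172.16.34.7 while the same network in a cidr: table does, and how the "domain.tld" versus ".domain.tld" question depends on the parent_domain_matches_subdomains setting.

```python
"""Model of how a mynetworks-style client list is matched.

Added example, not Postfix source: it follows the behaviour described in
the thread (bare IP and network/prefix patterns, exact-key hash: lookups,
cidr: tables, and 'domain.tld' / '.domain.tld' patterns whose subdomain
matching depends on parent_domain_matches_subdomains).
"""
import ipaddress
import re

# Constructed stand-ins for the hash:/cidr: files named in the thread.
HASH_TABLES = {
    "/etc/postfix/config/anvil_whitelist": {
        "10.0.0.5": "OK",
        "172.16.34": "OK",     # classful shorthand: never equals a full address
        "172.16.34.": "OK",
        ".gmail.com": "OK",
    },
}
CIDR_TABLES = {
    "/etc/postfix/config/white_list": [("172.16.34.0/24", "OK")],
}


def name_candidates(client_name, parent_matches_subdomains):
    """Lookup keys tried for a client name: the full name, then each parent
    domain.  When the feature is listed in parent_domain_matches_subdomains
    the parent keys are bare ('example.com'); otherwise they carry the
    explicit leading dot ('.example.com').  This split is the model's
    assumption about how the two modes differ."""
    host = client_name.lower().rstrip(".")
    labels = host.split(".")
    keys = [host]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    return keys


def address_matches(addr, pattern):
    """Bare IP ('127.0.0.1') or network/prefix ('192.168.0.0/16') pattern."""
    try:
        return addr in ipaddress.ip_network(pattern, strict=False)
    except ValueError:          # not an address pattern at all
        return False


def client_is_exempt(client_ip, client_name, exceptions,
                     parent_matches_subdomains=False):
    """True when the client matches the exceptions list.

    parent_matches_subdomains defaults to False because, as the thread
    establishes, smtpd_client_event_limit_exceptions did not borrow the
    parent-domain behaviour of mynetworks before Postfix 2.12."""
    addr = ipaddress.ip_address(client_ip)
    keys = name_candidates(client_name, parent_matches_subdomains)
    for item in re.split(r"[,\s]+", exceptions.strip()):
        if not item:
            continue
        if item.startswith("hash:"):
            # hash: tables are keyed by the exact lookup string, so the
            # entry '172.16.34' is never found for client 172.16.34.7.
            table = HASH_TABLES[item[len("hash:"):]]
            if str(addr) in table or any(k in table for k in keys):
                return True
        elif item.startswith("cidr:"):
            for net, _result in CIDR_TABLES[item[len("cidr:"):]]:
                if addr in ipaddress.ip_network(net, strict=False):
                    return True
        elif address_matches(addr, item) or item.lower() in keys:
            return True
    return False


# The list from the original post, with and without the cidr: table.
EXCEPTIONS = "192.168.0.0/16,127.0.0.1,hash:/etc/postfix/config/anvil_whitelist"
EXCEPTIONS_WITH_CIDR = EXCEPTIONS + ",cidr:/etc/postfix/config/white_list"

if __name__ == "__main__":
    for ip, name, lst in [
        ("172.16.34.7", "mx.example.net", EXCEPTIONS),            # rate-limited
        ("172.16.34.7", "mx.example.net", EXCEPTIONS_WITH_CIDR),  # exempt
        ("10.0.0.5", "mx.example.net", EXCEPTIONS),               # exact key
        ("203.0.113.9", "mail-ab.gmail.com", EXCEPTIONS),         # .gmail.com
    ]:
        status = "exempt" if client_is_exempt(ip, name, lst) else "limited"
        print(ip, name, status)
```

On a live system the same distinction can be checked with postmap: `postmap -q 172.16.34.7 hash:/etc/postfix/config/anvil_whitelist` prints nothing because the key is compared as a whole string, while `postmap -q 172.16.34.7 cidr:/etc/postfix/config/white_list` prints OK. `postconf parent_domain_matches_subdomains` shows which features currently get the bare "domain.tld" behaviour.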
