$ postconf postscreen_dnsbl_sites
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2,3,4..8,10..11]
postfix/postscreen[26161]: fatal: bad DNSBL filter syntax: need "," or "]" at "127.0.0.[2><"
Or to simplify the matter:
$ postconf postscreen_dnsbl_sites
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[3,4]
postfix/postscreen[25207]: fatal: bad DNSBL filter syntax: need "," or "]" at "127.0.0.[3><"
Without a filter or with just a plain dotted-quad it works normally.
This is postfix-2.8.0-RC2, FreeBSD, installed from ports mail/postfix-current
after adjusting the version of a filename and a checksum.
Mark
> $ postconf postscreen_dnsbl_sites
> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2,3,4..8,10..11]
>
> postfix/postscreen[26161]: fatal: bad DNSBL filter syntax: need "," or "]" at "127.0.0.[2><"
There is a parser issue here, since "," is both a valid separator between
list elements and a separator in the filter notation.
--
Viktor.
The problem is that the string ends in "[2".
As originally implemented in 2009, postscreen_dnsbl_sites uses the
comma as separator character. This was more than a year before the
pattern syntax was added, which uses comma as the "set" delimiter.
Of course I can't have an incompatible syntax change in a stable
release candidate, so this is going to require some workaround
(don't split on comma after open '[').
At least my effort to produce very precise syntax error reports
is paying off.
Wietse
Same error in the smtpd restrictions.
mail_version = 2.9-20110116
main.cf:
...
smtpd_client_restrictions =
    reject_rbl_client zen.spamhaus.org=127.0.0.[2,3]
maillog:
... postfix/smtpd[66721]: fatal: RBL reply error: need "," or "]" at "127.0.0.[2><"
-- Noel Jones
> On Tue, Jan 18, 2011 at 09:19:50PM +0100, Mark Martinec wrote:
>
> > $ postconf postscreen_dnsbl_sites
> > postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2,3,4..8,10..11]
> >
> > postfix/postscreen[26161]: fatal: bad DNSBL filter syntax: need "," or "]" at "127.0.0.[2><"
>
> There is a parser issue here, since "," is both a valid separator between
> list elements and a separator in the filter notation.
This is likely also a problem in smtpd(8) when parsing similar expressions
with "reject_rbl_client domain=filter".
--
Viktor.
A bit of context-sensitive parsing will handle this without breaking
existing configurations.
Wietse
Something along the lines of:
    /*
     * Workaround. The "," was already in use as dnsbl list separator.
     */
    for (keep = 0, cp = var_psc_dnsbl_sites; *cp; cp++) {
        if (*cp == '[') {
            keep++;
        } else if (*cp == ']' && keep > 0) {
            keep--;
        } else if (*cp == ',' && keep <= 0) {
            *cp = ' ';
        }
    }
    dnsbl_site = argv_split(var_psc_dnsbl_sites, ", \t\r\n");
> Something along the lines of:
>
>     /*
>      * Workaround. The "," was already in use as dnsbl list separator.
>      */
>     for (keep = 0, cp = var_psc_dnsbl_sites; *cp; cp++) {
>         if (*cp == '[') {
>             keep++;
>         } else if (*cp == ']' && keep > 0) {
>             keep--;
>         } else if (*cp == ',' && keep <= 0) {
>             *cp = ' ';
>         }
>     }
>     dnsbl_site = argv_split(var_psc_dnsbl_sites, ", \t\r\n");
Right, reasonably elegant, but with the split now on just " \t\r\n".
--
Viktor.
But having "," inside an access control feature is likely to
break third-party tools that maintain Postfix configuration files.
The alternative is to change the address filter syntax, and to
replace "," by a different set separator such as ";".
Wietse
2.9 is still release candidate. You could do that or does it break your rules?
p@rick
--
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
> But having "," inside an access control feature it is likely to
> break third-party tools that maintain Postfix configuration files.
>
> The alternative is to [modify] the address filter syntax, and to
> replace "," by a different set separator such as ";".
This is safer, if incompatible with the snapshots, but clearly not
too many folks have relied on the (non-working) syntax.
--
Viktor.
I meant 2.8.
The [x,x] syntax never worked in main.cf, so I can't break
configuration file compatibility by changing to [x;x].
But I would have to update a dozen regression tests that I wrote
for the code module that implements the address filter.
Wietse
This changes the syntax to:

postscreen_dnsbl_sites:
    Specify a list of domain=filter*weight entries, separated by comma or
    whitespace.

    o   When no "=filter" is specified, postscreen(8) will use any non-
        error DNSBL reply. Otherwise, postscreen(8) uses only DNSBL
        replies that match the filter. The filter has the form d.d.d.d,
        where each d is a number, or a pattern inside [] that contains
        one or more ";"-separated numbers or number..number ranges.
    ...

reject_rbl_client rbl_domain=d.d.d.d
    Reject the request when the reversed client network address is
    listed with the A record "d.d.d.d" under rbl_domain (Postfix
    version 2.1 and later only). Each "d" is a number, or a pattern
    inside "[]" that contains one or more ";"-separated numbers or
    number..number ranges (Postfix version 2.8 and later).
    ...

And likewise for all reject_*bl_* features.
Wietse
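
The separator clash discussed in this thread, and the two ways out of it (the bracket-aware split and the switch to ";" inside the set), as an added example that is not part of the original messages and is not Postfix source code. The helper split_sites(), its buffer sizes and the placeholder domain dnsbl.example are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TOK 8
#define TOK_LEN 64

/*
 * Hypothetical helper (not Postfix's argv_split): split a DNSBL site list
 * on "," and whitespace. With bracket_aware set, a "," inside [...] stays
 * in the token, as in the context-sensitive workaround discussed above.
 */
static int split_sites(const char *list, int bracket_aware,
                       char out[MAX_TOK][TOK_LEN])
{
    int depth = 0, n = 0;
    size_t len = 0;
    const char *cp;

    for (cp = list; ; cp++) {
        int is_sep = *cp == '\0' || strchr(" \t\r\n", *cp) != NULL
            || (*cp == ',' && !(bracket_aware && depth > 0));

        if (*cp == '[')
            depth++;
        else if (*cp == ']' && depth > 0)
            depth--;
        if (!is_sep) {                  /* ordinary character: append */
            if (n < MAX_TOK && len < TOK_LEN - 1)
                out[n][len++] = *cp;
            continue;
        }
        if (len > 0)                    /* separator: close current token */
            out[n++][len] = '\0';
        len = 0;
        if (*cp == '\0')
            return n;
    }
}

int main(void)
{
    /* Constructed sample values; dnsbl.example is a placeholder domain. */
    const char *comma = "zen.spamhaus.org=127.0.0.[2,3,4..8,10..11], dnsbl.example=127.0.0.2";
    const char *semi = "zen.spamhaus.org=127.0.0.[2;3;4..8;10..11], dnsbl.example=127.0.0.2";
    char tok[MAX_TOK][TOK_LEN];

    printf("plain split, ',' set: %d entries\n", split_sites(comma, 0, tok));
    printf("first entry: %s\n", tok[0]);    /* filter cut off after "[2" */
    printf("bracket-aware, ',' set: %d entries\n", split_sites(comma, 1, tok));
    printf("plain split, ';' set: %d entries\n", split_sites(semi, 0, tok));
    return 0;
}
```

The plain split hands the filter parser an entry ending in "[2", which is the string quoted in the fatal error at the top of the thread.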