
Am I really using a CIDR map?


Robert Lopez

Apr 6, 2010, 12:39:57 PM
For some time I have been tracking changes to the access table with RCS.
Each time a change is made the "ci access" results in the removal of
the access file from /etc/postfix and leaving the
/etc/postfix.access.db file.

Today I tried to check in a cidr table named cidr-ip. Upon check-in
(and restart of postfix) I got this message in the maillog file:
Apr 6 10:12:57 mg05 postfix/smtpd[4632]: fatal: open
/etc/postfix/cidr-ip: No such file or directory

A "postmap -q <any-pattern-in-file> cidr-ip" returns the rest of the
matching line correctly.
An strace of "postmap -q <any-pattern> cidr-ip" shows it is the
cidr-ip.db file that is being read.

Why does postfix not like the source file being removed from the
/etc/postfix directory?

[root@mg05 postfix]$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = yes
biff = no
bounce_size_limit = 1
config_directory = /etc/postfix
default_process_limit = 400
header_checks = regexp:/etc/postfix/header_checks
inet_interfaces = all
mailbox_size_limit = 0
masquerade_domains = $mydomain, cnm.edu, nmvc.org, nmvirtualcollege.org
max_use = 100
message_size_limit = 16777216
mydestination = $myhostname, $mydomain,
localhost.localdomain, cnm.edu, mail.cnm.edu
myhostname = mg05.cnm.edu
mynetworks = 198.133.182.0/24, 198.133.181.0/24, 198.133.180.0/24,
172.16.0.0/12, 192.168.0.0/16, 10.0.0.0/8, 127.0.0.0/8
[::ffff:127.0.0.0]/104 [::1]/128
notify_classes = resource, software
readme_directory = no
recipient_delimiter = +
relay_domains = mg04.cnm.edu, mg05.cnm.edu, mg06.cnm.edu, nmvc.org,
mail.nmvc.org, mg04.nmvc.org, mg05.nmvc.org, mg06.nmvc.org,
nmvirtualcollege.org, mail.nmvirtualcollege.org,
mg04.nmvirtualcollege.org,mg05. nmvirtualcollege.org,
mg05.nmvirtualcollege.org, nmln.net, ideal-nm.org, ideal-nm.net,
idealnm.org, idealnm.net
relayhost =
smtp_host_lookup = dns, native
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_client_restrictions = reject_unauth_pipelining
check_client_access hash:/etc/postfix/whitelist check_client_access
cidr:/etc/postfix/cidr-ip check_client_access hash:/etc/postfix/access
permit_mynetworks reject_rbl_client
n6mn6bwuuaertsbehompac3udq.zen.dq.spamhaus.net reject_rbl_client
bl.spamcop.net reject_rbl_client dnsbl.njabl.org reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.4 reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.5 reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.6 reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.7 reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.8 reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.9 reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.10 reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.11 reject_rbl_client
blackholes.five-ten-sg.com=127.0.0.13
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks check_helo_access
hash:/etc/postfix/helo-ip reject_invalid_hostname reject_non_fqdn_helo_hostname
smtpd_sender_restrictions = check_sender_access
hash:/etc/postfix/greylist check_sender_access
hash:/etc/postfix/access
permit_mynetworks reject_non_fqdn_sender reject_unknown_sender_domain permit_mynetworks reject_unauth_destination
reject_unknown_recipient_domain reject_unlisted_recipient
check_recipient_access
hash:/etc/postfix/overquota reject_non_fqdn_recipient reject_unknown_recipient_domain
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtualaliases

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

Wietse Venema

Apr 6, 2010, 12:45:01 PM
Robert Lopez:

> A "postmap -q <any-pattern-in-file> cidr-ip" returns the rest of the
> matching line correctly.

This uses the default database type, which is "hash:" on most systems.
Thus, Postfix opens "hash:cidr-ip" which results in opening cidr-ip.db.

To query a CIDR file, specify cidr:filename, just like you have in main.cf.

Wietse

Noel Jones

Apr 6, 2010, 12:52:34 PM
On 4/6/2010 11:39 AM, Robert Lopez wrote:
> For some time I have been tracking changes to the access table with RCS.
> Each time a change is made the "ci access" results in the removal of
> the access file from /etc/postfix and leaving the
> /etc/postfix.access.db file.
>
> Today I tried to check in a cidr table named cidr-ip. Upon check-in
> (and restart of postfix) I got this message in the maillog file:
> Apr 6 10:12:57 mg05 postfix/smtpd[4632]: fatal: open
> /etc/postfix/cidr-ip: No such file or directory
>
> A "postmap -q<any-pattern-in-file> cidr-ip" returns the rest of the
> matching line correctly.
> An strace of "postmap -q<any-pattern> cidr-ip" shows it is the
> cidr-ip.db file that is being read.
>
> Why does postfix not like the source file being removed from the
> /etc/postfix directory?

cidr tables are plain-text tables. The source file is the
live table data. The .db file is your mistake; cidr tables
should not be indexed with postmap.

-- Noel Jones

Robert Lopez

Apr 6, 2010, 1:57:00 PM

That surprises me.

The man page seems to me to indicate otherwise.
My confusion is with this sentence:
"These tables are usually in dbm or db format."
which is from the Description portion below...


CIDR_TABLE(5) CIDR_TABLE(5)

NAME
cidr_table - format of Postfix CIDR tables

SYNOPSIS
postmap -q "string" cidr:/etc/postfix/filename

postmap -q - cidr:/etc/postfix/filename <inputfile

DESCRIPTION
The Postfix mail system uses optional lookup tables.
These tables are usually in dbm or db format. Alterna-
tively, lookup tables can be specified in CIDR (Classless
Inter-Domain Routing) form. In this case, each input is
compared against a list of patterns. When a match is
found, the corresponding result is returned and the search
is terminated.

To find out what types of lookup tables your Postfix sys-
tem supports use the "postconf -m" command.

To test lookup tables, use the "postmap -q" command as
<snip>

>
> -- Noel Jones

Noel Jones

Apr 6, 2010, 2:14:49 PM
On 4/6/2010 12:57 PM, Robert Lopez wrote:
> On Tue, Apr 6, 2010 at 10:52 AM, Noel Jones<njo...@megan.vbhcs.org> wrote:
>> On 4/6/2010 11:39 AM, Robert Lopez wrote:
>>>
>>> For some time I have been tracking changes to the access table with RCS.
>>> Each time a change is made the "ci access" results in the removal of
>>> the access file from /etc/postfix and leaving the
>>> /etc/postfix.access.db file.
>>>
>>> Today I tried to check in a cidr table named cidr-ip. Upon check-in
>>> (and restart of postfix) I got this message in the maillog file:
>>> Apr 6 10:12:57 mg05 postfix/smtpd[4632]: fatal: open
>>> /etc/postfix/cidr-ip: No such file or directory
>>>
>>> A "postmap -q<any-pattern-in-file> cidr-ip" returns the rest of the
>>> matching line correctly.
>>> An strace of "postmap -q<any-pattern> cidr-ip" shows it is the
>>> cidr-ip.db file that is being read.
>>>
>>> Why does postfix not like the source file being removed from the
>>> /etc/postfix directory?
>>
>> cidr tables are plain-text tables. The source file is the live table data.
>> The .db file is your mistake; cidr tables should not be indexed with
>> postmap.
>
> That surprises me.
>
> The man page seems to me to indicate otherwise.
> My confusion is with this sentence:
> "These tables are usually in dbm or db format."


That statement is followed by "Alternatively, ..."

Writing concise, unambiguous man pages isn't easy.
Contributed documentation patches are always welcome (but not
always adopted).

-- Noel Jones

Wietse Venema

Apr 6, 2010, 2:23:15 PM
Robert Lopez:
Now that you mention the documentation:

> SYNOPSIS
> postmap -q "string" cidr:/etc/postfix/filename
>
> postmap -q - cidr:/etc/postfix/filename <inputfile
>
> DESCRIPTION

...


> To test lookup tables, use the "postmap -q" command as

> described in the SYNOPSIS above.

It takes some perseverance to find that text.

Wietse

/dev/rob0

Apr 6, 2010, 2:33:21 PM
On Tue, Apr 06, 2010 at 11:57:00AM -0600, Robert Lopez wrote:
> On Tue, Apr 6, 2010 at 10:52 AM, Noel Jones <njo...@megan.vbhcs.org>
> wrote:
> > On 4/6/2010 11:39 AM, Robert Lopez wrote:
> >> Why does postfix not like the source file being removed from the
> >> /etc/postfix directory?
> >
> > cidr tables are plain-text tables.  The source file is the live
> > table data.  The .db file is your mistake; cidr tables should not
> > be indexed with postmap.
>
> That surprises me.
>
> The man page seems to me to indicate otherwise.
> My confusion is with this sentence:
> "These tables are usually in dbm or db format."
> which is from the Description portion below...

Yes, and it continues:
"Alternatively, lookup tables can be specified in CIDR ... form."

Taken together, with emphasis added:
"These tables are USUALLY in dbm or db format. ALTERNATIVELY, lookup
tables CAN BE ..."

Perhaps the wording can be improved. The "usually" part is not so
relevant as are the particulars of what a cidr: map should be.

"
The Postfix mail system uses optional lookup tables as described in
the DATABASE_README document. Lists of IP addresses can be specified
in CIDR (Classless Inter-Domain Routing) form. In this case, a plain
text file is the map, with the standard "key whitespace value"
format. When a match is found, the corresponding result is returned
and the search is terminated.
"

I know, it's probably not appropriate to refer to a README in that
part of a man page, but it seems more thorough and less likely to
confuse, to me, than the "usually" verbiage.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header

Robert Lopez

Apr 6, 2010, 2:35:02 PM

That is another point that has me confused.
I have been testing to make certain changes I have made to the access file
were really there with postmap -q.

With the movement of IP addresses and CIDR blocks out of the access
file and into a "cidr-ip" file postmap -q would find them in the
cidr-ip.db file.
If I remove the .db file (as Noel points out, not necessary) then I get
an error because postmap seems to only look in database files:

$ postmap -q 222.254.228.0/24 cidr-ip
postmap: fatal: open database cidr-ip.db: No such file or directory

As I originally posted: "An strace of "postmap -q <any-pattern>
cidr-ip" shows it is the cidr-ip.db file that is being read." by
postmap.

>
>        Wietse

Noel Jones

Apr 6, 2010, 2:38:06 PM

The key for a cidr map must be an IP address, not a literal
cidr range.

postmap -q 222.254.225.5 cidr:cidr-ip


-- Noel Jones

Charles Marcus

Apr 6, 2010, 2:40:11 PM
On 2010-04-06 2:35 PM, Robert Lopez wrote:
> If I remove the .db ile (As Noel points out not necessary) then I get
> an error because postmap seems to only look in database files:
>
> $ postmap -q 222.254.228.0/24 cidr-ip
> postmap: fatal: open database cidr-ip.db: No such file or directory

Did you miss this from Wietse?

"SYNOPSIS
> postmap -q "string" cidr:/etc/postfix/filename"

Note the 'cidr:/' prefix to the file path/name?

Noel already pointed out you need to use a single IP as the key...

--

Best regards,

Charles

Robert Lopez

Apr 6, 2010, 2:42:52 PM

That would help. Then so would this:

"To test lookup tables, use the "postmap -q" command as
described in the SYNOPSIS above for database files. The
postmap -q will not work on the CIDR file as it is a test file."


>
> I know, it's probably not appropriate to refer to a README in that
> part of a man page, but it seems more thorough and less likely to
> confuse, to me, than the "usually" verbiage.
> --
>    Offlist mail to this address is discarded unless
>    "/dev/rob0" or "not-spam" is in Subject: header
>

--

Noel Jones

Apr 6, 2010, 2:48:21 PM
On 4/6/2010 1:42 PM, Robert Lopez wrote:
>> The Postfix mail system uses optional lookup tables as described in
>> the DATABASE_README document. Lists of IP addresses can be specified
>> in CIDR (Classless Inter-Domain Routing) form. In this case, a plain
>> text file is the map, with the standard "key whitespace value"
>> format. When a match is found, the corresponding result is returned
>> and the search is terminated.
>> "
>
> That would help. Then so would this:
>
> "To test lookup tables, use the "postmap -q" command as
> described in the SYNOPSIS above for database files. The
> postmap -q will not work on the CIDR file as it is a test file."


Or how about
postmap -q will not work if you use the wrong syntax

Robert Lopez

Apr 6, 2010, 2:54:35 PM

Now that I understand my suggestion on that point is null and void.

Thanks for the help.

Robert Lopez

Apr 6, 2010, 2:56:22 PM
I replied to Charles thinking I was replying to the list...

On Tue, Apr 6, 2010 at 12:40 PM, Charles Marcus
<CMa...@media-brokers.com> wrote:
> On 2010-04-06 2:35 PM, Robert Lopez wrote:
>> If I remove the .db ile (As Noel points out not necessary) then I get
>> an error because postmap seems to only look in database files:
>>
>> $ postmap -q 222.254.228.0/24 cidr-ip
>> postmap: fatal: open database cidr-ip.db: No such file or directory
>
> Did you miss this from Wietse?

I read it but at the time did not understand it.


>
> "SYNOPSIS
>> postmap -q "string" cidr:/etc/postfix/filename"
>
> Note the 'cidr:/' prefix to the file path/name?
>
> Noel already pointed out you need to use a single IP as the key...

I have just confirmed that having this line in the file:

222.254.228.0/24 DISCARD

Then this is working:
$ postmap -q 222.254.228.0 cidr:/etc/postfix/cidr-ip
DISCARD
$ postmap -q 222.254.228.1 cidr:/etc/postfix/cidr-ip
DISCARD

So, now I understand.

>
> --
>
> Best regards,
>
> Charles
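The two points settled in this thread are that a cidr: table is the plain-text file itself (no postmap indexing, so no .db file), and that a lookup key must be a single IP address, not a CIDR range. The following is an added example, not code from the thread or from Postfix, that emulates what "postmap -q key cidr:file" does: it parses a constructed table in the "key whitespace value" format and returns the result of the first pattern the address falls inside, in file order. The table contents, the REJECT text and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of a Postfix cidr: table (not the poster's real /etc/postfix/cidr-ip).
# Format is "network/prefix result"; comments and blank lines are ignored.
SAMPLE_CIDR_TABLE = """\
# constructed example table
222.254.228.0/24   DISCARD
198.133.182.0/24   OK
10.0.0.0/8         REJECT private address space is not expected here
2001:db8::/32      REJECT
192.0.2.7          REJECT
"""


def parse_cidr_table(text):
    """Parse cidr-table text into a list of (network, result) pairs, in file order.

    Order matters: Postfix returns the result of the first matching pattern,
    so a more specific entry must come before a broader one that contains it.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'pattern result', got {line!r}")
        pattern, result = parts
        # A bare address with no /prefix is treated as a single host.
        # strict=False tolerates host bits set in the pattern (e.g. 10.1.2.3/8).
        network = ipaddress.ip_network(pattern, strict=False)
        rules.append((network, result))
    return rules


def cidr_lookup(rules, key):
    """Emulate 'postmap -q KEY cidr:FILE'.

    Returns the result string of the first matching pattern, or None when
    nothing matches. A key that is not a single IP address (for example the
    literal range '222.254.228.0/24' that was tried in the thread) never
    matches, because the table is searched by address, not by pattern text.
    """
    try:
        addr = ipaddress.ip_address(key)
    except ValueError:
        return None
    for network, result in rules:
        if addr.version == network.version and addr in network:
            return result
    return None


if __name__ == "__main__":
    rules = parse_cidr_table(SAMPLE_CIDR_TABLE)
    for key in ("222.254.228.0", "222.254.228.1", "222.254.228.0/24", "2001:db8::1"):
        print(key, "->", cidr_lookup(rules, key))
```

Querying with an address inside the range returns DISCARD, exactly as the "postmap -q 222.254.228.0 cidr:/etc/postfix/cidr-ip" output in the thread shows, while querying with the range string returns nothing. The same emulation illustrates Wietse's first reply: without the cidr: prefix, postmap falls back to the default map type (hash: on most systems) and opens cidr-ip.db instead of reading the text file at all.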

Wietse Venema

Apr 6, 2010, 3:37:08 PM
Robert Lopez:

> On Tue, Apr 6, 2010 at 12:23 PM, Wietse Venema <wie...@porcupine.org> wrote:
> > Robert Lopez:
> > Now that you mention the documentation:
> >
> >> SYNOPSIS
> >>        postmap -q "string" cidr:/etc/postfix/filename
> >>
> >>        postmap -q - cidr:/etc/postfix/filename <inputfile
> >>
> >> DESCRIPTION
> > ...
> >>        To test lookup tables, use the "postmap -q" command as
> >>        described in the SYNOPSIS above.

> >
> > It takes some perseverance to find that text.
>
> That is another point that has me confused.
> I have been testing to make certain changes I have made to the access file
> were really there with postmap -q.

The synopsis says: postmap -q "string" cidr:/etc/postfix/filename

> As I originally posted: "An strace of "postmap -q <any-pattern>
> cidr-ip" shows it is the cidr-ip.db file that is being read." by
> postmap.

The synopsis says that you should use cidr:filename.

Wietse

Stan Hoeppner

Apr 7, 2010, 6:15:05 AM
Robert Lopez put forth on 4/6/2010 1:56 PM:

> Then then this is working:
> $ postmap -q 222.254.228.0 cidr:/etc/postfix/cidr-ip
> DISCARD
> $ postmap -q 222.254.228.1 cidr:/etc/postfix/cidr-ip
> DISCARD
>
> So, now I understand.

Don't feel bad Robert. I went through pretty much the same thing you have
back when I first started using CIDR maps (and many other Postfix features).

Postfix documentation is not a "how-to" as much as it is a concise
definition of each parameter. It takes a while to get used to the style and
flow of the man pages before one can easily digest any given page he/she
pulls up.

How-to guides found via Google et al can really help you figure out your
current issue, plus help you digest the man pages if you cross reference the
how-to and the docs. After a while, you'll understand the terminology and
way the docs work, and you'll be less reliant on the how-to's and books.

Like any _technical_ document, Postfix man pages require the reader to be
familiar with terminology definitions in the document. I have found that
this sometimes requires backtracking through multiple doc sections just to
figure out what the terms in the man page I'm currently looking at mean.

Instead of man pages in a bash console, I usually use:
http://www.postfix.org/postconf.5.html

I use my browser's find-in-current-page function to jump up and down through
this main.cf config doc to find the information I need in order to
understand a given section. This is much more intuitive than jumping back
and forth through multiple man pages in bash. Many things on this page are
hotlinked to other relevant things on the same page which is really nice.
Bookmark this page. I think you'll find it very beneficial. If you find
you still can't understand something, Google it, and you'll often find
something written in a way you can understand it better.

I've been using Postfix since 2005. In the past five years I have learned
(at least) one valuable lesson: Finding and understanding information in
the Postfix documentation requires _patience_ and perseverance. ;)

Someone stated yesterday or the day before that becoming a mail op isn't
easy, it's not for everyone, and the good ones have spent years honing their
knowledge and skills. As I stated, I've been using Postfix for 5 years, and
I'm still a novice WRT most of the features. Welcome to the club. :)

--
Stan
