Typo in @client_ipaddr_policy?
Mark Martinec
Mark.Martinec+amavis at ijs.si
Wed Apr 4 19:47:56 CEST 2012
Patrick,

> is '127.0.0.1/8' in your @client_ipaddr_policy example
> in RELEASE_NOTES correct?
>
> @client_ipaddr_policy = (
> [qw( 0.0.0.0/8 127.0.0.1/8 [::] [::1] )] => 'LOCALHOST',
> [qw( !172.16.1.0/24 172.16.0.0/12 192.168.0.0/16 )] => 'PRIVATENETS',
> [qw( 192.0.2.0/25 192.0.2.129 192.0.2.130 )] => 'PARTNER',
> \@some_other_networks => 'OTHER',
> \@mynetworks => 'MYNETS',
> );
>
> Shouldn't that be 127.0.0.1/32 or 127.0.0.0/8?

Yes, it should be 127.0.0.0/8, although the 127.0.0.1/8 works just as well
in amavis because of the implied CIDR mask which zeroes-out trailing bits.
Now fixed in release notes.

> And what about 0.0.0.0/8. Does that declare the IPv4 namespace to be part of
> the LOCALHOST policy bank?

Yes, the 0.*.*.* belongs to 'this' network:

RFC 5735:
0.0.0.0/8 - Addresses in this block refer to source hosts on "this"
network. Address 0.0.0.0/32 may be used as a source address for this
host on this network; other addresses within 0.0.0.0/8 may be used to
refer to specified hosts on this network ([RFC1122], Section
3.2.1.3).

Such an address is not seen in actual TCP sessions, but has a
somewhat special meaning in a context of @client_ipaddr_policy
(and its component @mynetworks_maps):

amavisd-new-2.4.5 release notes
- for the purpose of looking up client IP address in @mynetworks_maps,
treat unknown/unavailable IP address as 0.0.0.0; this allows treating
directly submitted mail on the MTA host (not submitted through SMTP) as
coming from IP address 0.0.0.0 (i.e. "This" Network - according to RFC 1700);
Note that this is indistinguishable from other reasons when IP address
is not made available to amavisd, e.g. when smtp_send_xforward_command
option in Postfix smtp service is not enabled, which is why the default
setting of @mynetworks does not include a 0.0.0.0/8 network to prevent
unintentionally loading a MYNETS policy bank.
One should add 0.0.0.0/8 to a @mynetworks list only when XFORWARD is known
to work and if some software on the MTA host is submitting its mail to MTA
directly, e.g. through a sendmail mail submission command (or its lookalike),
and MYNETS policy bank loading is needed for proper processing of such mail
(e.g. DKIM signing or adding disclaimers in later versions of amavisd);

amavisd-new-2.6.0 release notes
- in the absence of an smtp client's IP address (normally received by XFORWARD
smtp command from Postfix, or in the 'client_address' attribute of AM.PDP),
parse the topmost one or two Received header fields and use the first
valid IP address found there; based on a suggestion by Richard Bishop;

Tobias Hachmer wrote:
> I think [::], the unspecified ipv6 address which never would be
> assigned by any node also doesn't belong to localhost...

Indeed. But in the same sense as the 0.0.0.0/8 above it is
reasonable to treat it as local by @client_ipaddr_policy.

Mark
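
A small Python model of the lookup discussed in this message, added here as an illustration (it is not amavisd code, which is Perl, and not part of the original post): it shows that the implied CIDR mask makes 127.0.0.1/8 the same network as 127.0.0.0/8, and that a client with no known IP address, treated as 0.0.0.0, lands in whichever policy bank lists 0.0.0.0/8. Assumptions of this example: first match wins over the pairs and within each list, a leading "!" means an explicit non-match, and all function names are the example's own.

```python
import ipaddress

# Policy list copied from the quoted RELEASE_NOTES example as (ACL, bank)
# pairs; the two array references (\@some_other_networks, \@mynetworks)
# are left out because their contents are not shown in the message.
CLIENT_IPADDR_POLICY = [
    (["0.0.0.0/8", "127.0.0.1/8", "[::]", "[::1]"], "LOCALHOST"),
    (["!172.16.1.0/24", "172.16.0.0/12", "192.168.0.0/16"], "PRIVATENETS"),
    (["192.0.2.0/25", "192.0.2.129", "192.0.2.130"], "PARTNER"),
]


def parse_entry(entry):
    """Return (negated, network) with host bits zeroed by the prefix mask."""
    negated = entry.startswith("!")
    text = entry.lstrip("!").replace("[", "").replace("]", "")
    # strict=False applies the mask instead of rejecting set host bits,
    # so 127.0.0.1/8 and 127.0.0.0/8 parse to the same network.
    return negated, ipaddress.ip_network(text, strict=False)


def acl_matches(acl, addr):
    """Assumed semantics: first matching entry decides; '!' yields False."""
    for entry in acl:
        negated, net = parse_entry(entry)
        if addr in net:  # always False across IPv4/IPv6 versions
            return not negated
    return False


def policy_bank(client_ip, policy=CLIENT_IPADDR_POLICY):
    """Model of the lookup; a missing client IP is treated as 0.0.0.0."""
    addr = ipaddress.ip_address(client_ip if client_ip else "0.0.0.0")
    for acl, bank in policy:
        if acl_matches(acl, addr):
            return bank
    return None


if __name__ == "__main__":
    # Constructed sample clients; None stands for "no XFORWARD information".
    for ip in ("127.5.6.7", None, "172.16.1.9", "172.16.2.9", "192.0.2.128"):
        print(ip, "->", policy_bank(ip))
```

The `None` case is the one to watch when reviewing a configuration: any mail for which the MTA passes no client address is classified by the entry that covers 0.0.0.0.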