Typo in @client_ipaddr_policy?

Mark Martinec Mark.Martinec+amavis at ijs.si
Wed Apr 4 19:47:56 CEST 2012


Patrick,

> is '127.0.0.1/8' in your @client_ipaddr_policy example
> in RELEASE_NOTES correct?
> 
>     @client_ipaddr_policy = (
>       [qw( 0.0.0.0/8 127.0.0.1/8 [::] [::1] )]            => 'LOCALHOST',
>       [qw( !172.16.1.0/24 172.16.0.0/12 192.168.0.0/16 )] => 'PRIVATENETS',
>       [qw( 192.0.2.0/25 192.0.2.129 192.0.2.130 )]        => 'PARTNER',
>       \@some_other_networks  => 'OTHER',
>       \@mynetworks           => 'MYNETS',
>     );
> 
> Shouldn't that be 127.0.0.1/32 or 127.0.0.0/8?

Yes, it should be 127.0.0.0/8, although the 127.0.0.1/8 works just as well
in amavis because of the implied CIDR mask, which zeroes out trailing bits.
Now fixed in release notes.

> And what about 0.0.0.0/8. Does that declare the IPv4 namespace to be part of
> the LOCALHOST policy bank?

Yes, the 0.*.*.* belongs to 'this' network:

RFC 5735:

   0.0.0.0/8 - Addresses in this block refer to source hosts on "this"
   network.  Address 0.0.0.0/32 may be used as a source address for this
   host on this network; other addresses within 0.0.0.0/8 may be used to
   refer to specified hosts on this network ([RFC1122], Section
   3.2.1.3).

Such an address is not seen in actual TCP sessions, but has a
somewhat special meaning in the context of @client_ipaddr_policy
(and its component @mynetworks_maps):

amavisd-new-2.4.5 release notes

- for the purpose of looking up client IP address in @mynetworks_maps,
  treat unknown/unavailable IP address as 0.0.0.0;  this allows treating
  directly submitted mail on the MTA host (not submitted through SMTP) as
  coming from IP address 0.0.0.0 (i.e. "This" Network - according to RFC 1700);

  Note that this is indistinguishable from other reasons when IP address
  is not made available to amavisd, e.g. when smtp_send_xforward_command
  option in Postfix smtp service is not enabled, which is why the default
  setting of @mynetworks does not include a 0.0.0.0/8 network to prevent
  unintentionally loading a MYNETS policy bank.

  One should add 0.0.0.0/8 to a @mynetworks list only when XFORWARD is known
  to work and if some software on the MTA host is submitting its mail to MTA
  directly, e.g. through a sendmail mail submission command (or its lookalike),
  and MYNETS policy bank loading is needed for proper processing of such mail
  (e.g. DKIM signing or adding disclaimers in later versions of amavisd);

amavisd-new-2.6.0 release notes

- in the absence of an smtp client's IP address (normally received by XFORWARD
  smtp command from Postfix, or in the 'client_address' attribute of AM.PDP),
  parse the topmost one or two Received header fields and use the first
  valid IP address found there; based on a suggestion by Richard Bishop;



Tobias Hachmer wrote:
> I think [::], the unspecified ipv6 address which never would be
> assigned by any node also doesn't belong to localhost...

Indeed. But in the same sense as the 0.0.0.0/8 above it is
reasonable to treat it as local by @client_ipaddr_policy.


  Mark
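
Added example, not part of the original message and not amavisd's own code: a small Python model of the lookup discussed above, showing that 127.0.0.1/8 masks to 127.0.0.0/8 and that an unavailable client address, looked up as 0.0.0.0, lands in the LOCALHOST bank. The function names are hypothetical, and first-match ordering and reading '!' as an exclusion are assumptions of this model.

```python
import ipaddress

# Constructed from the example quoted in the post; @some_other_networks and
# @mynetworks are left out because the page does not give their contents.
CLIENT_IPADDR_POLICY = [
    (["0.0.0.0/8", "127.0.0.1/8", "[::]", "[::1]"], "LOCALHOST"),
    (["!172.16.1.0/24", "172.16.0.0/12", "192.168.0.0/16"], "PRIVATENETS"),
    (["192.0.2.0/25", "192.0.2.129", "192.0.2.130"], "PARTNER"),
]

def parse_entry(entry):
    """Return (negated, text, network) for one ACL entry."""
    negated = entry.startswith("!")
    text = entry.lstrip("!").replace("[", "").replace("]", "")
    # strict=False zeroes the bits below the prefix: 127.0.0.1/8 -> 127.0.0.0/8
    return negated, text, ipaddress.ip_network(text, strict=False)

def acl_match(ip, entries):
    """Assumed semantics: the first matching entry decides; '!' excludes."""
    for entry in entries:
        negated, _, net = parse_entry(entry)
        if ip.version == net.version and ip in net:
            return not negated
    return False

def policy_bank(client_ip, policy=CLIENT_IPADDR_POLICY):
    """Name of the first bank whose list matches, or None."""
    # Per the 2.4.5 release notes quoted above, an unknown or unavailable
    # client address is looked up as 0.0.0.0.
    ip = ipaddress.ip_address(client_ip or "0.0.0.0")
    for entries, bank in policy:
        if acl_match(ip, entries):
            return bank
    return None

def audit(policy=CLIENT_IPADDR_POLICY):
    """Entries written with host bits set, with the network they really cover."""
    findings = []
    for entries, bank in policy:
        for entry in entries:
            _, text, net = parse_entry(entry)
            if ipaddress.ip_interface(text).ip != net.network_address:
                findings.append((bank, entry, str(net)))
    return findings
```

Calling `policy_bank(None)` is the case to check before adding 0.0.0.0/8 to a list: every message whose client address did not reach the lookup takes that bank.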

