Re: Interpreting rejectlog "recipients from..." entries.

Author: Dr. Rich Artym
Date:  
To: exim-users
Subject: Re: Interpreting rejectlog "recipients from..." entries.
More on the question of weird IP-matching specifications like:

> > } sender_net_accept_relay = "204.249.49.0/204.249.50.0" 
>                                             ^^^^^^^^^^^^


Using a network address in the place of a netmask is dangerous. Back
in pre-CIDR days, the network address specified unambiguously both the
network size and the network base address, but with current classless
addressing the network address is no longer sufficient because the
least significant bits of the network part of the network address can
be zeros. Eg. 112.0.0.0/252.0.0.0 specifies a network with two LS
zeros in the network part of the network address, ie. the top byte is
01110000 (network part {011100}) and the netmask top byte is 11111100,
*not* 11110000 as would be determined from the network address alone.
That's why just the network address isn't enough --- we need to know
the netmask or the hostmask or the /netwidth of a network in addition
to its base address.

As a result, constructs like "204.249.49.0/204.249.50.0" are very likely
to be incorrect even if one takes the fairly sensible step of using the
least significant '1'-bit of the RHS address as defining the value
of the corresponding real netmask. It is only by coincidence that the
netmask derived this way would turn out to be the actual netmask of the
network, so accepting such values is a recipe for misinterpretation and
hence misconfiguration of network access control.

If obscure "reject on matching arbitrary bitfield" functionality is
desired then it shouldn't be provided under the title of an otherwise
clear and unambiguous "reject on matching network" option, IMO. So few
people "think binary" that that just leads to confusion and mistakes.
It would be safer to stick to textbook netmasks and netwidths in Exim,
I think.

Rich.
-- 
###########  Dr. Rich Artym  ================  PGP public key available
# galacta #  Email   : rich@???         158.152.156.137
# ->demon #  Web     : http://www.galacta.demon.co.uk  - temp page only
# ->ampr  #  AMPR    : rich@g7exm[.uk].ampr.org 44.131.164.1 BBS:GB7MSW
# ->NTS   #  Fun     : Unix, X, TCP/IP, kernel, O-O, C++, SoftEng, Nano
###########  More fun: Regional IP Coordinator Hertfordshire + N.London



--
* This is sent by the exim-users mailing list.  To unsubscribe send a
    mail with subject "unsubscribe" to exim-users-request@???
* Exim information can be found at http://www.exim.org/
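The bit-level argument in the post (a netmask must be a contiguous run of 1-bits, and the "least-significant 1-bit of the RHS" guess only coincidentally recovers the real mask) can be made concrete with a small validator. The code below is an added example and is not Exim's own parser; it shows how a defender might check an `address/mask` entry before trusting it in an access-control list. The function names and the rule that a non-contiguous mask is rejected outright are this example's own choices, and the addresses used are the ones quoted in the post.

```python
import ipaddress


def ip_to_int(addr: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def int_to_ip(n: int) -> str:
    """32-bit integer back to a dotted quad."""
    return str(ipaddress.IPv4Address(n & 0xFFFFFFFF))


def is_contiguous_mask(mask: str) -> bool:
    """A real IPv4 netmask is a run of 1-bits followed by a run of 0-bits.
    Equivalently, its complement (the hostmask) must be of the form 2**n - 1."""
    hostmask = (~ip_to_int(mask)) & 0xFFFFFFFF
    return (hostmask & (hostmask + 1)) == 0


def guessed_mask(addr: str) -> str:
    """The heuristic the post argues against: treat the least-significant 1-bit
    of an arbitrary address as the last bit of the netmask.  Used here only to
    show how far the guess can be from the intended mask."""
    n = ip_to_int(addr)
    if n == 0:
        return "0.0.0.0"
    lowest = n & -n                      # isolate the least-significant 1-bit
    return int_to_ip(~(lowest - 1))      # all ones from that bit upward


def parse_net_spec(spec: str) -> str:
    """Parse 'base/width' or 'base/netmask' into canonical CIDR text.

    Rejects: a right-hand side that is neither a prefix length nor a
    contiguous netmask, and a base address with host bits set (which would
    make the entry match a different range than the one written)."""
    base, sep, rhs = spec.partition("/")
    if not sep:
        raise ValueError(f"{spec!r}: missing '/' separator")
    if rhs.isdigit():
        prefix = int(rhs)
        if not 0 <= prefix <= 32:
            raise ValueError(f"{spec!r}: prefix length out of range")
    else:
        if not is_contiguous_mask(rhs):
            raise ValueError(f"{spec!r}: {rhs} is not a netmask "
                             f"(1-bits are not contiguous)")
        prefix = bin(ip_to_int(rhs)).count("1")
    # strict=True raises if the base address has host bits set.
    return str(ipaddress.IPv4Network(f"{base}/{prefix}", strict=True))


if __name__ == "__main__":
    # Values quoted in the post.
    for spec in ("204.249.49.0/204.249.50.0", "112.0.0.0/252.0.0.0",
                 "204.249.49.0/24"):
        try:
            print(f"{spec:30} -> {parse_net_spec(spec)}")
        except ValueError as err:
            print(f"{spec:30} -> REJECTED: {err}")
    # What the least-significant-1-bit guess would have produced instead.
    for addr in ("204.249.50.0", "112.0.0.0"):
        print(f"guess from {addr:15} -> {guessed_mask(addr)}")
```

Run stand-alone, the script rejects `204.249.49.0/204.249.50.0` because `204.249.50.0` has scattered 1-bits, accepts `112.0.0.0/252.0.0.0` as `112.0.0.0/6`, and shows that guessing the mask from `112.0.0.0` alone would give `240.0.0.0` (a /4), exactly the mismatch the post describes.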