RE: [Exim] host_reject_recipients leaking a few subnets

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
M\Dave C. at <-
MMPhilip Hazel at ->
Delete this message
Reply to this message
Author: Bernard Stern
Date:  
To: exim-users
Subject: RE: [Exim] host_reject_recipients leaking a few subnets
On Wed, 26 Sep 2001 19:13:20 -0400 (EDT) "Dave C." wrote:

> On Wed, 26 Sep 2001, Philip Hazel wrote:

>> On Tue, 25 Sep 2001, Dave C. wrote:
>>
(...)

> Yes, these would definately be specific.

> Basically, I want to reverse the current net lookup - for each item in
> the list, does it match the given IP. If it does, and its not negated,
> break out and the lookup succeeds, if it mathes and its negated, break
> out, the lookup fails.

> Lets say:

> I want to allow anyone in the 10.0.0.0/8 to relay, but not 10.1.2.0/24,
> but I do want to make an exception for 10.1.2.7

> If I could put:

> 10.1.2.7 : ! 10.1.2.0/24 : 10.0.0.0/8

> and 10.1.2.7 would be permitted, anything else in 10.1.2 would fail, but
> then 10.9.9.9 would pass, and anything else would fail - either use the
> same 'fall off the end' logic as with a host list, if not, then an
> explicit global negation could be added:

> 10.1.2.7 : ! 10.1.2.0/24 : 10.0.0.0/8 : ! 0.0.0.0/0

This is exactly how I implemented my perl code (see my yesterday post
on this thread). I would warmly welcome a "native" exim kind of
lookup. As Philip mentionned, a preprocessing is necessary to
obtain a correct sorting of all the items. I took the approach
to do the preprocessing once and then to check the address to match
against the resulting sorted file.
If you think you can use my code, you can have it. However, there
is a lot more in it, because I needed this special kind of lookup
to implement special quotas.

>> If you want to use DBM for some of the lookups, for speed, there is no
>> reason why you couldn't write
>>
>>
>>     !net16-dbm;/some/file : net8-dbm;/some/file : ...

>>
>> where _the same file_ is used in both cases. Exim would do two probes,
>> first with a /16 mask, and then with a /8 mask.
>>
>> You could even include items like this as lines in an included file.
>>
>> ---------
>> [*] To speed up a linear search, I could conceive of some entirely new
>> idea, in which the data is preprocessed in some special way that
>> understands negation and masks. It would have to be very clever and
>> create some kind of partial ordering of the data and some fast way of
>> searching it. This would be a major project, and if anybody implemented
>> it, they should do it as a new free-standing library, because it could
>> be used outside Exim.


Bernard Stern, SWITCH


This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-RE: [Exim] alias file for multiple domains & rejecting users with *@xyz.comRe: [Exim] 1.000.000 email delivered in single session->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)