On 28/08/2009 07:42, Dave Evans wrote:
>> I have greylisting set up in Exim without the need for anything external.
>> It doesn't have any allowances for bypassing yet as that is trivial at
>> this point. It is the last thing I have configured in acl_smtp_rcpt before
>> the explicit accept. I understand the implementation only allows the
>> possibility for using one Memcached server. I wouldn't mind if anyone
>> would like to offer any constructive criticism and/or ways to clean up the
>> implementation. The configuration can be found here:
>>
>> http://mail.yournetplus.com/d.hill/exim-greylist-memcached.conf
I'm glad somebody found my ${readsocket} for memcached document useful.
> First impressions...
>
> I'd be wary of using memcached for greylisting. Since there's no
> guarantee that anything you put into the cache will come out again, so any
> memcached-using app should degrade gracefully if that happens. Arguably,
> yours doesn't; if memcached keeps failing to return what was put in, then
> you'll defer forever, which you don't want.
Why would it fail to return what was put in? One thing that I noticed
was that it doesn't check to make sure that the SET command succeeded.
In the document that I wrote it does this:
condition = ${if eq{MEMCACHED_SET}{STORED}}
Yet in the greylist config it does this:
set acl_c_memcache_result = MEMCACHED_SET
But then doesn't check the value of $acl_c_memcache_result anywhere.
> That said:
>
> - only works for IPv4, of course
> - all that mucking about with octets can probably be made a lot simpler by
> using ${mask:
I agree. It would also be more flexible. Rather than specifying the
number of octets you could specify the mask, so instead of 3 octets
you'd specify a mask of 24.
root@haven:~# exim4 -be '${mask:192.168.10.15/24}'
192.168.10.0/24
root@haven:~#
set acl_c_memcache_key =
${mask:$sender_host_address/GREYLIST_IPMASK}:$acl_c_from:$acl_c_rcpt
> - since you're injecting keys straight into a memcached command string you
> should be extra careful about the format of the keys. Currently I think
> your keys can contain spaces (i.e. if the sender and/or recipient contain
> spaces), which I think would be a Bad Thing.
Probably safest to hash the value of the key before using it then, ie:
set acl_c_memcache_key =
${md5:${mask:$sender_host_address/GREYLIST_IPMASK}:$acl_c_from:$acl_c_rcpt}
> - is ${if match{$acl_c_memcache_value}{\N^$\N}}
> equivalent to ${if eq{$acl_c_memcache_value}{}} ?
Yeah.
--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226)
http://cardwellit.com/
