Re: [exim] Greylisting Within Exim Using Memcached

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Mike Cardwell
Dátum:  
Címzett: exim-users
Tárgy: Re: [exim] Greylisting Within Exim Using Memcached
On 28/08/2009 07:42, Dave Evans wrote:

>> I have greylisting set up in Exim without the need for anything external.
>> It doesn't have any allowances for bypassing yet as that is trivial at
>> this point. It is the last thing I have configured in acl_smtp_rcpt before
>> the explicit accept. I understand the implementation only allows the
>> possibility for using one Memcached server. I wouldn't mind if anyone
>> would like to offer any constructive criticism and/or ways to clean up the
>> implementation. The configuration can be found here:
>>
>>       http://mail.yournetplus.com/d.hill/exim-greylist-memcached.conf


I'm glad somebody found my ${readsocket} for memcached document useful.

> First impressions...
>
> I'd be wary of using memcached for greylisting. Since there's no
> guarantee that anything you put into the cache will come out again, so any
> memcached-using app should degrade gracefully if that happens. Arguably,
> yours doesn't; if memcached keeps failing to return what was put in, then
> you'll defer forever, which you don't want.


Why would it fail to return what was put in? One thing that I noticed
was that it doesn't check to make sure that the SET command succeeded.
In the document that I wrote it does this:

condition = ${if eq{MEMCACHED_SET}{STORED}}

Yet in the greylist config it does this:

set acl_c_memcache_result = MEMCACHED_SET

But then doesn't check the value of $acl_c_memcache_result anywhere.

> That said:
>
>   - only works for IPv4, of course
>   - all that mucking about with octets can probably be made a lot simpler by
>     using ${mask:


I agree. It would also be more flexible. Rather than specifying the
number of octets you could specify the mask, so instead of 3 octets
you'd specify a mask of 24.

root@haven:~# exim4 -be '${mask:192.168.10.15/24}'
192.168.10.0/24
root@haven:~#

set acl_c_memcache_key =
${mask:$sender_host_address/GREYLIST_IPMASK}:$acl_c_from:$acl_c_rcpt

>   - since you're injecting keys straight into a memcached command string you
>     should be extra careful about the format of the keys.  Currently I think
>     your keys can contain spaces (i.e. if the sender and/or recipient contain
>     spaces), which I think would be a Bad Thing.


Probably safest to hash the value of the key before using it then, ie:


set acl_c_memcache_key =
${md5:${mask:$sender_host_address/GREYLIST_IPMASK}:$acl_c_from:$acl_c_rcpt}

>   - is ${if match{$acl_c_memcache_value}{\N^$\N}}
>     equivalent to ${if eq{$acl_c_memcache_value}{}}  ?


Yeah.

--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/