Re: [exim] Greylisting Within Exim Using Memcached

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Duane Hill
Dátum:  
Címzett: exim-users
Tárgy: Re: [exim] Greylisting Within Exim Using Memcached
On Fri, 28 Aug 2009, Mike Cardwell wrote:

> On 28/08/2009 07:42, Dave Evans wrote:
>
>>> I have greylisting set up in Exim without the need for anything external.
>>> It doesn't have any allowances for bypassing yet as that is trivial at
>>> this point. It is the last thing I have configured in acl_smtp_rcpt before
>>> the explicit accept. I understand the implementation only allows the
>>> possibility for using one Memcached server. I wouldn't mind if anyone
>>> would like to offer any constructive criticism and/or ways to clean up the
>>> implementation. The configuration can be found here:
>>>
>>>       http://mail.yournetplus.com/d.hill/exim-greylist-memcached.conf

>
> I'm glad somebody found my ${readsocket} for memcached document useful.
>
>> First impressions...
>>
>> I'd be wary of using memcached for greylisting. Since there's no
>> guarantee that anything you put into the cache will come out again, so any
>> memcached-using app should degrade gracefully if that happens. Arguably,
>> yours doesn't; if memcached keeps failing to return what was put in, then
>> you'll defer forever, which you don't want.
>
> Why would it fail to return what was put in? One thing that I noticed
> was that it doesn't check to make sure that the SET command succeeded.
> In the document that I wrote it does this:
>
> condition = ${if eq{MEMCACHED_SET}{STORED}}


I have changed the set acl variable back to a condition. I was going to do
that and it slipped my mind. Now, if there is an error in storing. a
sender host will not get arbitrarily greylisted.

> Yet in the greylist config it does this:
>
> set acl_c_memcache_result = MEMCACHED_SET
>
> But then doesn't check the value of $acl_c_memcache_result anywhere.
>
>> That said:
>>
>>   - only works for IPv4, of course
>>   - all that mucking about with octets can probably be made a lot simpler by
>>     using ${mask:

>
> I agree. It would also be more flexible. Rather than specifying the
> number of octets you could specify the mask, so instead of 3 octets
> you'd specify a mask of 24.
>
> root@haven:~# exim4 -be '${mask:192.168.10.15/24}'
> 192.168.10.0/24
> root@haven:~#
>
> set acl_c_memcache_key =
> ${mask:$sender_host_address/GREYLIST_IPMASK}:$acl_c_from:$acl_c_rcpt
>
>>   - since you're injecting keys straight into a memcached command string you
>>     should be extra careful about the format of the keys.  Currently I think
>>     your keys can contain spaces (i.e. if the sender and/or recipient contain
>>     spaces), which I think would be a Bad Thing.

>
> Probably safest to hash the value of the key before using it then, ie:
>
>
> set acl_c_memcache_key =
> ${md5:${mask:$sender_host_address/GREYLIST_IPMASK}:$acl_c_from:$acl_c_rcpt}


Ok. It now uses an MD5 hash.

>>   - is ${if match{$acl_c_memcache_value}{\N^$\N}}
>>     equivalent to ${if eq{$acl_c_memcache_value}{}}  ?

>
> Yeah.



Thanks for all the input.