Yahoo Groups archive

Milter-greylist

Index last updated: 2026-04-28 23:32 UTC

Message

questions about ldapcheck

2011-04-28 by Benoit Branciard

I spent a couple of hours trying to figure out how "ldapcheck" works, 
and I'm still dubious.

I'm working on milter-greylist "stable" (4.2.7), compiled on Debian 
Squeeze x86

configure options: --prefix=/usr/local --bindir=/usr/local/sbin 
--sysconfdir=/etc --localstatedir=/var/lib --enable-dnsrbl 
--with-libspf2=/usr --with-conffile=/etc/mail/greylist.conf 
--with-dumpfile=/var/lib/milter-greylist/greylist.db 
--with-libcurl=/usr --with-openldap

(for information: the libspf I use is a patched 1.2.5 version with a 
corrected IPv6 bug, and the libmilter is the libmilter0 "etch" package, 
since I couldn't manage to get configure recognize the squeeze 
libmilter1 package).


After digging in the source code, I found out that ldapcheck clauses 
always returns false (0). So the only effect of an ldapcheck is to 
gather properties (The presence of milterGreylistStatus=TRUE or 
milterGreylist*=* attributes in the LDAP reply does not imply success, 
unlike urlcheck does).

Maybe this could be specified in the greylist.conf manual page ?


Besides that, I came into trouble when attempting to test gathered 
properties. For example:

ldapcheck "myBlackList" 
"ldap:///cn=my,dc=ldap,dc=base?milterGreylistStatus?sub?(myBlackMail=%f)" clear

acl blacklist ldapcheck "myBlackList"
acl blacklist $milterGretlistStatus "TRUE" code "451" ecode "4.7.1" msg 
"blacklisted due to abuse"


The "acl blacklist $milterGretlistStatus" is never hit, even if the 
ldapcheck returns an entry with an attribute milterGretlistStatus=TRUE.

(to be sure, I activated "verbose" in greylist.conf, and got
	milter-greylist: got prop $milterGreylistStatus = "TRUE"
in my maillog.)

Sorry, I didn't take time to track this in the source code for now...


Moreover, ldapcheck seems to be quite unstable: milter-greylist crashed 
several times a day since I began to test urlchecks, although it worked 
perfectly for several months before, without any crash nor memory leaks.

greylist.conf file reload after update seems to be a frequent crash 
condition (although the new file has been verified bu "milter-greylist 
-c" before being renamed).


About ldapcheck returning always 0:

I tested a small modification of ldapcheck.c (see patch below, which 
also includes some additional debug messages), to get ldapcheck return 
true if the LDAP query returns at least one entry, and false otherwise, 
whatever attributes are returned. This works well, and permits simple 
LDAP entry presence tests, such as recipient validity:

ldapcheck "validUser" "ldap:///cn=my,dc=ldap,dc=base??sub?(mail=%r)"
acl blacklist not ldapcheck "ValidUser" code "550" ecode "5.1.1" msg 
"User unknown"


But applying this patch to the distribution would change the behaviour 
of ldapcheck, thus potentially breaking config for those who already 
(successfully ?) used ldapchecks.

For now with unpatched ldapcheck.c, the above example should work with 
(if I'm right):

ldapcheck "validUser" "ldap:///cn=my,dc=ldap,dc=base?mail?sub?(mail=%r)" 
clear
acl blacklist ldapcheck "ValidUser"
acl blacklist $mail "" code "550" ecode "5.1.1" msg "User unknown"

but this doesn't... ?


Here is the patch to ldapcheck.c to return success in case of found LDAP 
entry:

--- ldapcheck.c.0	2009-04-09 05:26:46.000000000 +0200
+++ ldapcheck.c	2011-04-28 14:54:45.000000000 +0200
@@ -413,6 +413,9 @@
  		goto bad;	
  	}

+	/* query successful: clear error status */
+	retval = 0;
+	
  	/*
  	 * Extract results
  	 */
@@ -422,16 +425,26 @@
  		BerElement *ber = NULL;
  		char *attr = NULL;

+		/* found entry: return success */
+		retval = 1;
+
+		if (conf.c_debug)
+			mg_log(LOG_DEBUG, "ldapcheck: got entry\n");
+	
  		for (attr = ldap_first_attribute(lc->lc_ld, res, &ber);
  		     attr != NULL;
  		     attr = ldap_next_attribute(lc->lc_ld, res, ber)) {
  			char **vals = NULL;
  			char **val = NULL;
  			
+			if (conf.c_debug)
+				mg_log(LOG_DEBUG, "ldapcheck: got attribute %s\n", attr);
+			
  			vals = ldap_get_values(lc->lc_ld, res, attr);
  			if (vals == NULL) {
  				mg_log(LOG_ERR, "ldap_get_values for URL \"%s\""
  						"returns vals = NULL", url);
+				retval = -1;
  				goto bad;
  			}

@@ -446,7 +459,6 @@
  			ber_free(ber, 0);
  	}

-	retval = 0;
  bad:
  	if (res0)
  		ldap_msgfree(res0);
@@ -469,6 +481,9 @@
                      tv3.tv_sec, tv3.tv_usec);
          }

+	if (conf.c_debug)
+		mg_log(LOG_DEBUG, "ldapcheck return status is %d\n", retval);
+
  	return retval;
  }



-- 
Benoit BRANCIARD

CRIR - SIS
Centre de Ressources Informatiques et du R\ufffdseau,
Service Infrastructures
http://crir.univ-paris1.fr
Universit\ufffd Paris 1 Panth\ufffdon-Sorbonne

Tel. 01 44 07 89 68

-- 
Ce message a ete verifie par MailScanner
pour des virus ou des polluriels et rien de
suspect n'a ete trouve.

Attachments

  • No local attachments were found for this message.

Move to quarantaine

This moves the raw source file on disk only. The archive index is not changed automatically, so you still need to run a manual refresh afterward.