Yahoo Groups archive

Milter-greylist

milter-greylist 2.0.2 forgets its whitelist

2005-12-13 by Dan Hollis

After some period of time, milter-greylist seems to forget/corrupt its 
whitelist.

acl whitelist domain /or\.uspops\.net$/
acl whitelist addr 64.28.48.0/20

Dec 13 11:07:32 budget.net milter-greylist: jBDJ7UCO017852: addr 64.28.60.70 from <roguejim@...> to <anneh@...> delayed for 00:27:58

After a restart (I did not touch or edit or do anything to 
milter-greylist configuration files, I simply restarted the daemon):

Dec 13 11:10:41 budget.net milter-greylist: jBDJAb5q012595: skipping greylist because sender DNS name dialup-ras24-70.eug.or.uspops.net is whitelisted, (from=<roguejim@...>, rcpt=<anneh@...>, addr=64.28.60.70)

-Dan

Re: [milter-greylist] milter-greylist 2.0.2 forgets its whitelist

2005-12-13 by Kai Schaetzl

Dan Hollis wrote on Tue, 13 Dec 2005 11:20:41 -0800 (PST):

> acl whitelist domain /or\.uspops\.net$/

That's probably not the cause for forgetting that setting, but I don't see 
a reason to use regexp here.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

Re: [milter-greylist] milter-greylist 2.0.2 forgets its whitelist

2005-12-13 by Matt Kettler

Kai Schaetzl wrote:
> Dan Hollis wrote on Tue, 13 Dec 2005 11:20:41 -0800 (PST):
> 
> 
>>acl whitelist domain /or\.uspops\.net$/
> 
> 
> That's probably not the cause for forgetting that setting, but I don't see 
> a reason to use regexp here.

Well, there is some advantage to using the regex here.

acl whitelist domain or.uspops.net will match "for.uspops.net.com" but the regex
above will not.

In this case it is probably not necessary, but the regex is a more restrictive
rule for that reason.

Re: [milter-greylist] milter-greylist 2.0.2 forgets its whitelist

2005-12-14 by Kai Schaetzl

Matt Kettler wrote on Tue, 13 Dec 2005 18:02:37 -0500:

> acl whitelist domain or.uspops.net will match "for.uspops.net.com" but the regex 
> above will not.

If it really works this way it doesn't work as I expect it to work. A domain 
literal is not a regex. Documentation says only strings with // around them are 
processed as regex. "example.net" may match for example.net and any subdomain of 
it, but it should not match example.net.whatever. That is how matches in sendmail 
and other black/whitelists I know work. And milter-greylist seems to work just like 
this. 
So "acl whitelist example.net" is just enough. As I understand regex would only be 
necessary if you need complex matching, f.i. /pool\..*\.verizon\.net/

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

Re: [milter-greylist] milter-greylist 2.0.2 forgets its whitelist

2005-12-14 by Matt Kettler

Kai Schaetzl wrote:
> Matt Kettler wrote on Tue, 13 Dec 2005 18:02:37 -0500:
> 
> 
>>acl whitelist domain or.uspops.net will match "for.uspops.net.com" but the regex 
>>above will not.
> 
> 
> If it really works this way it doesn't work as I expect it to work. A domain 
> literal is not a regex. 

That's correct. It isn't a regex.

> Documentation says only strings with // around them are 
> processed as regex.

True, only // are treated as regex.

> "example.net" may match for example.net and any subdomain of 
> it, but it should not match example.net.whatever. That is how matches in sendmail
> and other black/whitelists I know work. And milter-greylist seems to work just like 
> this. 

Are you sure? It isn't a regex, but that doesn't mean it can't be a substring
match, and substrings WILL match in the middle.

I'm pretty sure that milter-greylist does substring-matching, not end-of-string
matching.

Re: [milter-greylist] milter-greylist 2.0.2 forgets its whitelist

2005-12-14 by Kai Schaetzl

Matt Kettler wrote on Wed, 14 Dec 2005 12:05:13 -0500:

> Are you sure? It isn't a regex, but that doesn't mean it can't be a substring 
> match, and substrings WILL match in the middle. 
>  
> I'm pretty sure that milter-greylist does substring-matching, not end-of-string 
> matching.

Surprise, it does neither of these. I just checked the code and what it does 
is a 1:1 C-style comparison (domaincmp() in acl.c). So, it only matches *exactly*, 
nothing else. If I want to include subdomains I better put them in ;-) Anyway, for 
now I have been using IP addresses only.
Regex matching is done by regexec(), which must be provided by some external 
library. I'm not familiar with Linux libraries, so I don't know exactly how it 
works, but I assume your explanation above applies, so *if* a regex is used, a $ at 
the end might be handy.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
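
Added example (not part of the original thread and not milter-greylist's own code): the matching semantics debated above, run side by side on the hostnames from the thread plus one constructed name, motor.uspops.net. The helper names and the label-anchored pattern (^|\.)or\.uspops\.net$ are assumptions made for this illustration; it shows that a trailing $ alone still accepts a name that merely ends in the same characters.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Exact comparison of the whole name (case-insensitive). */
static int match_exact(const char *host, const char *dom) {
    return strcasecmp(host, dom) == 0;
}

/* Substring comparison: dom may sit anywhere inside host. */
static int match_substring(const char *host, const char *dom) {
    return strstr(host, dom) != NULL;
}

/* Suffix comparison on a label boundary: host is dom or ends in "." dom. */
static int match_suffix(const char *host, const char *dom) {
    size_t hl = strlen(host), dl = strlen(dom);
    if (hl < dl || strcasecmp(host + hl - dl, dom) != 0) return 0;
    return hl == dl || host[hl - dl - 1] == '.';
}

/* POSIX regexec() searches the whole string unless the pattern is anchored.
 * Returns 1 on match, 0 on no match, -1 if the pattern does not compile. */
static int match_regex(const char *host, const char *pattern) {
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_ICASE | REG_NOSUB) != 0) return -1;
    int rc = regexec(&re, host, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

int main(void) {
    const char *dom = "or.uspops.net";
    const char *hosts[] = {
        "dialup-ras24-70.eug.or.uspops.net", /* from the log line in the thread */
        "for.uspops.net.com",                /* from the thread */
        "motor.uspops.net",                  /* constructed sample */
    };
    printf("%-36s exact substr suffix re$ re-label$\n", "host");
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-36s %5d %6d %6d %3d %9d\n", hosts[i],
               match_exact(hosts[i], dom), match_substring(hosts[i], dom),
               match_suffix(hosts[i], dom),
               match_regex(hosts[i], "or\\.uspops\\.net$"),
               match_regex(hosts[i], "(^|\\.)or\\.uspops\\.net$"));
    return 0;
}
```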
