DevHeads.net

Lookup tables

Hi,

In the online documentation for access tables
(http://www.postfix.org/access.5.html), it says:

Subnetworks are matched by repeatedly truncating
the last ".octet" from the remote IPv4 host address
string until a match is found in the access table, or
until further truncation is not possible.

This is supposedly subject only to the restriction that the table is an
indexed file "such as DB or DBM".

I have the following client_access table:
5.188.9 REJECT WebShield Network trying to hack Dovecot 2018-05-10 - test
5.188.9.1 REJECT WebShield Network trying to hack Dovecot 2018-05-10

I compile the table to create client_access.db:
# postmap client_access

I then try:
# postmap -q 5.188.9.2 client_access
[no output]

# postmap -q 5.188.9.1 client_access
REJECT WebShield Network trying to hack Dovecot 2018-05-10

The behaviour of postmap seems to be at odds with the documentation;
specifically, it does not seem to be possible to match an address against
an address-prefix in the table. Am I misunderstanding the docs, or do
they need fixing?

I haven't tried any of the other indexed lookup types; is there some
other table type that works properly? Do I need to test them all to see
if they comply with the docs?

Thanks,

Comments

Re: Lookup tables

By Wietse Venema at 05/14/2018 - 07:13

Postfix will query a hash (btree, dbm, lmdb, ldap, etc.) table
multiple times, first with the full IP address and then with prefixes
of the IP address. With your example of 5.188.9.2 the queries would
be:

5.188.9.2
5.188.9

There would be more queries if there is no match.

(with cidr, pcre, and regexp tables there would be only one lookup).

The postmap command does not make all the queries that I described
above. You will have to do that instead.

Wietse
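
Added example (not part of the original thread and not Postfix code): a shell wrapper that makes the repeated queries described above with postmap -q, trying the full IPv4 address first and then each shorter prefix. The function names access_keys and access_lookup are hypothetical, and it assumes postmap -q exits with status 0 only when the key is found.

```shell
#!/bin/sh
# Emulate the IPv4 key sequence tried for an indexed access(5) table.
# Usage (after sourcing): access_lookup 5.188.9.2 hash:/etc/postfix/client_access

# Print the lookup keys for an IPv4 address, most specific first:
#   5.188.9.2 -> 5.188.9.2, 5.188.9, 5.188, 5
access_keys() {
    key=$1
    while :; do
        printf '%s\n' "$key"
        case $key in
            *.*) key=${key%.*} ;;   # truncate the last ".octet"
            *)   break ;;           # further truncation is not possible
        esac
    done
}

# Query the table once per key and stop at the first match.
#   $1 = IPv4 address, $2 = table (type:path, or a bare path as in the post)
# Prints "matched-key<TAB>result" and returns 0; returns 1 if no key matched.
access_lookup() {
    for k in $(access_keys "$1"); do
        if result=$(postmap -q "$k" "$2"); then
            printf '%s\t%s\n' "$k" "$result"
            return 0
        fi
    done
    return 1
}
```

Printing the matched key alongside the result shows whether a REJECT came from the host entry or from a network prefix.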

Re: Lookup tables

By jack at 05/14/2018 - 08:03

Mike, I had:

# postconf smtpd_client_restrictions
smtpd_client_restrictions = reject_unknown_reverse_client_hostname,
check_client_access hash:/etc/postfix/client_access,
permit_sasl_authenticated

On 14/05/2018 12:13, Wietse Venema wrote:
Aaaah. Light dawns. So the prefix match should be working in postfix,
even if it doesn't work in postmap. That's not what I thought I
observed; but I didn't test postfix thoroughly, because it was easier to
test postmap. Oh well!
Non-indexed tables will no doubt be less efficient, beyond some
threshold dataset size. And those table-types are memory-resident, AIUI,
so there would be a memory-hit for large tables.

Anyway, thanks for clearing this up.

Re: Lookup tables

By Mike Guelfi at 05/14/2018 - 07:00

postmap is a lookup management tool; doing a query on an IP in a
subnet isn't going to succeed.

You probably just forgot to enable client_access or reload postfix.

What does this return?
# postconf smtpd_client_restrictions

Default is:
smtpd_client_restrictions =

enabled would be:
smtpd_client_restrictions = check_client_access hash:/path/to/client_access

Quoting jack < ... at jackpot dot uk.net>:

Re: Lookup tables

By jack at 05/14/2018 - 07:54

# postconf smtpd_client_restrictions
smtpd_client_restrictions = reject_unknown_reverse_client_hostname,
check_client_access hash:/etc/postfix/client_access,
permit_sasl_authenticated

On 14/05/2018 12:00, Mike Guelfi wrote:

Re: Lookup tables

By jack at 05/14/2018 - 06:41

Sorry - I should have said:

Postfix 2.11.3, running on Debian Jessie.

Also, I ran these tests using postmap when it became apparent to me that
postfix itself was not matching address prefixes in hash tables.

On 14/05/2018 11:18, jack wrote: