Koozali.org formerly Contribs.org

White list range of addresses with Email WBL contrib
« on: January 13, 2015, 07:47:22 PM »
Is there a way to whitelist a range of IP addresses? I tried x.x.x.x/yy but it doesn't seem to be working. I don't see anything in the wiki either: http://wiki.contribs.org/Email_Whitelist-Blacklist_Control

Is there a special syntax to specify an entire range?  The range I need contains 4096 addresses so I'm a bit reluctant to enter them in each separately :-P

Offline ReetP

Re: White list range of addresses with Email WBL contrib
« Reply #1 on: January 14, 2015, 04:34:47 PM »
Hi,

you are stepping into uncharted territory here :-)

First, there are issues with the wbl contrib working correctly with dnsbl/whitelists

See these two bugs :

V8
http://bugs.contribs.org/show_bug.cgi?id=8327

v9
http://bugs.contribs.org/show_bug.cgi?id=8747

I believe that qpsmtpd *should* work by default with whitelisted IP addresses (the patch only fixes domain names and individual senders).

However, I am not sure of a format for subnetting. Documentation for plugins is sparse online.

The place to look is in /usr/share/qpsmtpd/whitelistsoft

"=item whitelisthosts

Any IP address (or start-anchored fragment thereof) listed in the
whitelisthosts file is exempted from any further validation during
'connect', and can be selectively exempted at other stages by
plugins testing for a 'whitelisthost' connection note.

Similarly, if the environment variable $WHITELISTCLIENT is set
(which can be done by tcpserver), the connection will be exempt from
further 'connect' validation, and the host can be selectively
exempted by other plugins testing for a 'whitelistclient' connection
note."

Damned if I know what a "start-anchored fragment" is !

The bit of code that does the checking is this :

Code:
  my $config_arg = $self->{_per_recipient} ? { rcpt => $rcpt, %MERGE } : {};
  for my $h ($self->qp->config('whitelisthosts', $config_arg)) {
    if ($h eq $ip or $ip =~ /^\Q$h\E/) {
      $self->qp->connection->notes('whitelisthost', 1);
      $self->log(2,"host $ip is a whitelisted host");
      return OK;
    }
  }

But how or what it checks I have no idea ! I have a feeling that this part checks for the start of the IP block :

Code:
$ip =~ /^\Q$h\E/
I guess if you were trying to block say :

192.168.10.*

You could try just

192.168.10

I'll try and test that bit and see what it gives as a result unless anyone else knows ?

B. Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline ReetP

Re: White list range of addresses with Email WBL contrib
« Reply #2 on: January 14, 2015, 04:45:51 PM »
Yes, it seems that it matches from the left hand side of the IP so

192.168.0.1
Will only pick up 192.168.0.1

192.168.0
Will pick up 192.168.0.0-255

192.168
Will pick up 192.168.0.0 - 192.168.255.255

Please let us know if this is the case and we can add some notes to the wiki

To test this I did :

Code:
touch IPTest.pl
Copy in the following :

Code:
#!/usr/bin/perl

use strict;
use warnings;

# $mask is the mask (the whitelisthosts entry, matched as a start-anchored prefix)
my $mask = "192.168.0";

# $ip is an IP you are trying to block
my $ip = "192.168.0.2";

if ($mask eq $ip) {
    print "ip is equal to mask\n";
}

# \Q...\E quotes the metacharacters in $mask, so the dots are literal dots
if ($ip =~ /^\Q$mask\E/) {
    print "ip is in mask\n";
}

then

Code:
perl IPTest.pl
(or even better step it through a debugger !)

Hope that makes sense, and helps

B. Rgds
John

Re: White list range of addresses with Email WBL contrib
« Reply #3 on: January 14, 2015, 05:19:50 PM »
Thanks John. The subnet I am trying to whitelist isn't a clean split on an octet (64.235.144.0/20), which means the following IPs are all valid:

64.235.144.15
64.235.147.118
64.235.159.81

I could whitelist on just 64.235.1 but it would be a little too big. Earlier today, I put in all 4096 addresses. So far the server hasn't exploded. Now that I think about it, I could put in an entry for each unique set of the first three octets. That would be a lot less than 4096 :smile:

Offline ReetP

Re: White list range of addresses with Email WBL contrib
« Reply #4 on: January 14, 2015, 05:33:40 PM »
No problems - I'm quite amazed I knew enough to answer :-)

Yes I think that if you can't do it in one block then split it down to manageable chunks. Saves typing them all manually..... and will be much faster for checking as the script first checks for an identical match, and failing that for a block. If you have a dozen blocks it will be a damn sight more rapid than thousands of individuals.

We ought to document this somewhere as it isn't that obvious - I'll raise a bug for it.

B. Rgds
John

Re: White list range of addresses with Email WBL contrib
« Reply #5 on: January 14, 2015, 06:08:02 PM »
Quote
Damned if I know what a "start-anchored fragment" is !

I think you worked it out. It's a regular expression which uses a ^ anchor, but not a $ anchor. See the code that you quoted.

Quote
I guess if you were trying to block say :

192.168.10.*

You could try just

192.168.10

No, you would use:

192.168.10.

Without the trailing . you will match 192.168.100 through 192.168.109.

Offline ReetP

Re: White list range of addresses with Email WBL contrib
« Reply #6 on: January 14, 2015, 06:20:46 PM »
Quote
I think you worked it out. It's a regular expression which uses a ^ anchor, but not a $ anchor. See the code that you quoted.

New one on me - only anchors I know are large heavy things you throw off the front of your vessel :-) Have some nice anecdotes on the subject from my seafaring days ....

Quote
No, you would use:

192.168.10.

Without the trailing . you will match 192.168.100 through 192.168.109.

Ahhhhhh.........

Thanks Charlie.

reetp rushes off to fix the wiki again..... :-)

