Mailing List Archive

[Bug 2631] Option to restrict dnslists to specific networks and log a warning if they return IP addresses outside this range
https://bugs.exim.org/show_bug.cgi?id=2631

--- Comment #1 from Jeremy Harris <jgh146exb@wizmail.org> ---
It's possible to use "!&127.255.255.0" which does take out 255.0/8.
Is there sufficient agreement among dnsbl operators to choose something as a
new default for filtering?

Spamhaus lists have return ranges 127.0.0.0/24, 127.0.1.0/24, 127.0.2.0/24 for
hits.
Sorbs lists return codes in the range 127.0.0.0/28

Then there's the logging side of the issue. Maybe a new log_selector?

But Spamhaus also returns values in 127.255.255.0/24 to indicate non-match
internal error cases. Should we care for logging, or leave the checking of
the returned value/s to the sysadmin?


--
RFC 6471 says:
- "most" ip-based dnsbls support queries for addrs in 127.0.0.0/24 (often
  127.0.0.2) to test operational status
- responses outside 127.0.0.0/24 should be taken as indication of non-function
- name-based dnsbls RECOMMENDED to support queries for "test" for operational
  status; and a query for "INVALID" getting a positive response should be taken
  as indication of non-function

--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
[Bug 2631] Option to restrict dnslists to specific networks and log a warning if they return IP addresses outside this range

--- Comment #2 from Simon Arlott <bugzilla.exim.simon@arlott.org> ---
(In reply to Jeremy Harris from comment #1)
> It's possible to use "!&127.255.255.0" which does take out 255.0/8.

This just isn't practical. I adjust the dnslists by local part so there's a lot
of additional complexity in doing this, not to mention the bitmask calculations
involved in making sure that it does what it's intended to do.

A way to define dnslists by a short name ("begin dnslists") would make it easier
to configure them with multiple zones, inclusion/exclusion masks on separate
config lines and display names for the zones to hide API keys. That's probably
the topic of another wishlist entry but it could also be used to specify address
ranges that are errors (!127.0.0.0/8) or warnings (127.255.255.0/24).

> Is there sufficient agreement among dnsbl operators to choose something as a
> new default for filtering?

At a minimum, 127.0.0.0/8.

> But Spamhaus also returns values in 127.255.255.0/24 to indicate non-match
> internal error cases. Should we care for logging, or leave the checking of
> the returned value/s to the sysadmin?

I would just add that range to the list of disallowed addresses in my
config because no other dnslist is using them.

> RFC 6471 says:
> - "most" ip-based dnsbls support queries for addrs in 127.0.0.0/24 (often
>   127.0.0.2) to test operational status
> - name-based dnsbls RECOMMENDED to support queries for "test" for operational
>   status; and a query for "INVALID" getting a positive response should be
>   taken as indication of non-function

It could be beneficial for Exim to do this periodically but I'm more concerned
with lists that start returning wildcard non-dnslist responses.

> - responses outside 127.0.0.0/24 should be taken as indication of
> non-function

There are lists where this isn't true.

[Bug 2631] Option to restrict dnslists to specific networks and log a warning if they return IP addresses outside this range

Lena <Lena@lena.kiev.ua> changed:

What   | Removed | Added
-------|---------|------------------
CC     |         | Lena@lena.kiev.ua

--- Comment #3 from Lena <Lena@lena.kiev.ua> ---
zz.countries.nerd.dk returns country code in the range 127.0.0.4 - 127.0.3.126

I use it:

deny message = I don't accept mail from China, HongKong, Taiwan, Korea, \
               Vietnam because too many admins there do not care \
               about outgoing spam. Your \
               IP-address seems to belong to: $dnslist_text.
     dnslists = zz.countries.nerd.dk=127.0.0.156,127.0.1.88,127.0.0.158,\
                127.0.1.154,127.0.2.192

[Bug 2631] Option to restrict dnslists to specific networks and log a warning if they return IP addresses outside this range

Jeremy Harris <jgh146exb@wizmail.org> changed:

What   | Removed | Added
-------|---------|---------
Status | NEW     | ASSIGNED

--- Comment #4 from Jeremy Harris <jgh146exb@wizmail.org> ---
Decided to go with a hardwired check for 127.0.0.0/8 - there doesn't seem to be
need for making it configurable at this time.

[Bug 2631] Option to restrict dnslists to specific networks and log a warning if they return IP addresses outside this range

--- Comment #5 from Simon Arlott <bugzilla.exim.simon@arlott.org> ---
Now that I'm aware of it, it would be useful to handle 127.255.255.0/24 too:
https://www.spamhaus.org/news/article/788/spamhaus-dnsbl-return-codes-technical-update

Better than rejecting all mail because of a warning response.

[Bug 2631] Option to restrict dnslists to specific networks and log a warning if they return IP addresses outside this range

--- Comment #6 from Jeremy Harris <jgh146exb@wizmail.org> ---
Can't do that as a general thing, as it is Spamhaus-specific.

[Bug 2631] Option to restrict dnslists to specific networks and log a warning if they return IP addresses outside this range

--- Comment #7 from Simon Arlott <bugzilla.exim.simon@arlott.org> ---
I know; but if you make it configurable as a global host list it will be
possible to change it.

[Bug 2631] Option to restrict dnslists to specific networks and log a warning if they return IP addresses outside this range

--- Comment #8 from Jeremy Harris <jgh146exb@wizmail.org> ---
If you want to get fancy, $dnslist_value has the lookup result. Given that, you
can code what you want.

[Bug 2631] Option to restrict dnslists to specific networks and log a warning if they return IP addresses outside this range

Git Commit <git@exim.org> changed:

What   | Removed | Added
-------|---------|-------------
CC     |         | git@exim.org

--- Comment #9 from Git Commit <git@exim.org> ---
Git commit:
https://git.exim.org/exim.git/commitdiff/cebf4027931177cc70106a84e19705f2085a09f5

commit cebf4027931177cc70106a84e19705f2085a09f5
Author: Jeremy Harris <jgh146exb@wizmail.org>
AuthorDate: Mon Aug 10 22:28:48 2020 +0100
Commit: Jeremy Harris <jgh146exb@wizmail.org>
CommitDate: Mon Aug 10 23:45:11 2020 +0100

dnslists: hardwired return value check. bug 2631
----
doc/doc-txt/ChangeLog | 4 +
src/src/dnsbl.c | 33 ++-
test/confs/0139 | 1 +
test/confs/0509 | 4 +-
test/dnszones-src/db.test.ex | 11 +
test/log/0509 | 3 +-
test/scripts/0000-Basic/0139 | 25 ++
test/stderr/0139 | 597 ++++++++++++++++++++++++++++++++++++++++---
test/stdout/0139 | 48 ++++
9 files changed, 689 insertions(+), 37 deletions(-)

[Bug 2631] Option to restrict dnslists to specific networks and log a warning if they return IP addresses outside this range

--- Comment #10 from Simon Arlott <bugzilla.exim.simon@arlott.org> ---
(In reply to Jeremy Harris from comment #8)
> If you want to get fancy, $dnslist_value has the lookup result. Given that,
> you can code what you want.

Exim only returns the result of the first dnslist. Also, if I do that you're
now filtering access to 127/8 results so I can't ignore any remaining results.
Any invalid result means the dnslist can't be trusted.

I don't understand why (in an application that has specific config format
support for lists of IP addresses) that you would hard code this.

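The following is an added example, written for this archive page; it is not Exim code and not something any participant in the thread posted. It models the return-value checks argued over above so the trade-offs can be run against sample data: the hardwired "must be inside 127.0.0.0/8" rule of comment #4, the Spamhaus-specific 127.255.255.0/24 error codes of comments #1 and #5 (configured per list, since comment #6 notes they cannot be a general rule), comment #10's point that one bad answer makes the whole lookup untrustworthy, and the RFC 6471 operational probes from comment #1 (127.0.0.2 expected listed, 127.0.0.1 expected unlisted). The hit ranges are the ones quoted in comment #1; the Sorbs zone name, the resolver and every answer in FAKE_ZONE are constructed assumptions, not captured from the real lists.

```python
"""Model of the dnslists return-value checks discussed in bug 2631.

Every A record must lie in 127.0.0.0/8; per-list error codes are reported but
never count as a hit (so a warning response does not reject mail); any answer
outside the sane range taints the whole lookup so in-range answers from the same
query are ignored too; RFC 6471 probes check the 127.0.0.2 / 127.0.0.1 entries.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Sequence, Tuple

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def nets(*cidrs: str) -> Tuple[ipaddress.IPv4Network, ...]:
    return tuple(ipaddress.ip_network(c) for c in cidrs)


@dataclass(frozen=True)
class ListPolicy:
    zone: str
    hit_ranges: Tuple[ipaddress.IPv4Network, ...]          # answers meaning "listed"
    error_ranges: Tuple[ipaddress.IPv4Network, ...] = ()   # list-specific error codes


@dataclass
class Verdict:
    zone: str
    trusted: bool = True   # cleared once any answer falls outside 127.0.0.0/8
    hit: bool = False      # listed AND the lookup as a whole can be trusted
    hits: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)   # candidates for a log line


def evaluate(policy: ListPolicy, answers: Optional[Sequence[str]]) -> Verdict:
    """Classify the A records one query returned; answers=None models NXDOMAIN."""
    v = Verdict(zone=policy.zone)
    if answers is None:
        return v
    for raw in answers:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            v.trusted = False
            v.warnings.append(f"unparseable answer {raw!r}")
            continue
        if addr not in LOOPBACK:   # also true for any IPv6 answer
            v.trusted = False
            v.warnings.append(f"{addr} outside 127.0.0.0/8 (wildcard or dead zone?)")
        elif any(addr in n for n in policy.error_ranges):
            v.errors.append(str(addr))
        elif any(addr in n for n in policy.hit_ranges):
            v.hits.append(str(addr))
        else:
            v.warnings.append(f"{addr} is not a known return code for {policy.zone}")
    v.hit = v.trusted and bool(v.hits)   # comment #10: tainted lookup -> no hit
    return v


def query_name(ip: str, zone: str) -> str:
    """Reverse-octet DNSBL query name: 127.0.0.2 -> 2.0.0.127.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def probe_operational(policy: ListPolicy,
                      resolve: Callable[[str], Optional[List[str]]]) -> Tuple[bool, List[str]]:
    """RFC 6471 status probe: the 127.0.0.2 test entry must be listed with sane
    values, and 127.0.0.1 must return nothing at all."""
    problems: List[str] = []
    positive = evaluate(policy, resolve(query_name("127.0.0.2", policy.zone)))
    if not positive.trusted:
        problems.append("test entry answers untrusted: " + "; ".join(positive.warnings))
    elif not positive.hit:
        problems.append("127.0.0.2 not listed: zone empty or not serving")
    if resolve(query_name("127.0.0.1", policy.zone)) is not None:
        problems.append("127.0.0.1 answered: zone is wildcarding")
    return (not problems, problems)


# Hit ranges as quoted in comment #1; the Sorbs zone name is an assumption.
SPAMHAUS = ListPolicy("zen.spamhaus.org",
                      hit_ranges=nets("127.0.0.0/24", "127.0.1.0/24", "127.0.2.0/24"),
                      error_ranges=nets("127.255.255.0/24"))
SORBS = ListPolicy("dnsbl.sorbs.net", hit_ranges=nets("127.0.0.0/28"))

# Constructed answers standing in for a resolver; nothing here was captured live.
FAKE_ZONE: Dict[str, List[str]] = {
    query_name("127.0.0.2", SPAMHAUS.zone): ["127.0.0.2", "127.0.0.4"],
    query_name("198.51.100.7", SPAMHAUS.zone): ["127.0.0.3"],              # listed
    query_name("198.51.100.8", SPAMHAUS.zone): ["127.255.255.254"],        # error code
    query_name("198.51.100.9", SPAMHAUS.zone): ["127.0.0.2", "10.0.0.1"],  # tainted
}


def lookup(name: str) -> Optional[List[str]]:
    return FAKE_ZONE.get(name)   # absent name == NXDOMAIN


if __name__ == "__main__":
    for client in ("198.51.100.7", "198.51.100.8", "198.51.100.9", "198.51.100.10"):
        print(client, evaluate(SPAMHAUS, lookup(query_name(client, SPAMHAUS.zone))))
    print("healthy:", probe_operational(SPAMHAUS, lookup))
    print("wildcard:", probe_operational(SPAMHAUS, lambda name: ["203.0.113.5"]))
```

The design point is the `trusted` flag: a zone that has lapsed and been parked on a wildcard A record answers every query with a public address, and if only the in-range answers were filtered out the remaining ones would still look like legitimate hits. Tainting the whole verdict is what comment #10 asks for; the per-list `error_ranges` keep the Spamhaus-specific codes out of the general rule, which is what comment #6 objects to hardwiring.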