[Bug 2631] Option to restrict dnslists to specific networks and log a warning if they return IP addresses outside this range
https://bugs.exim.org/show_bug.cgi?id=2631

--- Comment #17 from Simon Arlott <bugzilla.exim.simon@arlott.org> ---
Created attachment 1372
--> https://bugs.exim.org/attachment.cgi?id=1372&action=edit
Patch to make valid lookup result addresses configurable

I've created a patch to make this configurable.

It could be used as follows:
dnslist_valid_addresses = ${if match{$dnslist_domain\
}{\N.spamhaus.org$\N}{!127.255.255.0/24 : }}127.0.0.0/8

A more flexible expansion would be to lookup the $dnslist_domain in a file:
*.spamhaus.org: !127.255.255.0/24 : 127.0.0.0/8

--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
[Bug 2631] Option to restrict dnslists to specific networks and log a warning if they return IP addresses outside this range
https://bugs.exim.org/show_bug.cgi?id=2631

--- Comment #18 from Simon Arlott <bugzilla.exim.simon@arlott.org> ---
There's a bug in the existing implementation because $dnslist_value will
contain all returned addresses, including the invalid ones.

I'll fix it in my patch and do the validation once up front.

[Bug 2631] Option to restrict dnslists to specific networks and log a warning if they return IP addresses outside this range
https://bugs.exim.org/show_bug.cgi?id=2631

Simon Arlott <bugzilla.exim.simon@arlott.org> changed:

What                         |Removed |Added
--------------------------------------------
Attachment #1372 is obsolete |0       |1

--- Comment #19 from Simon Arlott <bugzilla.exim.simon@arlott.org> ---
Created attachment 1373
--> https://bugs.exim.org/attachment.cgi?id=1373&action=edit
Patch to make valid lookup result addresses configurable

I've modified my patch to return DEFER if the dnslist_valid_addresses expansion
fails.

There was another bug in the current implementation because it doesn't verify
addresses when doing exact matching but those can be negated:
>>> check dnslists = rbl.test.ex!=127.0.0.1
>>> dnslists check: rbl.test.ex!=127.0.0.1
>>> dnslists: using result of previous lookup
>>> DNS lookup for 102.13.13.V4NET.rbl.test.ex succeeded (yielding 128.0.0.0)
->>> => that means V4NET.13.13.102 is listed at rbl.test.ex
->>> warn: condition test succeeded in ACL "check_vrfy"
->>> processing "warn" (TESTSUITE/test-config 27)
+>>> 128.0.0.0 in dnslist_valid_addresses? no (end of list)
+LOG: DNS list lookup for V4NET.13.13.102 at rbl.test.ex returned 128.0.0.0;
invalid address discarded
+>>> => all addresses are invalid
+>>> => that means V4NET.13.13.102 is not listed at rbl.test.ex
+>>> warn: condition test failed in ACL "check_vrfy"

I'm now updating the address list so that $dnslist_value will be correct:
>>> check dnslists = rbl.test.ex!=127.0.0.1
>>> dnslists check: rbl.test.ex!=127.0.0.1
>>> dnslists: using result of previous lookup
>>> DNS lookup for 104.13.13.V4NET.rbl.test.ex succeeded (yielding
255.255.255.255, 127.0.0.0)
+>>> 255.255.255.255 in dnslist_valid_addresses? no (end of list)
+LOG: DNS list lookup for V4NET.13.13.104 at rbl.test.ex returned
255.255.255.255; invalid address discarded
+>>> 127.0.0.0 in dnslist_valid_addresses? yes (matched "127.0.0.0/8")
+>>> => updated address list: 127.0.0.0
>>> => that means V4NET.13.13.104 is listed at rbl.test.ex
>>> warn: condition test succeeded in ACL "check_vrfy"

[Bug 2631] Option to restrict dnslists to specific networks and log a warning if they return IP addresses outside this range
https://bugs.exim.org/show_bug.cgi?id=2631

--- Comment #20 from Simon Arlott <bugzilla.exim.simon@arlott.org> ---
Here's a complete example with a lookup file
/etc/exim/invalid-dnslist-addresses:
*.spamhaus.org: !127.255.255.0/24
*.dnswl.org: !127.0.0.255

Configure:
dnslist_valid_addresses = ${lookup{$dnslist_domain}partial1-lsearch{\
/etc/exim/invalid-dnslist-addresses}{$value : }}127.0.0.0/8

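As an added illustration (not Simon's patch and not Exim's own code), here is a Python model of the validation the patch performs: the dnslist_valid_addresses setting from Comment #20 is expanded for the list domain, each returned address is checked with Exim-style first-match-wins list semantics (a leading "!" negates the item, no match means invalid), and invalid addresses are discarded with the log line seen in the traces, leaving only validated addresses for $dnslist_value. The partial1-lsearch step is approximated by trying the full key and then "*."-prefixed suffixes; that is an assumption about Exim's partial matching, not its exact algorithm, and the lookup file contents are constructed from the example in Comment #20.

```python
import ipaddress

# Constructed copy of the example /etc/exim/invalid-dnslist-addresses file.
INVALID_FILE = {
    "*.spamhaus.org": "!127.255.255.0/24",
    "*.dnswl.org": "!127.0.0.255",
}

def partial_lookup(domain, table):
    """Approximation (assumption, not Exim's code) of partial1-lsearch: the full
    key first, then '*.' plus the key with labels removed from the front."""
    labels = domain.split(".")
    keys = [domain] + ["*." + ".".join(labels[i:]) for i in range(len(labels))]
    for key in keys:
        if key in table:
            return table[key]
    return ""

def valid_addresses_for(domain):
    """Expand the dnslist_valid_addresses setting from Comment #20 for one domain."""
    extra = partial_lookup(domain, INVALID_FILE)
    return (extra + " : " if extra else "") + "127.0.0.0/8"

def parse_list(spec):
    """Colon-separated Exim list; a leading '!' marks a negated item."""
    items = []
    for item in (s.strip() for s in spec.split(":")):
        if item:
            negated = item.startswith("!")
            items.append((negated, ipaddress.ip_network(item.lstrip("! "), strict=False)))
    return items

def is_valid(addr, items):
    """First matching item decides; a negated item makes the address invalid."""
    ip = ipaddress.ip_address(addr)
    return next((not negated for negated, net in items if ip in net), False)

def filter_result(host, domain, returned):
    """Discard addresses outside dnslist_valid_addresses; return (kept, log)."""
    items = parse_list(valid_addresses_for(domain))
    kept, log = [], []
    for addr in returned:
        if is_valid(addr, items):
            kept.append(addr)
        else:
            log.append(f"DNS list lookup for {host} at {domain} returned {addr}; "
                       "invalid address discarded")
    return kept, log
```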