
Re: Bug in policy checking - is it fixed?



> Matti,
> 
> I think this is rather a coding issue.  In your case, the fact that
> you do DNS verification saves you.  If you have an entry of the form
> 
> [your.ip.address.0]/24 fulltrustnet +
> 
> DNS lookup is not performed and the "mail from" address of the form
> <somebody@[your.ip.address.anything]> apparently triggers fulltrustnet
> status while it obviously should not.

	Quite, as you can see from my other answer.

	The "fulltrustnet +" is an IP-address-related test, which
	should only be used in the connect-time tests, never in
	MAIL FROM or RCPT TO tests.

...
> mail from:<crosser@[194.67.3.135]>
> 250 2.1.0 Sender syntax Ok
> rcpt to:<a@aol.com>
> 250 2.1.5 Recipient address syntax Ok
> quit
> 221 2.0.0 chronos Out
> 
> This is in my policy:
> 
> online.ru = _full_rights
> [194.67.0.0]/18 = _full_rights
> _full_rights    rejectnet - fulltrustnet + relaytarget +
> 
> Note that despite _full_rights being assigned to both "online.ru" and
> the IP address, mail from @online.ru does not trigger relaying.

	Quite so, because the domain test (@online.ru) does not look
	for 'fulltrustnet +', nor for 'rejectnet -' attributes.

> Eugene

/Matti Aarnio
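
The behaviour discussed in this thread, as an added Python model that is not part of the original message and is not ZMailer's code: peer-only attributes ("fulltrustnet", "rejectnet") are honoured for an address literal only in the connect-time test, so a literal in MAIL FROM cannot grant trust. The function names and the `strict` flag are hypothetical; the policy entries are copied from the quoted message.

```python
import ipaddress

# Constructed policy mirroring the entries quoted in the thread.
ALIASES = {"_full_rights": {"rejectnet": "-", "fulltrustnet": "+", "relaytarget": "+"}}
NET_RULES = [(ipaddress.ip_network("194.67.0.0/18"), "_full_rights")]
DOMAIN_RULES = {"online.ru": "_full_rights"}
# Attributes that describe the connecting peer, not envelope text.
CONNECT_ONLY = {"rejectnet", "fulltrustnet"}


def lookup(key):
    """Return the attribute dict for an IP literal '[a.b.c.d]' or a domain."""
    if key.startswith("[") and key.endswith("]"):
        try:
            addr = ipaddress.ip_address(key[1:-1])
        except ValueError:
            return {}
        for net, alias in NET_RULES:
            if addr in net:
                return dict(ALIASES[alias])
        return {}
    return dict(ALIASES.get(DOMAIN_RULES.get(key.lower(), ""), {}))


def attrs_for(phase, key, strict=True):
    """Attributes usable in phase 'connect', 'mailfrom' or 'rcptto'."""
    attrs = lookup(key)
    peer_ok = key.startswith("[") and (phase == "connect" or not strict)
    if not peer_ok:
        # Envelope text is sender-controlled: drop peer-only attributes.
        attrs = {k: v for k, v in attrs.items() if k not in CONNECT_ONLY}
    return attrs


def sender_grants_trust(mail_from, strict=True):
    """True if the MAIL FROM domain part alone yields 'fulltrustnet +'."""
    domain = mail_from.strip("<>").rpartition("@")[2]
    return attrs_for("mailfrom", domain, strict).get("fulltrustnet") == "+"


def peer_is_trusted(peer_ip):
    """Connect-time test on the real socket address of the client."""
    return attrs_for("connect", f"[{peer_ip}]").get("fulltrustnet") == "+"
```

With `strict=False` the model reproduces the reported behaviour for the address-literal sender; the default keeps the trust decision tied to the socket address.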