
reject_rbl_client syntax problem: fatal: RBL reply error: missing "]" character

  • martijn.list
    Message 1 of 6 , Dec 10, 2012
      It's probably my misunderstanding on the reject_rbl_client syntax but if
      I use the following reject_rbl_client configuration, the mail logs
      tells me that the reject_rbl_client syntax is invalid:

      reject_rbl_client example.com=[127;128].0.0.1

      I use this as a restriction in smtpd_recipient_restrictions:

      smtpd_recipient_restrictions = permit_mynetworks
      reject_unauth_destination reject_rbl_client example.com=[127;128].0.0.1

      Upon receiving an email I get the following error in the mail log:

      fatal: RBL reply error: missing "]" character

      Somehow the [127;128] part is not correct. If I for example change this
      to 127.0.0.[1;2] then it works.

      Could it be that postfix thinks that [127;128] is an IP address with mx
      lookup disabled?

      I'm using Postfix 2.9.3

      Kind regards,

      Martijn Brinkers
    • Wietse Venema
      Message 2 of 6 , Dec 10, 2012
        martijn.list:
        > It's probably my misunderstanding on the reject_rbl_client syntax but if
        > I use the following reject_rbl_client configuration, the mail logs
        > tells me that the reject_rbl_client syntax is invalid:
        >
        > reject_rbl_client example.com=[127;128].0.0.1
        >
        > I use this as a restriction in smtpd_recipient_restrictions:
        >
        > smtpd_recipient_restrictions = permit_mynetworks
        > reject_unauth_destination reject_rbl_client example.com=[127;128].0.0.1
        >
        > Upon receiving an email I get the following error in the mail log:
        >
        > fatal: RBL reply error: missing "]" character

        There was an off-by-one error while stripping the optional [] around
        a DNS[BW]L address pattern (a user-friendliness feature). This
        part of the code is not documented and had escaped testing.
        Patch is attached.

        Wietse
      • Stan Hoeppner
        Message 3 of 6 , Dec 10, 2012
          On 12/10/2012 2:38 AM, martijn.list wrote:
          > It's probably my misunderstanding on the reject_rbl_client syntax

          No, it's your misunderstanding of the dnsbl reply syntax.

          > reject_rbl_client example.com=[127;128].0.0.1
          >
          > I use this as a restriction in smtpd_recipient_restrictions:
          >
          > smtpd_recipient_restrictions = permit_mynetworks
          > reject_unauth_destination reject_rbl_client example.com=[127;128].0.0.1

          Please demonstrate a dnsbl that responds with 128.x.x.x

          It's a trick question. You can't. 128.x.x.x is a valid IPv4 network
          and cannot be used generically because it is not reserved. The first
          "d" in "d.d.d.d" is always "127" per the dnsbl standard.

          Brush up on your dnsbl foo mate.

          --
          Stan
        • martijn.list
          Message 4 of 6 , Dec 11, 2012
            On 12/11/2012 04:17 AM, Stan Hoeppner wrote:
            > On 12/10/2012 2:38 AM, martijn.list wrote:
            >> It's probably my misunderstanding on the reject_rbl_client syntax
            >
            > No, it's your misunderstanding of the dnsbl reply syntax.
            >
            >> reject_rbl_client example.com=[127;128].0.0.1
            >>
            >> I use this as a restriction in smtpd_recipient_restrictions:
            >>
            >> smtpd_recipient_restrictions = permit_mynetworks
            >> reject_unauth_destination reject_rbl_client example.com=[127;128].0.0.1
            >
            > Please demonstrate a dnsbl that responds with 128.x.x.x
            >
            > It's a trick question. You can't. 128.x.x.x is a valid IPv4 network
            > and cannot be used generically because it is not reserved. The first
            > "d" in "d.d.d.d" is always "127" per the dnsbl standard.
            >
            > Brush up on your dnsbl foo mate.

            Calm down :)

            It was just an experiment not using a real world RBL (using my own
            private DNS just for testing) when I noticed that if the first part of
            the rbl syntax was between square brackets, it would fail. So to please
            you, reject_rbl_client example.com=[10;127].0.0.1 would fail as well.

            I guess in practice hardly no one will use it in this form but since I'm
            working on a web gui on which users can enter some RBL syntax I had to
            check what formats are accepted or not.

            Kind regards,

            Martijn Brinkers


            --
            DJIGZO email encryption
          • Stan Hoeppner
            Message 5 of 6 , Dec 12, 2012
              On 12/11/2012 2:03 AM, martijn.list wrote:

              > I guess in practice hardly no one will use it in this form but since I'm
              > working on a web gui on which users can enter some RBL syntax I had to
              > check what formats are accepted or not.

              Then you need to read the RFC here:
              http://tools.ietf.org/html/rfc5782

              For starters, only 127/8 is allowed in DNSxL replies. 127.0.0.1 is NOT
              allowed. You may also want to put a help box on the screen with the
              Postfix documentation for reject_rbl_client, or a more average person
              digestible version of it. I assume this is a control panel for paying
              customers, who are usually not the most technical types.

              --
              Stan
            • martijn.list
              Message 6 of 6 , Dec 12, 2012
                On 12/12/2012 01:00 PM, Stan Hoeppner wrote:
                > On 12/11/2012 2:03 AM, martijn.list wrote:
                >
                >> I guess in practice hardly no one will use it in this form but since I'm
                >> working on a web gui on which users can enter some RBL syntax I had to
                >> check what formats are accepted or not.
                >
                > Then you need to read the RFC here:
                > http://tools.ietf.org/html/rfc5782
                >
                > For starters, only 127/8 is allowed in DNSxL replies. 127.0.0.1 is NOT
                > allowed. You may also want to put a help box on the screen with the
                > Postfix documentation for reject_rbl_client, or a more average person
                > digestible version of it. I assume this is a control panel for paying
                > customers, who are usually not the most technical types.

                <nitpick mode>

                rfc5782 says:

                There is no widely used convention for mapping sublist names to bits
                or values, beyond the convention that all A values SHOULD be in the
                127.0.0.0/8 range to prevent unwanted network traffic if the value is
                erroneously used as an IP address.

                A should is not a must and a convention is a convention :)

                </nitpick mode>

                Anyway whether or not using anything other than 127/8 is beside the point.

                According to http://www.postfix.org/postconf.5.html#reject_rbl_client

                reject_rbl_client rbl_domain=d.d.d.d

                is a valid syntax. This was what I tested, nothing more nothing less.
                The Postfix main config parser didn't like the first "d" to be placed
                within square brackets even though the documentation says this should be
                possible, again whether or not you should do this is beside the (my)
                point. Wietse created a patch for this a few days back (12/10/2012).

                Using anything other than 127/8 is discouraged and probably never tested
                by anyone. However the implementation was not in line with the
                documentation or vice versa :)

                Kind regards,

                Martijn Brinkers

                --
                DJIGZO email encryption
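
Added example, not part of the original thread and not Postfix code: a Python sketch of the input check a front end like the one described above could run on a reject_rbl_client reply filter. It follows the d.d.d.d grammar in postconf(5) (each "d" is a number, or a "[]" group of ";"-separated numbers or number..number ranges) and accepts the optional outer "[]" mentioned in message 2. The function names are hypothetical, trying the bare form before stripping outer brackets is an assumption, and the 127/8 check is only a warning, per the RFC 5782 SHOULD quoted above.

```python
import re

# Grammar per postconf(5): d.d.d.d, each d a number or a [..] group.
_NUM = r"\d{1,3}"
_ITEM = rf"{_NUM}(?:\.\.{_NUM})?"                  # n  or  n..m
_FIELD = rf"(?:{_NUM}|\[{_ITEM}(?:;{_ITEM})*\])"   # n  or  [item;item;...]
_PATTERN = re.compile(rf"({_FIELD})\.({_FIELD})\.({_FIELD})\.({_FIELD})")

def field_values(field):
    """Expand one field into the set of octet values it matches."""
    values = set()
    for item in field.strip("[]").split(";"):
        lo, _, hi = item.partition("..")
        lo, hi = int(lo), int(hi or lo)
        if not (0 <= lo <= hi <= 255):
            raise ValueError(f"bad octet or range: {item!r}")
        values.update(range(lo, hi + 1))
    return values

def parse_reply_filter(text):
    """Return four sets of allowed octets, or raise ValueError."""
    m = _PATTERN.fullmatch(text)
    # Assumption: try the bare form first, so "[127;128].0.0.1" is read as a
    # bracketed first field, then retry with the optional outer [] removed.
    if m is None and text.startswith("[") and text.endswith("]"):
        m = _PATTERN.fullmatch(text[1:-1])
    if m is None:
        raise ValueError(f"not a d.d.d.d reply pattern: {text!r}")
    return [field_values(f) for f in m.groups()]

def check_restriction(arg):
    """Validate 'rbl_domain=pattern'; return (fields, warnings)."""
    domain, sep, pattern = arg.partition("=")
    if not (domain and sep):
        raise ValueError("expected rbl_domain=d.d.d.d")
    fields = parse_reply_filter(pattern)
    warnings = []
    if fields[0] != {127}:   # RFC 5782: A values SHOULD be in 127.0.0.0/8
        warnings.append("first octet can match replies outside 127.0.0.0/8")
    return fields, warnings

def reply_matches(fields, address):
    """True if a DNSxL A-record reply is selected by the parsed filter."""
    octets = [int(o) for o in address.split(".")]
    return len(octets) == 4 and all(o in f for o, f in zip(octets, fields))
```

The pattern that triggered the fatal error in the thread, `[127;128].0.0.1`, parses here and produces the 127/8 warning instead of being rejected.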