From: Gary Smith on
I have a need to migrate some IPs from a static file to a hash file. These are singleton IPs (hash CIDRs). My understanding is this is just a verification table, so as long as it exists (i.e. returns any value) it's considered allowed if there is a match. Is this correct?

i.e. would this be acceptable for this type of map?
10.20.0.2 ok
10.20.1.91 ok
....

We've found that some of the farm servers aren't updated with the proper client IPs and reloading the service each time seems a little overkill, and since we already have a process in place for dumping the other maps to the servers every 5 minutes, I might as well just add it there.

Gary-

From: /dev/rob0 on
On Mon, May 03, 2010 at 07:51:30AM -0700, Gary Smith wrote:
> I have a need to migrate some IPs from a static file to a hash
> file. These are singleton IPs (hash CIDRs). My understanding is
> this is just a verification table, so as long as it exists (i.e.
> returns any value) it's considered allowed if there is a match. Is
> this correct?

For a lookup of mynetworks, yes, the result is ignored.
http://www.postfix.org/postconf.5.html#mynetworks

> i.e. would this be acceptable for this type of map?
> 10.20.0.2 ok
> 10.20.1.91 ok
> ...
>
> We've found that some of the farm servers aren't updated with the
> proper client IPs and reloading the service each time seems a
> little overkill, and since we already have a process in place for
> dumping the other maps to the servers every 5 minutes, I might as
> well just add it there.

Sure, this is an improvement over what you had, but it seems strange
to me that mynetworks would be changing frequently. Perhaps SASL AUTH
is a better solution overall?
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header

From: Gary Smith on
> Sure, this is an improvement over what you had, but it seems strange
> to me that mynetworks would be changing frequently. Perhaps SASL AUTH
> is a better solution overall?

They don't change very often. Most of the time the problem is when adding new servers to the mix and old config files are copied over. This is part of the process we are improving upon. Until now we used mysql for several configuration settings and have migrated them to hash from our database. These values are updated on a web server every 5 minutes (if there is a change) and the postfix servers pull these values every 5 minutes (again, only if there is a change). The IP addresses also happen to exist in the same database so adding one line to the script allows us to make sure they stay in sync.

As for SASL AUTH, we do that in most cases but some of the endpoint admins don't seem to grasp the concept. If they provide us access to their server, we will even configure it for them, but they seem to want to run it their way.

Answer to the next question... because it pays the bills.

From: mouss on
Gary Smith wrote:
> I have a need to migrate some IPs from a static file to a hash file. These are singleton IPs (hash CIDRs).

hash != cidr

> My understanding is this is just a verification table, so as long as it exists (i.e. returns any value) it's considered allowed if there is a match. Is this correct?
>
> i.e. would this be acceptable for this type of map?
> 10.20.0.2 ok
> 10.20.1.91 ok
> ...
>

yes. but in this case, prefer cidr over hash.

> We've found that some of the farm servers aren't updated with the proper client IPs and reloading the service each time seems a little overkill, and since we already have a process in place for dumping the other maps to the servers every 5 minutes, I might as well just add it there.
>
> Gary-

From: Gary Smith on
> > I have a need to migrate some IPs from a static file to a hash file. These
> > are singleton IPs (hash CIDRs).
>
> hash != cidr

It was meant to read "singleton IPs (not CIDRs)". I need to do a little more proofreading before sending out these things.

> > i.e. would this be acceptable for this type of map?
> > 10.20.0.2 ok
> > 10.20.1.91 ok
> > ...
> yes. but in this case, prefer cidr over hash.

I think we are dealing with 50 or so IPs on a bunch of different blocks. The 10.20.x.x above was an example. Almost everything in the mydestination file is currently /32, with the exception of our internal ranges. It's these /32 that would be migrated to a hash.
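As an added example (my own, not code from anyone in this thread or from Postfix itself): a small Python model of the two points made above, that a mynetworks table lookup ignores the value column, and why a cidr: table is preferred over hash: for address lists. It models hash: as an exact match on the normalised client address and cidr: as network containment; the two sample tables are constructed, and the /32 generator assumes a single address family.

```python
import ipaddress

# Constructed sample tables in Postfix text-table form ("key value");
# they are illustrative, not anyone's real mynetworks data.
HASH_TABLE = """\
# singleton client addresses; the value column is never consulted
10.20.0.2 ok
10.20.1.91 anything-at-all
"""

CIDR_TABLE = """\
# the same hosts as /32 entries, plus a range a hash table cannot express
10.20.0.2/32 ok
10.20.1.91/32 ok
192.168.0.0/16 internal
"""


def parse_table(text):
    """Yield (key, value) pairs; blank lines and '#' comments are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            yield parts[0], (parts[1] if len(parts) > 1 else "")


def hash_match(table, client_ip):
    """hash: model of an exact lookup on the normalised client address."""
    wanted = str(ipaddress.ip_address(client_ip))
    return any(key == wanted for key, _ in parse_table(table))


def cidr_match(table, client_ip):
    """cidr: the client address is tested for containment in each entry."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(key, strict=False)
               for key, _ in parse_table(table))


def trusted_by_mynetworks(client_ip, tables):
    """True if any table matches; as stated in the thread, values are ignored."""
    return any(match(tbl, client_ip) for match, tbl in tables)


def ips_to_cidr_table(ips):
    """Render singleton IPv4 addresses as the /32 cidr lines a sync job could write."""
    addrs = sorted(ipaddress.ip_address(ip) for ip in set(ips))
    return "".join(f"{a}/32 ok\n" for a in addrs)
```

The generated text would still need to be installed as the table file named in mynetworks (cidr: tables are read directly and need no postmap step).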