author | Philip Hazel <ph10@hermes.cam.ac.uk> | 2007-01-17 11:17:58 +0000 |
---|---|---|
committer | Philip Hazel <ph10@hermes.cam.ac.uk> | 2007-01-17 11:17:58 +0000 |
commit | 431b736177e2cdfd0b4da4c8545d8b732286abe1 (patch) | |
tree | d7e40e4cdb12e9c0297384aaa05d03b8ad3230db /doc | |
parent | 22ad45c9e84aa0caab29371080c66e02f2b0aea2 (diff) |
Fix negated dnslists item bug; add == and =& features, courtesy Brad
Jorsch.
Diffstat (limited to 'doc')
-rw-r--r-- | doc/doc-txt/ChangeLog | 15 |
-rw-r--r-- | doc/doc-txt/NewStuff | 70 |
2 files changed, 83 insertions, 2 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 83bba99ee..240c815eb 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -1,4 +1,4 @@ -$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.453 2007/01/16 21:00:29 magnus Exp $ +$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.454 2007/01/17 11:17:58 ph10 Exp $ Change log file for Exim from version 4.21 ------------------------------------------- @@ -13,6 +13,19 @@ MH/01 Fix for bug #448, segfault in Dovecot authenticator when interface_address PH/01 Added a new log selector smtp_no_mail, to log SMTP sessions that do not issue a MAIL command. +PH/02 In an ACL statement such as + + deny dnslists = X!=127.0.0.2 : X=127.0.0.2 + + if a client was not listed at all, or was listed with a value other than + 127.0.0.2, in the X list, but was listed with 127.0.0.2 in the Y list, + the condition was not true (as it should be), so access was not denied. + The bug was that the ! inversion was incorrectly passed on to the second + item. This has been fixed. + +PH/03 Added additional dnslists conditions == and =& which are different from + = and & when the dns lookup returns more than one IP address. + Exim version 4.66 ----------------- diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index a24a21226..960f93ce8 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -1,4 +1,4 @@ -$Cambridge: exim/doc/doc-txt/NewStuff,v 1.126 2007/01/15 15:59:22 ph10 Exp $ +$Cambridge: exim/doc/doc-txt/NewStuff,v 1.127 2007/01/17 11:17:58 ph10 Exp $ New Features in Exim -------------------- 
@@ -38,6 +38,74 @@ Version 4.67 setting of 10 for smtp_accep_max_nonmail, the connection will in any case be aborted before 20 non-mail commands are processed. + 2. When an item in a dnslists list is followed by = and & and a list of IP + addresses, in order to restrict the match to specific results from the DNS + lookup, the behaviour was not clear when the lookup returned more than one + IP address. For example, consider the condition + + dnslists = a.b.c=127.0.0.1 + + What happens if the DNS lookup for the incoming IP address yields both + 127.0.0.1 and 127.0.0.2 by means of two separate DNS records? Is the + condition true because at least one given value was found, or is it false + because at least one of the found values was not listed? And how does this + affect negated conditions? + + The behaviour of = and & has not been changed; however, the text below + documents it more clearly. In addition, two new additional conditions (== + and =&) have been added, to permit the "other" behaviour to be configured. + + A DNS lookup may yield more than one record. Thus, the result of the lookup + for a dnslists check may yield more than one IP address. The question then + arises as to whether all the looked up addresses must be listed, or whether + just one is good enough. Both possibilities are provided for: + + . If = or & is used, the condition is true if any one of the looked up + IP addresses matches one of the listed addresses. Consider: + + dnslists = a.b.c=127.0.0.1 + + If the DNS lookup yields both 127.0.0.1 and 127.0.0.2, the condition is + true because 127.0.0.1 matches. + + . If == or =& is used, the condition is true only if every one of the + looked up IP addresses matches one of the listed addresses. Consider: + + dnslists = a.b.c==127.0.0.1 + + If the DNS lookup yields both 127.0.0.1 and 127.0.0.2, the condition is + false because 127.0.0.2 is not listed. You would need to have + + dnslists = a.b.c==127.0.0.1,127.0.0.2 + + for the condition to be true. 
+ + When ! is used to negate IP address matching, it inverts the result, giving + the precise opposite of the behaviour above. Thus: + + . If != or !& is used, the condition is true if none of the looked up IP + addresses matches one of the listed addresses. Consider: + + dnslists = a.b.c!&0.0.0.1 + + If the DNS lookup yields both 127.0.0.1 and 127.0.0.2, the condition is + false because 127.0.0.1 matches. + + . If !== or !=& is used, the condition is true there is at least one looked + up IP address that does not match. Consider: + + dnslists = a.b.c!=&0.0.0.1 + + If the DNS lookup yields both 127.0.0.1 and 127.0.0.2, the condition is + true, because 127.0.0.2 does not match. You would need to have + + dnslists = a.b.c!=&0.0.0.1,0.0.0.2 + + for the condition to be false. + + When the DNS lookup yields only a single IP address, there is no difference + between = and == and between & and =&. + Version 4.66 ------------ |
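Review bot: In the PH/02 entry added to doc/doc-txt/ChangeLog, the example line names list X in both items ("deny dnslists = X!=127.0.0.2 : X=127.0.0.2") while the explanation talks about a client "listed with 127.0.0.2 in the Y list". As written the two X items contradict each other, so the failure described cannot be read off the example; the second item should presumably be Y=127.0.0.2. Because the entry documents a case where "access was not denied", the example needs to match the text exactly so that administrators can check their own ACLs for a negated item followed by another item.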
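Review bot: In item 2 added to doc/doc-txt/NewStuff, the bullet for !== and !=& reads "the condition is true there is at least one looked up IP address that does not match", which is missing "if" after "true". In the same item, the opening sentence says an item is "followed by = and &" where "= or &" is meant, and "two new additional conditions" is redundant. The negated examples also switch from = to & with values such as 0.0.0.1, and the text relies on 127.0.0.1 "matching" 0.0.0.1 without saying how & compares addresses; one sentence stating the comparison rule for & before the first & example would make the true/false outcomes checkable by the reader. An ACL author who picks the wrong operator here gets the opposite accept or deny decision for multi-record lookups, so the wording of these four cases should be unambiguous.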