3 access questions
on 17.10.2007 05:58:48 by Sunshine Arcade
Hi,
I have an ever growing hand maintained access db and have the following
questions that hopefully some people here can help me with.
1. Access not catching all
Some of the entries in the db keep getting through. I have some REJECTS in
IP notation as well as:
Connect:arcor-ip.net REJECT
Connect:Mary@bellsouth.net REJECT
Connect:boomtown.net REJECT
Connect:bresnan.net REJECT
From:comcast.net REJECT
From:mickymouse@comcast.net OK
Connect:hinet.net REJECT
Connect:ms53.hinet.net REJECT
2. Is it possible to put comments in the access text file?
3. In the previous example, will mickey mouse get his mail or should the
order be reversed to block comcast.net but allow mickeymouse@comcast.net?
TIA
Paul
Re: 3 access questions
on 17.10.2007 11:50:15 by Tilman Schmidt
Paul Hickey wrote:
> I have an ever growing hand maintained access db and have the following
> questions that hopefully some people here can help me with.
>
> 1. Access not catching all
>
> Some of the entries in the db keep getting through. I have some REJECTS in
> IP notation as well as:
> Connect:arcor-ip.net REJECT
> Connect:Mary@bellsouth.net REJECT
> Connect:boomtown.net REJECT
> Connect:bresnan.net REJECT
> From:comcast.net REJECT
> From:mickymouse@comcast.net OK
> Connect:hinet.net REJECT
> Connect:ms53.hinet.net REJECT
Hard to tell without an actual example, but I guess the mails that are
getting through are not really matching the entries, even though you
might think so. Post an example.
Btw, the entry
> Connect:Mary@bellsouth.net REJECT
doesn't really make sense.
> 2. Is it possible to put comments in the access text file?
Yes. Just start the line with "#".
> 3. In the previous example, will mickey mouse get his mail or should the
> order be reversed to block comcast.net but allow mickeymouse@comcast.net?
The order of entries in the access file is irrelevant; it will be
converted into a database anyway. But as the lines in your example
specify "From:" as the tag, mails *to* mickey won't be affected by
them, anyway.
--
Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...
Re: 3 access questions
on 18.10.2007 16:15:12 by Bill Cole
In article ,
Paul Hickey wrote:
> Hi,
> I have an ever growing hand maintained access db and have the following
> questions that hopefully some people here can help me with.
>
> 1. Access not catching all
>
> Some of the entries in the db keep getting through. I have some REJECTS in
> IP notation as well as:
> Connect:arcor-ip.net REJECT
> Connect:Mary@bellsouth.net REJECT
> Connect:boomtown.net REJECT
> Connect:bresnan.net REJECT
> From:comcast.net REJECT
> From:mickymouse@comcast.net OK
> Connect:hinet.net REJECT
> Connect:ms53.hinet.net REJECT
A subset of your access file and no specifics about what mail is getting
through (i.e. real log lines!) makes it impossible for anyone without
paranormal powers to help with any specificity on this question.
In general, apparent access 'leakage' can be the result of:
1. Forgetting to actually make the map file from the text source.
2. Failing to build the sendmail.cf file from a sendmail.mc that
includes the accessdb feature.
3. Having multiple entries that match the same SMTP transaction with an
'OK' or 'RELAY' entry overriding a 'REJECT' entry.
4. A cracked account on a system that allows authenticated users to be
immune from the access map.
5. Access map rules based on message data (i.e. From and To headers or
distantly-composed Received headers) rather than on SMTP transaction
parameters, i.e. connecting client IP address and rDNS name and envelope
sender and recipient addresses. Access rules do not apply to message
data, even data from header fields that frequently matches some SMTP
transaction parameter.
> 2. Is it possible to put comments in the access text file?
Yes. As the makemap man page states, lines beginning with # are ignored.
> 3. In the previous example, will mickey mouse get his mail or should the
> order be reversed to block comcast.net but allow mickeymouse@comcast.net?
The vagueness and likely inaccuracy of that question make me think that
it is pointless to answer it as stated. Please re-examine and re-state
what you actually mean to be asking and provide the access rules that
you think should be relevant.
Note that the documentation on the way exceptions work in the access map
is not completely clear, to the point where misconceptions about things
like ordering relevance are widespread. The general rule is that more
specific rules override less specific ones, and both the timing AND the
order of checking are sensitive to the 'delay_checks' feature. Order is
irrelevant, as the whole thing is converted to a hash table. Sendmail
looks up full addresses, hostnames, and IPs *AND* broader parts of them
(i.e. IP ranges on octet boundaries, domain parts of email addresses,
parent domains of hostnames and address domain parts) with the more
specific keys overriding the less specific ones. The best single chunk
of documentation of this is in the cf/README file, and it is not a
brilliantly clear description. It helps to also look at the code in a
working sendmail.cf, if you can read that. I don't recall ever getting
much enlightenment on the access map from the ops guide or the Bat book,
but it can't hurt to look in those places as well.
--
Now where did I hide that website...
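
The lookup behaviour described in the replies above (order-independent hash lookup, "#" comment lines, more specific keys overriding less specific ones), as an added example that is not part of the original thread and is not sendmail's own ruleset code. It is a simplified model: the function names, the 192.0.2 entry and the candidate order (hostname before IP) are assumptions, and untagged keys and 'delay_checks' are left out.

```python
# Simplified model of access-map lookup; NOT sendmail's actual rulesets.
# Constructed sample, based on the entries quoted in the thread.
ACCESS_TEXT = """\
# lines beginning with '#' are ignored when the map is built
From:comcast.net            REJECT
From:mickymouse@comcast.net OK
Connect:hinet.net           REJECT
Connect:192.0.2             REJECT
Connect:Mary@bellsouth.net  REJECT
"""

def build_map(text):
    """Parse the text source into a dict, standing in for the hash map."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value.strip()  # this model compares keys case-insensitively
    return table

def parent_domains(host):
    """ms53.hinet.net -> ms53.hinet.net, hinet.net, net (most specific first)."""
    labels = host.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def ip_prefixes(ip):
    """192.0.2.7 -> 192.0.2.7, 192.0.2, 192.0, 192 (octet boundaries only)."""
    octets = ip.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]

def lookup(table, tag, candidates):
    """Return (key, action) for the first, i.e. most specific, matching key."""
    for cand in candidates:
        key = f"{tag}:{cand}".lower()
        if key in table:
            return key, table[key]
    return None, None

def check_sender(table, envelope_sender):
    """From: keys are matched against the envelope sender, not message headers."""
    _, _, domain = envelope_sender.rpartition("@")
    return lookup(table, "From", [envelope_sender] + parent_domains(domain))

def check_connect(table, client_ip, client_rdns):
    """Connect: keys are matched against the client's rDNS name and IP address."""
    return lookup(table, "Connect", parent_domains(client_rdns) + ip_prefixes(client_ip))
```

In this model a Connect: key containing a user part, such as Connect:Mary@bellsouth.net, is never among the candidates generated for a connecting client, so it cannot match.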