Problem with whitelisting CIDR blocks with greylisting and IPv6

Vernon Schryver vjs@calcite.rhyolite.com
Fri Jan 30 23:04:21 UTC 2009


> From: Irelann Anderson 

> We've been experimenting with IPv6 for years, but real deployment has been
> going on for only a few months.  I recently noticed we had internal mail
> clients and servers that were getting greylisted and I wanted to whitelist
> our entire IPv6 block for now.  My initial go at this was to add the
> following line to grey_whitelist:
>
> ok      IP      2610:48::/32
>
> However dbclean produced the message:
>
> CIDR block length in 2610:48::/32 too large in line 24 of
> /var/dcc/grey_whitelist
>
> On looking at the source code, it appears that I can't specify a prefix
> shorter than /112.  Since the smallest network you would normally use in
> IPv6 has a prefix of /64, that makes whitelisting by network block a bit
> difficult in IPv6.
>
> Am I reading this wrong, or is there a way to do this that I've missed?


The reason for that restriction is that the DCC or DCC greylist server
database does not really know the difference between the checksum of
an IP address and the checksum of a message body.  The server knows
only about checksums.  That is also why the greylist masking of IP
addresses is done by the DCC client with `dccm -G IPmask/xx` or
`dccifd -G IPmask/xx`.

To whitelist a class-B or /32 block of IP addresses for the server,
dbclean adds 65,536 checksums to the database.  You can see this
by pointing dbclean at a test database with whitelist or grey_whitelist
containing "ok IP 2610:48::/112" and then using `dblist -vvv` to
look at the resulting file.  Allowing an /8 IPv4 CIDR block of server
whitelisting would be painful.  A /32 IPv6 block would simply not work;
2^96 is a big number.

In other words, server whitelists are a generally bad idea that sounded
good at the time but in the name of compatibility can't be killed.

The solution is to add "ok IP 2610:48::/32" to the client whitelists.
This may be more work than adding to the server whitelist, but it does
a more complete job of whitelisting.  Client-side whitelisted mail
is not reported to the DCC server.

It's hard to say which is more error prone.  If you forget to add to
/var/dcc/whiteclnt on one mail system, some mail won't get whitelisted
if it hits that mail system.  If you have more than one DCC server and
miss one whitelist file, about the same bad thing happens.


Vernon Schryver    vjs@rhyolite.com
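The difference Vernon describes between the two whitelists is a difference in where the CIDR block gets evaluated: the server side has only checksums, so dbclean must expand a block into one checksum per address, while the client can match the connecting address against the block directly. The following script is an added example, not part of this thread and not DCC's own code. It parses `ok IP <cidr>` lines of the kind quoted above, reports how many per-address checksums a server whitelist would need for each block, and shows the client-side match that makes `2610:48::/32` workable. The cap of 2^16 addresses (an IPv6 /112, the 65,536 checksums mentioned in the reply) is an assumption drawn from the thread; DCC's actual limits and dbclean's messages are not reproduced here. The sample whitelist file is constructed.

```python
"""Server-side expansion cost versus client-side matching for DCC-style
IP whitelists.  Added example; not DCC code."""
import ipaddress

# Assumption taken from the thread: the server database stores one checksum
# per whitelisted address, and the largest block it will accept is 2^16
# addresses (an IPv6 /112).  DCC's real limit may differ.
MAX_SERVER_EXPANSION = 2 ** 16

# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE_GREY_WHITELIST = """\
# constructed grey_whitelist / whiteclnt sample
ok      IP      2610:48::/32
ok      IP      2610:48::/112
ok      IP      10.0.0.0/8
ok      IP      192.0.2.0/24
"""
SAMPLE_LINES = SAMPLE_GREY_WHITELIST.splitlines()


def parse_whitelist_line(line):
    """Parse one 'verdict IP cidr' line.  Returns (verdict, network), or
    None for blank and comment lines.  A bare address is treated as a
    single-host block."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split()
    if len(parts) != 3 or parts[1].upper() != "IP":
        raise ValueError(f"unrecognized whitelist line: {line!r}")
    verdict, _, target = parts
    return verdict, ipaddress.ip_network(target, strict=False)


def server_checksum_count(network):
    """Checksums dbclean would have to add to expand this block address by
    address: 2^(address bits - prefix length)."""
    return network.num_addresses


def check_server_whitelist(lines):
    """For each CIDR line return (lineno, network, checksum_count, accepted),
    where accepted means the expansion fits under MAX_SERVER_EXPANSION."""
    results = []
    for lineno, line in enumerate(lines, 1):
        parsed = parse_whitelist_line(line)
        if parsed is None:
            continue
        _verdict, net = parsed
        count = server_checksum_count(net)
        results.append((lineno, str(net), count, count <= MAX_SERVER_EXPANSION))
    return results


def client_whitelisted(addr, lines):
    """Client-side check: the DCC client knows the peer's address, so it can
    test membership in the block without expanding it.  Returns the verdict
    of the first matching line, or None."""
    ip = ipaddress.ip_address(addr)
    for line in lines:
        parsed = parse_whitelist_line(line)
        if parsed is None:
            continue
        verdict, net = parsed
        if ip.version == net.version and ip in net:
            return verdict
    return None


if __name__ == "__main__":
    print("server-side expansion cost per line:")
    for lineno, net, count, accepted in check_server_whitelist(SAMPLE_LINES):
        state = "fits" if accepted else "too large for server whitelist"
        print(f"  line {lineno}: {net:<16} -> 2^{count.bit_length() - 1} "
              f"checksums ({state})")
    print("client-side match, no expansion needed:")
    for peer in ("2610:48:1::25", "2610:49::1", "10.1.2.3"):
        print(f"  {peer:<16} -> {client_whitelisted(peer, SAMPLE_LINES)}")
```

Running it shows `2610:48::/32` needing 2^96 checksums and `10.0.0.0/8` needing 2^24 on the server side, while the same `/32` line matches a peer such as `2610:48:1::25` instantly on the client. That is the trade-off in the reply: the client whitelist has to be maintained on every mail host, but it can express blocks the server database cannot.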


