From: Lionel B. <lio...@bo...> - 2004-10-21 20:39:22
Klaus Alexander Seistrup wrote the following on 10/21/04 08:02 :

> Lionel Bouton wrote:
>
>> If you have enhancements in mind, feel free to discuss them on the
>> mailing-list and put a RFE on sourceforge.
>
> I find postgrey's postfix_whitelist_clients.local feature highly
> useful, especially that I can use regexps to specify allowed clients.
> Should be very easy to implement, I think.
>
> Cheers,

Ok. Here's what I have in mind for SQLgrey 1.3 to allow something like this:

1/ Group conf in a new /etc/sqlgrey directory

Move the current /etc/sqlgrey.conf into it.
Add a /etc/sqlgrey/clients_whitelist file that will be distributed with future SQLgrey releases (not meant to be modified by users, but submissions of known weird clients will be encouraged).
Add an empty /etc/sqlgrey/clients_whitelist.local file meant to be set up by the local admin.

2/ Format of client_whitelist*

Classic '#' comments, spaces ignored, empty lines ignored.

Line format:

# 1 regexp on fqdn

/regexp/ : match the fqdn if Postfix could look it up; the regexp will be a case-insensitive Perl regexp (see man perlre).
/domain.tld$/ : any client with an A record in domain.tld will be whitelisted.
/^a.fqdn.tld$/ : a.fqdn.tld will be whitelisted.

# 2 IP/net match

aaa.bbb.ccc.ddd
aaa.bbb.ccc : match the first bytes of the sender's IP address. I don't think it's a good idea to match against whole class B networks...

3/ Runtime configuration

SQLgrey will monitor the sqlgrey_whitelist_clients.local file by stat'ing the file on each request and reloading if the mtime has changed. sqlgrey_whitelist_clients won't be checked (don't touch that).

4/ Integration into current SQLgrey

This whitelist will be top priority: the AWL checks will be done *after* the whitelist check.
The net_whitelist supported only with PostgreSQL will be deprecated: SQLgrey won't create the table anymore; if the table is empty it will drop it, if not it will print a big scary warning advising to move to the new whitelist (but will still use it).

Note: regexp matching will be slow because I will need to match against each entry; this is an O(n) algorithm -> don't put too many regexps in whitelists. The IP/net whitelist will be quick because it will be based on 2 hashes (one for the IPs, one for the class C nets): expect O(log(n)) perfs.

Suggestions welcomed,

Regards,

Lionel.
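The whitelist format, the two-hash/linear-scan lookup and the stat()-based reload described in the message above, as an added illustration that is not part of the original post and not SQLgrey's own code (SQLgrey is written in Perl; this is a Python stand-in using Python's `re`, which is close to but not identical with perlre). Assumptions made here: '#' comments are whole-line only, an entry is either `/regexp/`, `a.b.c.d` or `a.b.c`, an empty `//` is rejected so it cannot whitelist every client, a file that fails to parse keeps the previous rules instead of taking the policy daemon down, and the file name, sample entries and IP addresses are constructed for the example.

```python
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample in the proposed clients_whitelist format (not a real file).
SAMPLE_WHITELIST = r"""
# known-good clients (constructed example)
/bigisp\.example$/
/^mx1\.partner\.example$/
192.0.2.10
198.51.100
"""

# "a.b.c.d" -> exact host, "a.b.c" -> first three bytes (class C net).
IPV4 = re.compile(r'^(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:\.(\d{1,3}))?$')


@dataclass
class Whitelist:
    regexps: List[re.Pattern] = field(default_factory=list)  # scanned in order: O(n)
    ips: Set[str] = field(default_factory=set)               # exact hosts: hash lookup
    nets: Set[str] = field(default_factory=set)              # "a.b.c" prefixes: hash lookup
    mtime: Optional[float] = None                            # mtime of the file we parsed


def parse_whitelist(text: str) -> Whitelist:
    """Parse the whitelist format: '#' comment lines, blank lines, /regexp/, IP, net."""
    wl = Whitelist()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()                    # spaces ignored
        if not line or line.startswith('#'):  # empty lines and comments ignored
            continue
        # len > 2 rejects a bare "//": an empty pattern would match every fqdn.
        if line.startswith('/') and line.endswith('/') and len(line) > 2:
            wl.regexps.append(re.compile(line[1:-1], re.IGNORECASE))
            continue
        m = IPV4.match(line)
        if m and all(int(o) <= 255 for o in m.groups() if o is not None):
            (wl.nets if m.group(4) is None else wl.ips).add(line)
            continue
        raise ValueError(f"line {lineno}: unrecognised whitelist entry {raw!r}")
    return wl


def is_whitelisted(wl: Whitelist, client_ip: str, client_fqdn: Optional[str]) -> bool:
    """Hash lookups first (exact IP, then its /24), regexps last and only with a name."""
    if client_ip in wl.ips or client_ip.rsplit('.', 1)[0] in wl.nets:
        return True
    # Postfix hands the policy server client_name=unknown when the lookup failed,
    # so regexps are only tried when the fqdn was actually resolved.
    if client_fqdn and client_fqdn != 'unknown':
        return any(r.search(client_fqdn) for r in wl.regexps)
    return False


def reload_if_changed(path: str, current: Optional[Whitelist]) -> Whitelist:
    """stat() the file on every request; re-read it only when the mtime changed."""
    try:
        mtime = os.stat(path).st_mtime
    except FileNotFoundError:
        return current if current is not None else Whitelist()  # no .local file: no rules
    if current is not None and current.mtime == mtime:
        return current
    try:
        with open(path, encoding='utf-8') as fh:
            wl = parse_whitelist(fh.read())
    except ValueError:
        if current is None:
            raise
        # Keep the last good rules rather than dying; remember the mtime so the
        # broken file is not re-parsed on every single request.
        current.mtime = mtime
        return current
    wl.mtime = mtime
    return wl


def demo_reload() -> dict:
    """Exercise the reload with a throwaway file (constructed data)."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, 'clients_whitelist.local')
        with open(path, 'w', encoding='utf-8') as fh:
            fh.write("192.0.2.10\n")
        wl = reload_if_changed(path, None)
        before = is_whitelisted(wl, '203.0.113.5', 'mx.newclient.example')
        # The admin adds a regexp; bump the mtime explicitly so the change is
        # visible even on filesystems with coarse timestamp resolution.
        with open(path, 'a', encoding='utf-8') as fh:
            fh.write("/newclient\\.example$/\n")
        os.utime(path, (wl.mtime + 2, wl.mtime + 2))
        wl2 = reload_if_changed(path, wl)
        after = is_whitelisted(wl2, '203.0.113.5', 'mx.newclient.example')
        cached = reload_if_changed(path, wl2) is wl2  # same mtime: no re-parse
        return {'before': before, 'after': after, 'cached': cached}
```

Two things worth noting when writing entries in this format. A dict/set lookup is constant time on average, so the IP and net checks cost the same whatever the list size, whereas every regexp is tried in turn. And because a whitelist hit skips greylisting entirely, regexps should be anchored and dots escaped: an unescaped `.` matches any character and an unanchored `/domain.tld$/` also matches `evildomain.tld`, which is why the sample above writes `/^mx1\.partner\.example$/`.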