nullstream / spf_dump

Script to dump all IP addresses associated with the SPF record for a domain.

Address pattern errors #4

Open steveluscher opened 11 years ago

steveluscher commented 11 years ago

Thanks for this script. It's awesome!

I'm using this with postscreen; letting it create a static domain whitelist. Postscreen reported the following errors with two Amazon ranges, and one GitHub IP range:

# Amazon
Aug  9 15:57:18 localhost postfix/postscreen[7533]: warning: cidr map /etc/postfix/postscreen_access.cidr, line 8: non-null host address bits in "194.7.41.152/28", perhaps you should use "194.7.41.144/28" instead: skipping this rule
Aug  9 15:57:18 localhost postfix/postscreen[7533]: warning: cidr map /etc/postfix/postscreen_access.cidr, line 40: bad address pattern: "Mails-1951040932.us-west-2.elb.amazonaws.com.": skipping this rule
# GitHub
Aug  9 15:57:18 localhost postfix/postscreen[7533]: warning: cidr map /etc/postfix/postscreen_access.cidr, line 278: non-null host address bits in "50.22.251.8/27", perhaps you should use "50.22.251.0/27" instead: skipping this rule

nullstream commented 11 years ago

Thanks.

I did some checking and the values postscreen is warning about are from the original SPF record for those two domains. Very annoying and basic mistake to make. If either company had responsive support I'd mention the mistake to them directly.

The first is in the first line of responses for spf1.amazon.com (included recursively from amazon.com). The second appears to be included from a company called mailgun.org (which is included in the github records).

The only solution other than calling the vendors and noting the odd subnet in their SPF records would be to pre-test all the subnets returned... though they may have a specific reason for including those specific masks... I'll think on it more.

If you have any ideas, or any ideas on how to add more to this script, feel free to let me know.

steveluscher commented 11 years ago

I'm pumped that you took this seriously and got to the bottom of it, Sean! I don't have any ideas, because I never learned how IP ranges work. Would something like this help to validate the ranges before we use them? http://python-iptools.readthedocs.org/en/latest/
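One way to pre-test the ranges before they reach `postscreen_access.cidr`, as an added example that is not part of the thread or of spf_dump itself. It uses Python's standard `ipaddress` module rather than the iptools library linked above; the function names, the `permit` action and the sample list are assumptions made for illustration.

```python
import ipaddress
import sys

# Constructed sample: the three values from the postscreen warnings above,
# plus a duplicate, a bare address and an IPv6 range added for illustration.
SAMPLE = [
    "194.7.41.152/28",
    "Mails-1951040932.us-west-2.elb.amazonaws.com.",
    "50.22.251.8/27",
    "50.22.251.0/27",
    "192.0.2.10",
    "2001:db8::1/32",
]

def normalize_entries(entries):
    """Return (cidrs, adjusted, rejected) for a list of SPF-derived entries.

    cidrs    -- unique network strings with host bits cleared, input order kept
    adjusted -- (original, corrected) pairs where host bits had to be masked
    rejected -- entries that are not IP addresses or networks (e.g. hostnames)
    """
    cidrs, adjusted, rejected, seen = [], [], [], set()
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        try:
            # ip_interface accepts "address/prefix" even when host bits are set.
            iface = ipaddress.ip_interface(entry)
        except ValueError:
            rejected.append(entry)  # never written to the map, only reported
            continue
        net = iface.network  # same prefix with the host bits masked off
        if iface.ip != net.network_address:
            adjusted.append((entry, str(net)))
        if net not in seen:
            seen.add(net)
            cidrs.append(str(net))
    return cidrs, adjusted, rejected

def render_access_map(cidrs, action="permit"):
    """Format networks as 'pattern<TAB>action' lines for a postscreen cidr table."""
    return "".join(f"{cidr}\t{action}\n" for cidr in cidrs)

if __name__ == "__main__":
    cidrs, adjusted, rejected = normalize_entries(SAMPLE)
    sys.stdout.write(render_access_map(cidrs))
    for before, after in adjusted:
        print(f"adjusted {before} -> {after}", file=sys.stderr)
    for entry in rejected:
        print(f"rejected {entry}", file=sys.stderr)
```

Adjusted and rejected entries go to stderr so the generated map stays clean and the operator can review what was changed before trusting the allowlist.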