CIDR Notation is Confusing

I think I just got this right for our setup. We have a set of networks that start at 10.0.1.0 and go up to 10.254.1.0. Initially our Zimbra server just had the default 127.0.0.1 address for trusted networks and as soon as some of our users started pointing their Outlook and Thunderbird clients at it, it failed. So a few weeks back I opened a case with Zimbra support after having added 10.0.0.0/24 and still having trouble. The Zimbra support person, after seeing the denial in our log, recommended that I change it to 10.0.0.0/16. This seemed to fix things. Until recently.
As I've been migrating our domains to Zimbra, some of them started having trouble this week as they've started to try using Outlook. It turns out that I had a fundamental misunderstanding of the CIDR notation used by postfix (and therefore Zimbra). My assumption was that 10.0.0.0/24 equated to: "any network that starts with 10." I suspect a lot of you aren't networking experts either... My second call into support yielded a look at the RFC 1918 for private address space. This made me wonder whether I'd gotten it wrong.
The /24 is the same as saying 255.255.255.0 in subnet mask talk. The first 255 octet matched with the first octet of the 10.0.0.0 network yields: "10 and ONLY 10". The second 255 octet in the mask with the second octet in 10.0.0.0 yields: "0 and ONLY 0". The third 255 octet in the mask with the third octet in 10.0.0.0 yields: "0 and ONLY 0". And the last octet from the mask and the network yield: "Anything from 1-254". So, this CIDR notation was limiting me only to hosts starting at 10.0.0.1 through 10.0.0.254. Completely wrong for my network.
The change to /16 made some things work because that mask plus the 10.0.0.0 equates to 10.0.1.1 through 10.0.254.254. Since my network is 10.0.3.x, my Thunderbird client could now send mail. As could many of the initial domains I was migrating because they fell within that range. However, recent migrations have moved me into territory where the second octet would be something other than 0 and would henceforth result in denial.
So after some thought, I tried 10.0.0.0/8. This appears to have worked. That CIDR notation translates to: "Any viable network that starts with a 10." This appears to have fixed the problem. While it might appear elementary to those with experience with either Postfix or networking, it's not entirely clear to the uninitiated (which is why I'm posting this hoping to help someone else). My original concept of CIDR was the exact opposite of how it really works which is why I started out with the 10.0.0.0/24 notation.
Hope this helps someone else.
Last edited by deckard; 12-07-2007 at 01:30 PM..
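The mask arithmetic the post walks through, as an added example (editor's code, not from the post and not Zimbra's or Postfix's own implementation). It builds the mask from the prefix length, computes the exact first and last address each of 10.0.0.0/24, /16 and /8 covers, and models the Postfix `mynetworks` trust decision for a few constructed client addresses; the result is cross-checked against Python's `ipaddress` module. The client addresses and the `is_trusted` helper are assumptions made for illustration.

```python
# Added example: CIDR matching done by hand, cross-checked with the stdlib.
# Not code from the original post or from Zimbra/Postfix.
import ipaddress


def ip_to_int(ip: str) -> int:
    """Pack a dotted-quad IPv4 address into a 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {ip!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    """Inverse of ip_to_int."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_mask(prefix: int) -> int:
    """/N -> 32-bit mask with the top N bits set (/24 -> 255.255.255.0)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length must be 0..32, got {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def cidr_range(cidr: str) -> tuple[str, str, str]:
    """Return (mask, first address, last address) covered by a CIDR block."""
    base, prefix = cidr.split("/")
    mask = prefix_mask(int(prefix))
    network = ip_to_int(base) & mask          # the bits the mask pins down
    last = network | (~mask & 0xFFFFFFFF)     # every host bit set
    return int_to_ip(mask), int_to_ip(network), int_to_ip(last)


def in_cidr(ip: str, cidr: str) -> bool:
    """True if ip is inside cidr: only the bits the mask keeps are compared."""
    base, prefix = cidr.split("/")
    mask = prefix_mask(int(prefix))
    return (ip_to_int(ip) & mask) == (ip_to_int(base) & mask)


def is_trusted(client_ip: str, mynetworks: list[str]) -> bool:
    """Hypothetical model of the Postfix mynetworks test: any block may match."""
    return any(in_cidr(client_ip, block) for block in mynetworks)


def matches_stdlib(ip: str, cidr: str) -> bool:
    """Same question answered by the standard library, for cross-checking."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


if __name__ == "__main__":
    # Constructed sample client addresses (not taken from the post).
    clients = ["10.0.0.9", "10.0.3.17", "10.57.1.9", "192.168.1.5"]
    for block in ("10.0.0.0/24", "10.0.0.0/16", "10.0.0.0/8"):
        mask, first, last = cidr_range(block)
        print(f"{block:12} mask {mask:16} covers {first} - {last}")
        for client in clients:
            ours = in_cidr(client, block)
            assert ours == matches_stdlib(client, block)
            print(f"    {client:12} {'trusted' if ours else 'DENIED'}")
```

Running it shows why the first two attempts failed: 10.0.0.0/24 covers only 10.0.0.0 through 10.0.0.255, 10.0.0.0/16 covers 10.0.0.0 through 10.0.255.255 (so a 10.0.3.x client passes but a 10.57.x.x client is denied), and 10.0.0.0/8 covers all of 10.0.0.0 through 10.255.255.255. Because `mynetworks` grants relay permission, a block as wide as /8 trusts every address in that space, so listing only the subnets that actually host mail clients is the tighter configuration when the layout allows it.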