RBL whitelist?
in [Postfix]
|
From: Wietse Venema on 15 Mar 2010 19:31 Wietse Venema: > Erik Logtenberg: > > > > >> However in the case where the whitelist is (completely) unavailable for > > >> some period of time, I still think that my suggestion applies, don't you > > >> agree? > > > > > > No. It is assumed that you use a sufficiently reliable DNSWL. Ideally > > > a local mirror, and if it becomes unavailable you use appropriate > > > administrative intervention. > > > > Lol... > > > > My statement is: > > "A implies B" > > > > and you respond with: No, because: > > "not A" > > > > Logically, even if "not A" is the case, then still you haven't denied > > the given implication. In fact in the strictest sense you even affirmed > > it, because "not A" implies "A implies B", since false implies everything. > > It is a mistake to REJECT mail because a DNS whitelist server is down. > Instead, the safe action is DEFER_IF_PERMIT. Argh. DEFER_IF_REJECT (we must not reject this mail because we don't know if it should have been whitelisted). Wietse
From: Noel Jones on 15 Mar 2010 21:47 On 3/15/2010 6:26 PM, Erik Logtenberg wrote: > This whitelist is 1409 records long, so indeed as you say very small. I > suppose I could download it and host it locally. Apparently AXFR is not > allowed, but plain text HTTP download is, so that's good enough. > Then I would only need an efficient and robust way for postfix to use it. If they let you download a list of IPs, just use your favorite sed/awk/perl to change it into an access table. -- Noel Jones
From: Stefan Foerster on 17 Mar 2010 13:54 * Wietse Venema <wietse(a)porcupine.org>: > Erik Logtenberg: > > Wietse, is there a reason why you would not want a permit_rbl_client > > feature in postfix? If not, then I would like to hereby suggest this > > feature request. > > If you would approve the feature request but don't have the time and/or > > other incentive to implement it, I'd gladly try to submit a patch. > > I understand what needs to happen when the DNS server replies that > the client is or is not listed, though I don't know if there is > any convention for positive whitelist replies. > > What is supposed to happen in the absence of a valid DNS reply? > Is there a difference between SERVAIL, timeout, and so on? > I don't want to be swamped with bug reports that "postfix > has buggy access control". Unfortunately, RFC 5782 isn't helpful for answering those questions. Stefan
From: "Jan P. Kessler" on 18 Mar 2010 18:28 >> This whitelist is 1409 records long, so indeed as you say very small. I >> suppose I could download it and host it locally. Apparently AXFR is not >> allowed, but plain text HTTP download is, so that's good enough. >> Then I would only need an efficient and robust way for postfix to use >> it. > > If they let you download a list of IPs, just use your favorite > sed/awk/perl to change it into an access table. The question is: Will this be really more reliable than using a policy service that simply queries dns for this task?
From: Erik Logtenberg on 18 Mar 2010 19:09
>>> This whitelist is 1409 records long, so indeed as you say very small. I >>> suppose I could download it and host it locally. Apparently AXFR is not >>> allowed, but plain text HTTP download is, so that's good enough. >>> Then I would only need an efficient and robust way for postfix to use >>> it. >> >> If they let you download a list of IPs, just use your favorite >> sed/awk/perl to change it into an access table. > > The question is: Will this be really more reliable than using a policy > service that simply queries dns for this task? By the way, in the mean time I followed the advice given by Stan Hoeppner and Noel Jones and made a daily cronjob which wget's the blacklist, puts some OK's in there and then postmaps the list to a hash map, which is then used with a check_client_access rule in smtpd_recipient_restrictions. This works okay, and fairly reliable, because I added a couple of sanity checks before actually switching over to the new whitelist. If some sanity check fails (for instance the number of IP's is outside a sane range or if postmap chockes on it), then the cronjob will just keep the current whitelist in place. |