Whitelist filtering may require a review of filter settings. For one
thing, there is a chance to save some DNS lookups and SA filtering.
In addition, global filters may need to take whitelisting info into
account.
IME, rejections after spamhaus.org are permanently on top of my _SMTP
errors by type_ report, overreaching SPF by one order of magnitude.
Now, they suggest that
    If a sender is on the Spamhaus Whitelist it is pointless and a
    waste of resources to then check to see if the IP is on any
    Spamhaus blacklist such as Zen, because it can not be. If the IP is
    on a third party blacklist you would need to decide whether the
    third party blacklist is right or to give Spamhaus the benefit of
    the doubt. That decision comes down to you alone.
    http://www.spamhauswhitelist.com/en/techfaq.php
("They" is not the same as spamhaus.org; however, the DNS zones to
look up are subdomains of spamhaus.org.)
Courier tcpd already has a complicated syntax for this. DNS lookups
are defined by "-block" and set an environment variable. The
variable's name can be the predefined "BLOCK", any name known by an
rcptfilter, or it can be mentioned in a "-drop" switch. See DNS
ACCESS LISTS http://www.courier-mta.org/couriertcpd.html#id539502
I think we may additionally need two things:
1. A mechanism to skip performing some lookups in case some other ones
already succeeded. Currently, only if a given variable is already
set, the corresponding lookup is skipped.
2. A mechanism to pass (some of) these variables to global filters.
(Values /from/ global filters can be set via header fields, but
variable-passing can also be devised to work both ways.)
- . -
Spamhaus have announced their whitelist as the dawn of a new era. In
fact, IPv4 is on the ropes and DNSBL technology cannot go to IPv6
as-is. (Let me quote just one phrase from John Levine, 26 Aug 2009:
    At one address per millisecond, it would take 500 million years to
    run through a /64.
http://www.ietf.org/mail-archive/web/asrg/current/msg15743.html)
Domain names are not more manageable in size than that. Thus, IPv6
implies the end of blacklisting as we know it. Spamhaus has announced
both an IPv4 whitelist and a domain name one, the SWL and DWL
respectively. As the latter implies DKIM, I'll try and fit the
relevant lookup within zdkimfilter.
courier-users mailing list
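The whitelist-first lookup order discussed in the message above, as an added example that is not part of the original post and is not Courier's code. The zone names are placeholders, `WHITELISTED` is a hypothetical variable name (only `BLOCK` comes from the post), and the resolver is a stub over constructed data so the sketch runs offline.

```python
import ipaddress

# Placeholder zones (assumptions): the post does not name the real ones.
WHITELIST_ZONE = "swl.example.org"
SAME_OPERATOR_BLACKLISTS = ["zen.example.org"]   # run by the whitelist operator
THIRD_PARTY_BLACKLISTS = ["bl.thirdparty.example"]

def dnsbl_name(ip, zone):
    """Query name: reversed IPv4 octets (or IPv6 nibbles) followed by the zone."""
    reverse = ipaddress.ip_address(ip).reverse_pointer  # 10.2.0.192.in-addr.arpa
    return reverse.rsplit(".", 2)[0] + "." + zone

def check_sender(ip, resolve, trust_whitelist=True):
    """Return (env, queried). resolve(name) -> list of A records, [] if unlisted.

    env mimics the variables couriertcpd sets; WHITELISTED is a hypothetical name.
    """
    env, queried = {}, []

    def listed(zone):
        name = dnsbl_name(ip, zone)
        queried.append(name)
        return resolve(name)

    if listed(WHITELIST_ZONE):
        env["WHITELISTED"] = "1"
    zones = list(THIRD_PARTY_BLACKLISTS)
    if "WHITELISTED" not in env:
        zones = SAME_OPERATOR_BLACKLISTS + zones  # only needed when not whitelisted
    elif trust_whitelist:
        zones = []                                # local policy: whitelist wins
    for zone in zones:
        if listed(zone):
            env["BLOCK"] = zone
            break                                 # one hit is enough to reject
    return env, queried

# Constructed sample data standing in for DNS (documentation addresses).
FAKE_DNS = {
    "10.2.0.192.swl.example.org": ["127.0.2.2"],
    "10.2.0.192.bl.thirdparty.example": ["127.0.0.2"],
    "20.2.0.192.zen.example.org": ["127.0.0.4"],
}

def fake_resolve(name):
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20"):
        print(ip, check_sender(ip, fake_resolve))
```

The returned `env` is the kind of per-connection state the message proposes passing on to global filters; `queried` shows which lookups were saved.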