On 28/Sep/10 00:00, Sam Varshavchik wrote:
> Alessandro Vesely writes:
>> I think we may additionally need two things:
>>
>> 1. A mechanism to skip performing some lookups in case some other
>> ones already succeeded. Currently, only if a given variable is
>> already set, the corresponding lookup is skipped.
>
> This seems trivial. The lookup can also be skipped if some other
> variable is also already set. The whitelists can be arranged to be
> looked up first, followed by blacklists.

You mean "can be arranged" by properly setting the configuration file? 
  Blocklists are currently checked respecting the order they have been 
defined.

> The real challenge here is to come up with a sane syntax to specify
> all of this.

Hm... one possibility is to modify the "-block" syntax by appending a 
list of environment variables that prevent the lookup.  E.g.

   -block=zen.spamhaus.org,BLOCK,"550 Reject ip=@",ALLOW,ALLOW2 \
   -allow=swl.spamhaus.org,ALLOW

where "-allow" has the same syntax of "-block", but new entries are 
pushed onto the head of the list rather than appended to its tail.

An alternative is to define skiplists explicitly, e.g.

   -allow=swl.spamhaus.org,ALLOW \
   -block=zen.spamhaus.org,BLOCK,"550 Reject ip=@" \
   -block=some.other.example,BLOCK2 \
   -skipif=ALLOW,BLOCK,BLOCK2

In this case "-allow" is exactly a synonym of "-block", because it 
feels ugly to say "block" for a whitelist.

In the future, the SWL may have IPv6 capabilities --according to their 
techfaq, "IPv6 handling is not yet active.  Spamhaus estimates IPv6 
service starting in 2011".  Do we need an additional comma to specify 
whether the list is (supposed to be) IPv6 capable?

>> 2. A mechanism to pass (some of) these variables to global filters.
>> (Values /from/ global filters can be set via header fields, but
>> variable-passing can also be devised to work both ways.)
>
> I think that the best way is to record this metadata into an
> additional header, than the filter can check. Thinking it over in my
> ahead, I think this would be the easiest approach, and all the change
> can be bundled in courieresmtpd, so that the command line sendmail
> injection point, or the shared codepath between the two, does not need
> to be overengineered for that.

At first glance courieresmtpd doesn't seem to delve into 
distinguishing header from body.  At any rate, yes, adding to the 
header may work for this specific case.  The additional field, say

   X-Whitelisted-By: swl.spamhaus.org

will remain attached to the message, and thus might also be used by 
client software to avoid discarding important messages.  However, this 
header field has to be guarded against cheats already present in the 
original message.  If the field name is specified on the command line, 
e.g. as

   -allow=swl.spamhaus.org,ALLOW,"X-Whitelisted-By: swl.spamhaus.org"

checking for cheats may become quite cumbersome.

A more generic approach could be to dump the whole environment to the 
ctlfile, in submit, just before closing it and only if filters are 
enabled, prepending, say, COMCTLFILE_ENVVAR before each line.  This 
would also work for a bunch of corner cases, e.g. a filter wondering 
whether an authsmtp message came in via the MSA port.  This may result 
in a size increase of around 1300 bytes, at mines; some known 
variables (PATH, SHELL, SHLVL, PWD, _) may be omitted.


> I do not understand what the problem is. Wildcard DNS entries will
> work fine. You just put a wildcard record for the /64. End of story.

IMHO, even assuming that such granularity is not too coarse, the 
remaining 64 bits still provide for a too huge address space for the 
whack-a-mole game.  But then you're right that someone may still run 
an IPv6 DNSBL, and it seems wise to plan a syntax that would allow to 
use it.

> *.00.00.27.0c.03.05.01.20.blacklist.example.com TXT "Whatever"
>
> This presumes that, for consistency, hex is used at the octet-level
> granularity for IPv6. Decimal can be used equally well.

Probably that's the kind of decisions Spamhaus still has to make, 
since they have not given an IPv6 query example yet.


-- 



------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev
_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Reply via email to