I need to use dns blacklisting on incoming email. Spamd caused a user revolt because of its unpredictable delay.
smtpd maintainers have more urgent projects than working on filter-dnsbl. What I'd like to do is:

in pf.conf:

    pass in on ingress from <whitelist> to any port smtp
    pass in on ingress from <blacklist> to any port smtp \
        divert-to [spamd-port]
    pass in on ingress from <retrylist> to any port smtp \
        # insert proper action here = pass on or send to spamd
    pass in from any to any port smtp divert-packet port 9999 \
        no-state

in dnsbld:

    bind to divert socket 9999
    parallel loop:
        receive syn packet for smtp connection
        initiate dnsbl lookup
        good reply: insert address into <whitelist>
        bad reply: insert address into <blacklist>
        timeout: insert address into <retrylist>
        reinject syn packet

in dnsbld-cleaner:

    maintain lists of expiry times and remove entries from the pf tables appropriately

What I'd like to happen is that the first syn packet will go to dnsbld. By inserting entries into pf tables, when the syn is finally reinjected or retry syn packets arrive, they will match a table, thus creating a state. Subsequent packets of that connection wouldn't go to the divert socket. dnsbld should only see syn packets, usually only one if the dns lookup is quick.

What I don't want to do is interpose dnsbld for the entire smtp connection.

Is this likely to work? My reading of the code suggests it should, but pf is pretty intricate. I don't know if the pf rule optimizer would rearrange things detrimentally.

thanks
Geoff Steckel
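The classification and table-bookkeeping half of the dnsbld/dnsbld-cleaner design above, as an added example that is not part of Geoff's post and not OpenBSD code. It runs offline: the divert socket is replaced by a constructed IPv4/TCP SYN built inline, the DNSBL zone name "dnsbl.example" is a placeholder assumption, the resolver is injected so a constructed answer table stands in for real DNS, and the pfctl command lines are built but not executed. Treating any non-127.0.0.0/8 answer as "retry later" is a design choice of this example, not something the post specifies.

```python
"""dnsbld-style SYN classification (added example, assumptions noted inline)."""
import ipaddress
import struct
from typing import Callable, Dict, List, Optional, Tuple

SMTP_PORT = 25
TCP_SYN, TCP_ACK = 0x02, 0x10
DNSBL_ZONE = "dnsbl.example"  # assumption: placeholder DNSBL zone name
# assumption: how long each table entry lives before dnsbld-cleaner removes it
TTL = {"whitelist": 3600, "blacklist": 3600, "retrylist": 300}


def build_syn(src: str, dst: str, sport: int, dport: int = SMTP_PORT,
              flags: int = TCP_SYN) -> bytes:
    """Construct a minimal IPv4+TCP packet as sample input (checksums left zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + tcp


def parse_syn(pkt: bytes) -> Optional[str]:
    """Return the source address if pkt is a bare IPv4 TCP SYN to port 25, else None.

    A divert socket hands over whole IP packets, so dnsbld must verify it really
    got the first SYN (not a SYN/ACK or a stray packet) before doing a lookup.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:          # protocol 6 = TCP
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    _sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    flags = off_flags & 0x01FF
    if dport != SMTP_PORT or flags & (TCP_SYN | TCP_ACK) != TCP_SYN:
        return None
    return src


def dnsbl_qname(addr: str, zone: str = DNSBL_ZONE) -> str:
    """Standard DNSBL query name: octets reversed under the list zone."""
    return ".".join(reversed(addr.split("."))) + "." + zone


def classify(addr: str, resolve: Callable[[str], Optional[List[str]]]) -> str:
    """Map a DNSBL lookup to the pf table the SYN's source belongs in.

    resolve(qname) returns A records (listed), [] (NXDOMAIN, clean) or None (timeout).
    """
    answers = resolve(dnsbl_qname(addr))
    if answers is None:
        return "retrylist"
    if not answers:
        return "whitelist"
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    if all(ipaddress.IPv4Address(a) in loopback for a in answers):
        return "blacklist"
    return "retrylist"  # assumption: odd answer (wildcarded/broken list) -> retry later


def pfctl_add(table: str, addr: str) -> List[str]:
    """argv that inserts addr into a pf table; built here, never executed."""
    return ["pfctl", "-t", table, "-T", "add", addr]


def pfctl_delete(table: str, addr: str) -> List[str]:
    return ["pfctl", "-t", table, "-T", "delete", addr]


class ExpiryList:
    """The dnsbld-cleaner side: remember when each table entry should be removed."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str], float] = {}

    def add(self, table: str, addr: str, now: float) -> None:
        self._entries[(table, addr)] = now + TTL[table]

    def expired(self, now: float) -> List[List[str]]:
        """Forget entries past expiry and return the pfctl commands that remove them."""
        gone = [k for k, exp in self._entries.items() if exp <= now]
        for k in gone:
            del self._entries[k]
        return [pfctl_delete(t, a) for t, a in gone]

    def pending(self) -> int:
        return len(self._entries)


def handle_packet(pkt: bytes, resolve, expiry: ExpiryList, now: float):
    """One iteration of the dnsbld loop. Returns (table, pfctl argv) or None if not a SYN.

    The caller then reinjects pkt; because the source is now in a table, the
    reinjected or retransmitted SYN matches a table rule and creates state instead
    of hitting the divert-packet rule again.
    """
    src = parse_syn(pkt)
    if src is None:
        return None
    table = classify(src, resolve)
    expiry.add(table, src, now)
    return table, pfctl_add(table, src)


# constructed DNSBL answers: 192.0.2.1 listed, 192.0.2.2 clean, anything else times out
FAKE_ANSWERS = {"1.2.0.192.dnsbl.example": ["127.0.0.2"], "2.2.0.192.dnsbl.example": []}
fake_resolve = FAKE_ANSWERS.get

if __name__ == "__main__":
    exp = ExpiryList()
    for ip in ("192.0.2.1", "192.0.2.2", "192.0.2.3"):
        print(handle_packet(build_syn(ip, "198.51.100.25", 40000), fake_resolve, exp, 0))
    print(exp.expired(300))  # only the retrylist entry has expired by then
```

In a real dnsbld the packet would come from `socket(AF_INET, SOCK_RAW, IPPROTO_DIVERT)` bound to port 9999, and the pfctl argv (or a direct ioctl on /dev/pf) would run before the SYN is written back to the same socket, so the ordering the post relies on (table entry first, reinject second) holds.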