On 03/15/2010 10:37 PM, Victor Duchovni wrote:
> On Mon, Mar 15, 2010 at 05:15:59PM -0400, Wietse Venema wrote:
> 
>> Victor Duchovni:
>>> With explicit DNSWL lookups, indeed "defer_if_reject" is acceptable, since
>>> the DWL is operated locally or by a competent provider and persistent temp
>>> failure of lookups is less likely. So it seems to me that this has cleaner
>>> semantics than "check_client_access" with name-based "OK" results, provided
>>> the DWL lookup-key is an address, not a domain name!
>>
>> A client hostname is bad because it may not be available, but what
>> is the problem with helo/sender/recipient domains?
> 
> Yes, only the client name is a problem in the original sense of this
> thread. Of course one would be rather foolish to white-list by helo-name
> and sender domain, these are too easy to spoof. It is not clear that
> a recipient domain DNSWL is semantically useful, so I think that only
> client names make sense in this context.

Indeed. By the way, the original sense of this thread is inspired by
this specific whitelist: http://noc.bit.nl/dnsbl/nlwhitelist/
As you can see (http://noc.bit.nl/dnsbl/nlwhitelist/txt.php) it just
contains IP addresses. Those IP addresses belong to companies whom we
trust to send valid mail, _and_ have a decent abusedesk -- this is in
fact a prerequisite to be included in that list to begin with.

We wouldn't be using it to check HELO name and/or sender domain, but
just for the initial state of initiating an smtp session from a specific
IP, exactly the point where the reject_rbl_client is currently active.
If the IP is on the whitelist, then we don't even want to check the
blacklists anymore, but permit the connection right away. It may still
fail other checks that could lead to reject or defer of course.

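The ordering described in the last message (consult an IP-keyed DNS whitelist at connection time, and skip the blacklist lookups when the client is listed) maps onto Postfix's restriction-list semantics as follows. This is an added main.cf fragment, not configuration from the thread or from the bit.nl list operator; it assumes Postfix 2.8 or later, where permit_dnswl_client exists, and the zone names nlwhitelist.example and rbl.example are placeholders for the whitelist and blacklist zones the site actually uses.

```conf
# Added example, not from the original thread. Requires Postfix 2.8+.
# nlwhitelist.example and rbl.example are placeholder zone names.
#
# permit_dnswl_client looks up the reversed client IP under the
# whitelist zone. A hit returns PERMIT, which ends evaluation of
# this restriction list only, so the reject_rbl_client lookups
# below it are never performed for a whitelisted client. Clients
# that are not listed fall through to the blacklist checks.
smtpd_client_restrictions =
    permit_mynetworks,
    permit_dnswl_client nlwhitelist.example,
    reject_rbl_client rbl.example,
    permit

# Other restriction lists are evaluated independently, so a
# whitelisted client can still be rejected or deferred later
# (unknown recipient, relay denied, and so on).
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_recipient_domain
```

Two points worth checking after adding this. First, if the site keeps everything in a single smtpd_recipient_restrictions list instead, permit_dnswl_client must come after reject_unauth_destination; placed before it, a whitelist hit would skip the relay check and turn the host into an open relay for every listed IP. Second, because the whitelist is keyed by client IP rather than by HELO name or sender domain, the lookup happens before any spoofable data is consulted, which is exactly why the thread restricts DNSWL use to the client address.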