Wietse Venema put forth on 8/23/2010 10:11 AM:
> Noel Jones:
>> (Might be time to revisit DNS whitelists in postfix.)
>
> Maybe someone can draft a strawman user interface:
>
> - what is the configuration syntax
> - what does that syntax mean
> - how to make it safe (we don't want "open relay" problems)
>
> I'm currently doing this for postscreen, and won't have time for
> other Postfix features.
accept_dnswl_client (default: 0)
    0 - accept all messages
    1 - accept messages with trust level 1-3
    2 - accept messages with trust level 2-3
    3 - accept messages with trust level 3

Trust level is a numerical 0-3 value returned as the last octet of the
127.0.x.x address, see below. The third octet is more informational than
actionable, and IMO would simply add unnecessary complexity if used to
determine deliverability. Decisions should be based solely on the last
octet data, the "trust" level.

I assume postscreen processes or passes this data to smtpd in a way that
smtpd will automatically bypass all checks normally performed during the
CONNECT phase.

Below is how dnswl.org does dns based whitelisting. Other dns whitelist
operators may use a different standard, or no standard--I've not
investigated the few others at this point. AFAIK dnswl.org is the most
popular, and was the original dns whitelist operator.

=======================================================================

How to query DNSWL

The query must always go to the zone "list.dnswl.org" in standard DNSBL
format, ie with a reversed dotted quad IP address. To query whether the
IP address "184.108.40.206" is listed, the query would thus be

    220.127.116.11.list.dnswl.org

The list contains the standard test entry of 127.0.0.2, which you can
also test manually

    matthias:~ > host 18.104.22.168.list.dnswl.org
    22.214.171.124.list.dnswl.org has address 127.0.10.0

Return codes

The return codes are structured as 127.0.x.y, with "x" indicating the
category of an entry and "y" indicating how trustworthy an entry has
been judged.
Categories (127.0.X.y):

  *  2 - Financial services
  *  3 - Email Service Providers
  *  4 - Organisations (both for-profit [ie companies] and non-profit)
  *  5 - Service/network providers
  *  6 - Personal/private servers
  *  7 - Travel/leisure industry
  *  8 - Public sector/governments
  *  9 - Media and Tech companies
  * 10 - some special cases
  * 11 - Education, academic
  * 12 - Healthcare
  * 13 - Manufacturing/Industrial
  * 14 - Retail/Wholesale/Services
  * 15 - Email Marketing Providers

Trustworthiness / Score (127.0.x.Y):

  * 0 = none - only avoid outright blocking (eg Hotmail, Yahoo
        mailservers, -0.1)
  * 1 = low - reduce chance of false positives (-1.0)
  * 2 = medium - make sure to avoid false positives but allow override
        for clear cases (-10.0)
  * 3 = high - avoid override (-100.0)

The scores in parentheses are typical SpamAssassin scores.

-- 
Stan
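The return-code scheme and the proposed accept_dnswl_client thresholds above, as an added, stand-alone example (not code from Postfix, dnswl.org or anyone in this thread). It builds the reversed-quad query name, decodes a 127.0.x.y answer into (category, trust), and applies the threshold the way the proposal describes: a listed client bypasses the CONNECT-phase checks only when its trust octet is at or above the setting, so 0 whitelists any listed client, 3 only trust level 3. Reading "0 - accept all messages" as "any listed client, trust 0-3" is my interpretation. Anything that is not a well-formed 127.0.x.y answer with a trust value in 0-3 is ignored, so a lookup that returns garbage never whitelists anyone; the DNS lookup itself is left out and the answers are constructed sample data. Note that bypassing CONNECT-phase client checks is a different thing from permitting relay, which is the "open relay" concern Wietse raises.

```python
import ipaddress
from typing import Iterable, Optional, Tuple

DNSWL_ZONE = "list.dnswl.org"

# Category names as published by dnswl.org (third octet of 127.0.x.y).
CATEGORIES = {
    2: "Financial services",
    3: "Email Service Providers",
    4: "Organisations",
    5: "Service/network providers",
    6: "Personal/private servers",
    7: "Travel/leisure industry",
    8: "Public sector/governments",
    9: "Media and Tech companies",
    10: "some special cases",
    11: "Education, academic",
    12: "Healthcare",
    13: "Manufacturing/Industrial",
    14: "Retail/Wholesale/Services",
    15: "Email Marketing Providers",
}


def dnswl_query_name(client_ip: str, zone: str = DNSWL_ZONE) -> str:
    """Return the DNSBL-style query name: reversed dotted quad under the zone.

    ipaddress rejects malformed input so we never build a query from junk.
    """
    ip = ipaddress.IPv4Address(client_ip)
    octets = ip.exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def parse_dnswl_answer(answer: str) -> Optional[Tuple[int, int]]:
    """Decode a 127.0.x.y answer into (category, trust).

    Returns None for anything that is not a 127.0.x.y address with a trust
    octet in 0-3, so unexpected answers are treated as 'not listed'.
    """
    try:
        packed = ipaddress.IPv4Address(answer).packed
    except ValueError:
        return None
    if packed[0] != 127 or packed[1] != 0:
        return None          # not in the 127.0.0.0/16 answer space
    category, trust = packed[2], packed[3]
    if trust > 3:
        return None          # outside the documented trust range
    return category, trust


def whitelist_decision(answers: Iterable[str], accept_dnswl_client: int) -> bool:
    """True when the client should bypass CONNECT-phase checks.

    accept_dnswl_client is the proposed 0-3 threshold: bypass if any answer
    carries a trust level >= the setting. Unlisted clients never bypass.
    """
    if not 0 <= accept_dnswl_client <= 3:
        raise ValueError("accept_dnswl_client must be 0-3")
    for answer in answers:
        parsed = parse_dnswl_answer(answer)
        if parsed is None:
            continue         # ignore garbage rather than whitelist on it
        _category, trust = parsed
        if trust >= accept_dnswl_client:
            return True
    return False


def describe_answer(answer: str) -> str:
    """Human-readable form of one answer, e.g. for a log line."""
    parsed = parse_dnswl_answer(answer)
    if parsed is None:
        return f"{answer}: not a usable dnswl answer"
    category, trust = parsed
    name = CATEGORIES.get(category, "unknown category")
    return f"{answer}: category {category} ({name}), trust {trust}"


if __name__ == "__main__":
    # Constructed sample: the published test entry answers 127.0.10.0.
    print(dnswl_query_name("127.0.0.2"))
    for sample in ("127.0.10.0", "127.0.3.2", "10.1.2.3", "127.0.5.9"):
        print(describe_answer(sample))
    for setting in range(4):
        print(setting, whitelist_decision(["127.0.3.2"], setting))
```

The decision function deliberately fails closed: the only way to be whitelisted is an answer in 127.0.0.0/16 with a trust octet in 0-3, and a client with no answers at all is simply not listed.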