On 8/24/2010 1:36 PM, Stan Hoeppner wrote:
Wietse Venema put forth on 8/23/2010 10:11 AM:
(Might be time to revisit DNS whitelists in
Maybe someone can draft a strawman user interface:
- what is the configuration syntax
- what does that syntax mean
- how to make it safe ( we don't want "open relay" problems)
I'm currently doing this for postscreen, and won't have time for
other Postfix features.
accept_dnswl_client (default: 0)
0 - accept all messages
1 - accept messages with trust level 1-3
2 - accept messages with trust level 2-3
3 - accept messages with trust level 3
Trust level is a numerical 0-3 value returned as the last octet of the
127.0.x.x address, see below. The third octet is more informational
than actionable, and IMO would simply add unnecessary complexity if used
to determine deliverability. Decisions should be based solely on the
last octet data, the "trust" level.
I assume postscreen processes or passes this data to smtpd in a way that
smtpd will automatically bypass all checks normally performed during the
Below is how dnswl.org does dns based whitelisting. Other dns whitelist
operators may use a different standard, or no standard--I've not
investigated the few others at this point. AFAIK dnswl.org is the most
popular, and was the original dns whitelist operator.
How to query DNSWL
The query must always go to the zone "list.dnswl.org" in standard DNSBL
format, ie with a reversed dotted quad IP address. To query whether the
IP address "126.96.36.199" is listed, the query would thus be
The list contains the standard test entry of 127.0.0.2, which you can
also test manually
matthias:~> host 188.8.131.52.list.dnswl.org
184.108.40.206.list.dnswl.org has address 127.0.10.0
The return codes are structured as 127.0.x.y, with "x" indicating the
category of an entry and "y" indicating how trustworthy an entry has
* 2 - Financial services
* 3 - Email Service Providers
* 4 - Organisations (both for-profit [ie companies] and non-profit)
* 5 - Service/network providers
* 6 - Personal/private servers
* 7 - Travel/leisure industry
* 8 - Public sector/governments
* 9 - Media and Tech companies
* 10 - some special cases
* 11 - Education, academic
* 12 - Healthcare
* 13 - Manufacturing/Industrial
* 14 - Retail/Wholesale/Services
* 15 - Email Marketing Providers
Trustworthiness / Score (127.0.x.Y):
* 0 = none - only avoid outright blocking (eg Hotmail, Yahoo
* 1 = low - reduce chance of false positives (-1.0)
* 2 = medium - make sure to avoid false positives but allow override
for clear cases (-10.0)
* 3 = high - avoid override (-100.0).
The scores in parentheses are typical SpamAssassin scores
- This is specific for dnswl.org. Postfix needs a general
mechanism. Other whitelists are not required to follow
dnswl.org's 127.0.x.y mechanism.
- what do you mean by "accept the message"; OK? suppress
further rbl lookups?
- If "accept" means OK, how will you protect postfix from open
relay if the dns whitelist accidentally or intentionally lists
the whole internet?
- what would the user interface look like? Is it possible to
document it clearly?
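As an added illustration of the two pieces discussed in this thread, the dnswl.org query format (reversed dotted quad under list.dnswl.org, answer 127.0.x.y) and the proposed accept_dnswl_client levels, here is a small Python helper that is not part of Postfix and not code from anyone on the thread. It assumes level 0 means "any listed client" (the proposal is ambiguous on that), looks only at the trust octet as suggested, and fails closed on an empty or malformed answer so that a whitelist returning garbage cannot whitelist anything. The DNS answers are constructed, not looked up.

```python
import ipaddress
from typing import Iterable, Optional, Tuple

DNSWL_ZONE = "list.dnswl.org"
TRUST_LEVELS = {0: "none", 1: "low", 2: "medium", 3: "high"}


def dnswl_query_name(client_ip: str, zone: str = DNSWL_ZONE) -> str:
    """Reverse the dotted quad and append the zone: 127.0.0.2 -> 2.0.0.127.list.dnswl.org."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def parse_dnswl_answer(answer: str) -> Optional[Tuple[int, int]]:
    """Decode a 127.0.x.y A record into (category, trust).

    Returns None for anything that is not a well-formed dnswl.org answer
    (first two octets not 127.0, or trust above 3), so callers fail closed.
    """
    try:
        packed = ipaddress.IPv4Address(answer).packed
    except ValueError:
        return None
    if packed[0] != 127 or packed[1] != 0 or packed[3] > 3:
        return None
    return packed[2], packed[3]  # (category, trust)


def accept_client(answers: Iterable[str], accept_dnswl_client: int) -> bool:
    """Apply the proposed accept_dnswl_client levels to the A records for one client.

    Assumption: level 0 means "any listed client"; level N>0 requires trust >= N.
    Only the trust octet is consulted. No answer, or any answer we do not
    understand, never whitelists (fail closed).
    """
    if not 0 <= accept_dnswl_client <= 3:
        raise ValueError("accept_dnswl_client must be 0..3")
    parsed = [parse_dnswl_answer(a) for a in answers]
    if not parsed or any(p is None for p in parsed):
        return False
    best_trust = max(trust for _, trust in parsed)
    return best_trust >= accept_dnswl_client


if __name__ == "__main__":
    # Constructed answers, not live DNS: the dnswl.org test entry answer
    # (127.0.10.0, trust 0) and a hypothetical category-5 listing with trust 3.
    print(dnswl_query_name("127.0.0.2"))
    for answers in (["127.0.10.0"], ["127.0.5.3"], [], ["10.1.2.3"]):
        print(answers, [accept_client(answers, lvl) for lvl in range(4)])
```

Note that whitelisting here only answers "skip the DNSBL-style rejection checks"; it says nothing about relaying, which is the open-relay concern raised above and must stay with the normal relay restrictions.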