On 8/24/2010 1:36 PM, Stan Hoeppner wrote:
Wietse Venema put forth on 8/23/2010 10:11 AM:
Noel Jones:

(Might be time to revisit DNS whitelists in

Maybe someone can draft a strawman user interface:

- what is the configuration syntax

- what does that syntax mean

- how to make it safe (we don't want "open relay" problems)

I'm currently doing this for postscreen, and won't have time for
other Postfix features.

accept_dnswl_client (default: 0)

0 - accept all messages
1 - accept messages with trust level 1-3
2 - accept messages with trust level 2-3
3 - accept messages with trust level 3

Trust level is a numerical 0-3 value returned as the last octet of the
127.0.x.x address, see below.  The third octet is more informational
than actionable, and IMO would simply add unnecessary complexity if used
to determine deliverability.  Decisions should be based solely on the
last octet data, the "trust" level.

I assume postscreen processes or passes this data to smtpd in a way that
smtpd will automatically bypass all checks normally performed during the
CONNECT phase.

Below is how dnswl.org does dns based whitelisting.  Other dns whitelist
operators may use a different standard, or no standard--I've not
investigated the few others at this point.  AFAIK dnswl.org is the most
popular, and was the original dns whitelist operator.

How to query DNSWL

The query must always go to the zone "list.dnswl.org" in standard DNSBL
format, ie with a reversed dotted quad IP address. To query whether the
IP address "" is listed, the query would thus be

The list contains the standard test entry of, which you can
also test manually

matthias:~>  host has address

Return codes

The return codes are structured as 127.0.x.y, with "x" indicating the
category of an entry and "y" indicating how trustworthy an entry has
been judged.

Categories (127.0.X.y):

     * 2 - Financial services
     * 3 - Email Service Providers
     * 4 - Organisations (both for-profit [ie companies] and non-profit)
     * 5 - Service/network providers
     * 6 - Personal/private servers
     * 7 - Travel/leisure industry
     * 8 - Public sector/governments
     * 9 - Media and Tech companies
     * 10 - some special cases
     * 11 - Education, academic
     * 12 - Healthcare
     * 13 - Manufacturing/Industrial
     * 14 - Retail/Wholesale/Services
     * 15 - Email Marketing Providers

Trustworthiness / Score (127.0.x.Y):

     * 0 = none - only avoid outright blocking (eg Hotmail, Yahoo
mailservers, -0.1)
     * 1 = low - reduce chance of false positives (-1.0)
     * 2 = medium - make sure to avoid false positives but allow override
for clear cases (-10.0)
     * 3 = high - avoid override (-100.0).

The scores in parentheses are typical SpamAssassin scores.

- This is specific for dnswl.org. Postfix needs a general mechanism. Other whitelists are not required to follow dnswl.org's 127.0.x.y mechanism.

- what do you mean by "accept the message"; OK? suppress further rbl lookups?

- If "accept" means OK, how will you protect postfix from open relay if the dns whitelist accidentally or intentionally lists the whole internet?

- what would the user interface look like? Is it possible to document it clearly?

  -- Noel
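A small interpreter of the dnswl.org 127.0.x.y codes under Stan's proposed accept_dnswl_client thresholds, added here as illustration; it is not Postfix code and not from anyone on the thread. It reads "0 - accept all messages" as "any listing, trust 0-3", treats any answer outside 127.0.x.y or with a trust octet above 3 as unlisted, and adds a probe for Noel's "whole internet" concern; the function names, the 192.0.2.1 probe address and the constructed resolver are my assumptions.

```python
import ipaddress
from typing import Callable, Optional, Tuple

def dnswl_query_name(client_ip: str, zone: str = "list.dnswl.org") -> str:
    """Standard DNSBL-style query: reversed dotted quad under the list zone."""
    quad = ipaddress.IPv4Address(client_ip).exploded.split(".")
    return ".".join(reversed(quad)) + "." + zone

def parse_dnswl_code(answer: str) -> Optional[Tuple[int, int]]:
    """Decode a 127.0.x.y A record into (category, trust).

    Returns None for anything that is not a well-formed dnswl.org code:
    a non-address, a prefix other than 127.0, or a trust octet above 3.
    """
    try:
        o = ipaddress.IPv4Address(answer).packed
    except ValueError:
        return None
    if o[0] != 127 or o[1] != 0 or o[3] > 3:
        return None
    return o[2], o[3]

def skip_connect_checks(answer: Optional[str], accept_dnswl_client: int) -> bool:
    """Stan's accept_dnswl_client threshold: a listed client whose trust
    octet is >= the setting bypasses the CONNECT-phase checks. The category
    octet is decoded but deliberately ignored, as the post argues. Following
    Noel's point, this only decides whether further checks are skipped; it
    never grants relay permission."""
    if answer is None:
        return False                     # not listed: run the normal checks
    code = parse_dnswl_code(answer)
    if code is None:
        return False                     # unparseable answer: treat as unlisted
    _category, trust = code
    return trust >= accept_dnswl_client  # 0 = any listing (assumed reading)

def list_is_sane(lookup: Callable[[str], Optional[str]],
                 zone: str = "list.dnswl.org") -> bool:
    """Guard against a whitelist that lists the whole Internet (Noel's
    open-relay worry): probe an address that can never be a legitimate
    mail server (192.0.2.1, RFC 5737 documentation space; my choice) and
    refuse to trust the zone if the list claims it is whitelisted."""
    return lookup(dnswl_query_name("192.0.2.1", zone)) is None

if __name__ == "__main__":
    # Constructed resolver standing in for DNS: exactly one listed client.
    fake_dns = {dnswl_query_name("198.51.100.7"): "127.0.3.2"}
    answer = fake_dns.get(dnswl_query_name("198.51.100.7"))
    print(skip_connect_checks(answer, accept_dnswl_client=2))  # True
    print(list_is_sane(fake_dns.get))                           # True
```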
