Stan Hoeppner:
> Noel Jones put forth on 8/24/2010 2:18 PM:
>
> > - This is specific for dnswl.org. Postfix needs a general mechanism.
> > Other whitelists are not required to follow dnswl.org's 127.0.x.y
> > mechanism.
>
> Yeah, I used this example as dnswl is, afaik, the most "established" of
> the dns whitelists. I haven't yet looked at the return codes the others
> use.
>
> > - what do you mean by "accept the message"; OK? suppress further rbl
> > lookups?
Postfix has smtpd_mumble_restrictions with a large number of reject-like features and a smaller number of permit-like features. A reject terminates evaluation for all smtpd_mumble_restrictions; a permit terminates evaluation only within one smtpd_mumble_restriction. If whitelisting were to be used as a permit-like feature (which has dangerous failure modes as discussed next) then it will have to behave like all other permit-like features without exception.

DNSWL as a permit-like feature increases the risk of becoming an open relay. I don't think we want Postfix to massively fail wide open and become an open relay just because some DNSWL operator made a bad decision. Besides, I am not convinced that DNSWL is best used as an unconditional "permit" operation.

Alternatively, DNSWLs would be safe to use when scores from different lists are added up, and mail is rejected when the total score exceeds some threshold. With DNSXL lookup implemented as a reject-like feature, there is no danger of Postfix massively failing wide open when the DNSWL operator screws up.

Currently the smtpd configuration language does not yet have weighted DNSXL lookups. It would be easy enough to configure a global fixed list with domains and weights. Just copy the code for the deprecated maps_rbl_domains configuration parameter and the no longer documented reject_maps_rbl restriction, and add some syntax to the maps_rbl_domains parser.

Wietse
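The two designs Wietse contrasts, a permit-like DNSWL versus a weighted reject-like DNSXL score, can be compared side by side with a small model of the restriction semantics he describes (a reject ends evaluation of every restriction list, a permit ends only the current list). The following Python is an added illustration written for this page; it is not Postfix code and not part of the thread. The zone names, the DNS answers and the weights are constructed so the example runs offline, and the 127.0.x.y answer for the whitelisted host only mirrors the dnswl.org return-code layout mentioned above.

```python
import ipaddress

OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"
MY_DOMAINS = {"example.com"}          # domains this server accepts mail for

# Constructed DNS answers standing in for real DNSWL/DNSBL zones, so the
# example runs offline. Zone names and addresses are hypothetical.
FAKE_DNS = {
    "4.3.2.1.wl.example": "127.0.5.3",    # 1.2.3.4 is listed by the whitelist
    "8.7.6.5.bl1.example": "127.0.0.2",   # 5.6.7.8 is listed by two blocklists
    "8.7.6.5.bl2.example": "127.0.0.2",
}
# The "operator screwed up" case: the whitelist now also lists the spammer.
BROKEN_WL_DNS = {**FAKE_DNS, "8.7.6.5.wl.example": "127.0.0.2"}

# Constructed weights: negative for whitelists, positive for blocklists.
WEIGHTS = {"wl.example": -2, "bl1.example": 1, "bl2.example": 1}


def dnsxl_lookup(ip, zone, answers):
    """Return the A record a DNSxL would give for ip under zone, or None."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return answers.get(".".join(reversed(octets)) + "." + zone)


def weighted_dnsxl_score(ip, weights, answers):
    """Add up the weight of every zone that lists ip."""
    return sum(w for zone, w in weights.items()
               if dnsxl_lookup(ip, zone, answers) is not None)


def reject_weighted_dnsxl(weights, threshold, answers):
    """Reject-like restriction: REJECT once the total reaches threshold,
    otherwise DUNNO. It can never answer OK, so it can never skip
    later relay controls."""
    def restriction(client):
        score = weighted_dnsxl_score(client["ip"], weights, answers)
        return REJECT if score >= threshold else DUNNO
    return restriction


def permit_dnswl(zone, answers):
    """Permit-like whitelist: OK when listed, else DUNNO."""
    def restriction(client):
        listed = dnsxl_lookup(client["ip"], zone, answers) is not None
        return OK if listed else DUNNO
    return restriction


def reject_rbl_client(zone, answers):
    """Plain blocklist check in the style of reject_rbl_client."""
    def restriction(client):
        listed = dnsxl_lookup(client["ip"], zone, answers) is not None
        return REJECT if listed else DUNNO
    return restriction


def reject_unauth_destination(client):
    """Relay control: only accept recipients in our own domains."""
    return DUNNO if client["rcpt_domain"] in MY_DOMAINS else REJECT


def evaluate(restriction_lists, client):
    """Model of smtpd_mumble_restrictions evaluation as described above:
    REJECT ends evaluation of all lists, OK ends only the current list,
    DUNNO moves on to the next restriction."""
    for restrictions in restriction_lists:
        for restriction in restrictions:
            result = restriction(client)
            if result == REJECT:
                return REJECT
            if result == OK:
                break
    return OK


def permit_style(answers):
    """A recipient restriction list with the whitelist as a permit."""
    return [permit_dnswl("wl.example", answers),
            reject_rbl_client("bl1.example", answers),
            reject_unauth_destination]


def weighted_style(answers, threshold=2):
    """The same list with the whitelist only lowering a reject-like score."""
    return [reject_weighted_dnsxl(WEIGHTS, threshold, answers),
            reject_unauth_destination]


def verdict(restrictions, ip, rcpt_domain):
    return evaluate([restrictions], {"ip": ip, "rcpt_domain": rcpt_domain})


if __name__ == "__main__":
    for name, dns in (("healthy whitelist", FAKE_DNS),
                      ("whitelist lists everyone", BROKEN_WL_DNS)):
        for ip, rcpt in (("5.6.7.8", "example.com"),
                         ("1.2.3.4", "victim.example"),
                         ("5.6.7.8", "victim.example")):
            print(f"{name:26} {ip:>8} -> {rcpt:16} "
                  f"permit-style={verdict(permit_style(dns), ip, rcpt):6} "
                  f"weighted={verdict(weighted_style(dns), ip, rcpt)}")
```

With the healthy whitelist both designs reject the listed spammer, but the permit-style list already relays for the whitelisted host because its OK skips reject_unauth_destination. Once the whitelist answers for the spammer too, the permit-style list relays for the spammer as well, while the weighted list merely loses the blocklist's effect on the score and still rejects the off-domain recipient. That is the fail-open versus fail-closed difference Wietse is pointing at.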