Wietse Venema put forth on 8/24/2010 2:37 PM:

> With reject_rbl_client etc. Postfix can use different DNSXLs names
> in different access lists, and filter the result. For example, to
> select responses from some.example.com with value
> smtpd_mumble_restrictions =
>       ...
>     reject_rbl_client some.example.com=
>       ...
> I suppose that similar selection would be help with whitelists.

Yes, I believe the dnswl.org implementation is based on RFC5782.
Regarding "safety" against the "list world" and other scenarios, see
section 5, and paragraph 2 of section 7.  The tests are the same for
dnsbls and dnswls.  You simply check for responses to make sure a dnsXl
is running on the host you're querying before sending real queries.  I'm
guessing you already have code for this in the reject_rbl_client code.

>> I assume postscreen processes or passes this data to smtpd in a way that
>> smtpd will automatically bypass all checks normally performed during the
>> CONNECT phase.
> Postscreen passes no session information to the SMTP server. The
> file handle is all the SMTP server gets. We're talking about a
> really tight development budget here.

Darn.  With all candor and humility Wietse, I don't think postscreen is
the right place to implement dnswl whitelisting.  Or, I should say, it's
not a complete dns whitelisting solution, but only a small first step.
If I understand correctly, all this will do is shoot such a whitelisted
client past all the postscreen checks.  Virtually all MTAs at IPs listed
by dnswl servers are going to pass the postscreen checks anyway since
postscreen is looking for bots and other ill behaved SMTP clients.  Thus
there is little gain in dns whitelisting here here but maybe some extra
performance on loaded MX'en.

IMHO, for dnswl whitelisting to be implemented "properly", or "the way
most people will expect it to behave", it should be implemented almost
exactly like

        reject_rbl_client abc.dnsbl.tld n.n.n.n

but with the opposite action--immediately queuing the message for
mailbox delivery--but still executing recipient address verification,
virus checks, and possibly content filter checks etc.

For a full up dnswl implementation, if we can assume some but not all
dnswl servers have multiple responses, then I'm thinking we should do
something just like your reject_rbl_client example, so an OP can
configure the level of "trust/accept" behavior based on his/her
knowledge of a particular configured dnswl server's responses:

        accept_dnswl_client     abc.dnsbl.tld [n.n.n.n]

As with reject_rbl_client the n.n.n.n would be optional and the default
behavior would be to accept or "OK" a message with any positive response
code from the dnswl server, in the same manner as we would process a
local access table whitelist OK action.  We obviously still want
recipient verification, virus scanning, maybe content filtering.  So if
I understand Postfix design correctly, we'd implement this in smtpd and
skip all smtpd checks on a positive dnswl hit, assuming the OP inserts
this parameter appropriately close to the top of the restrictions list.
 As with reject_rbl_client an OP would be free to insert this dnswl
check in the most appropriate place in the OP's processing order.


Reply via email to