Updated Proposal for weighted dnsXl support in postscreen.
(Change parameter names to all start with postscreen_dns* for
easy reading in postconf. Get rid of negative site weight
values [the client dnsxl score total may still be negative].
Add filter octet range docs.)
(The weight ranges documented are arbitrary.)
- postscreen_dnsbl_sites (default empty); a comma-separated
list of dnsbl IP blacklist sites with optional result filter
and optional weight. When the reversed client network address
is listed with an A record matching the result filter, add
{weight} points (default 1) to the client dnsxl score. If no
result filter is specified, add {weight} points (default 1) to
the client dnsxl score if any A record is found. If multiple
A records are found, {weight} will only be added once.
Specify one or more dnsbl sites as:
dnsbl_site[=d.d.d.d][*N]
where dnsbl_site is the site name, d.d.d.d is the optional
result filter, and N is the optional weight value. A range in
the result filter may be specified within brackets in place of
an octet. Multiple ranges or single values may be separated
by commas within the brackets. The weight may be specified as
the character "*" followed by a value in the range [0~99]
inclusive.
Examples:
postscreen_dnsbl_sites =
dnsbl_site1,
dnsbl_site2=127.0.[0-5,22,128-255].2*5,
dnsbl_site3=*6
- postscreen_dnswl_sites (default empty); a comma-separated
list of dnswl IP whitelist sites with optional result filter
and optional weight. When the reversed client network address
is listed with an A record matching the result filter,
subtract {weight} points (default 1) from the client dnsxl
score. If no result filter is specified, subtract {weight}
points (default 1) from the client dnsxl score if any A record
is listed. If multiple A records are found, {weight} will
only be subtracted once.
Specify one or more dnswl sites as:
dnswl_site[=d.d.d.d][*N]
where dnswl_site is the site name, d.d.d.d is the optional
result filter, and N is the optional weight value. A range in
the result filter may be specified within brackets in place of
an octet. Multiple ranges or single values may be separated
by commas within the brackets. The weight may be specified as
the character "*" followed by a value in the range [0~99]
inclusive.
Examples:
postscreen_dnswl_sites =
dnswl_site1,
dnswl_site2=127.0.[0-5,22,128-255].2*5,
dnswl_site3=*6
(these next parameters' behavior is unchanged, but the docs
have been updated)
(Require a "+" or "-" sign for the score thresholds to prevent
ambiguity. The alternatives are to assume "-" for the
whitelist and "+" for the blacklist, or always assume "+". I
think it's least confusing to just require the sign.)
(The score threshold range is arbitrary.)
- postscreen_dnsxl_whitelist_score (default -1); a "pass"
threshold for the total of the client's dnsxl points. Specify
a value in the range [-999~+999] inclusive. The sign must be
specified. Clients scoring at or BELOW this value trigger the
postscreen_dnsxl_whitelist_action. Clients scoring greater
than postscreen_dnsxl_whitelist_score, but less than
postscreen_dnsxl_blacklist_score continue with postscreen
analysis for disposition.
Example:
postscreen_dnsxl_whitelist_score = -5
- postscreen_dnsxl_blacklist_score (default 1); a "drop"
threshold for the total of the client's dnsxl points. Specify
a value in the range [-999~+999] inclusive. The sign must be
specified. Clients scoring at or ABOVE this value trigger the
postscreen_dnsxl_blacklist_action. Clients scoring greater
than postscreen_dnsxl_whitelist_score, but less than
postscreen_dnsxl_blacklist_score continue with postscreen
analysis for disposition.
Example:
postscreen_dnsxl_blacklist_score = +5
- postscreen_dnsxl_whitelist_action (default continue); the
action postscreen takes when a client's dnsxl score is at or
below the postscreen_dnsxl_whitelist_score.
Specify one of:
continue; perform additional postscreen tests to determine
disposition.
pass; exempt the client from further postscreen tests and pass
it to a real SMTP server process.
- postscreen_dnsxl_blacklist_action (default continue); the
action postscreen takes when a client's dnsxl score is at or
above the postscreen_dnsxl_blacklist_score.
Specify one of:
continue; perform additional postscreen tests to determine
disposition.
drop; drop the connection with a 521 SMTP reply
(next two items are for future expansion if hostnames are
available)
- postscreen_dnsbl_hostname_sites (default empty); a comma-
separated list of rhsbl hostname blacklist sites using the
unverified client hostname with optional result filter and
optional weight. When the unverified reverse client hostname
is listed with an A record matching the result filter, add
{weight} points (default 1) to the client dnsxl score. If no
result filter is specified, add {weight} points (default 1) to
the client dnsxl score if any A record is listed. If multiple
A records are found, {weight} will only be added once.
Specify one or more rhsbl sites as:
rhsbl_site[=d.d.d.d][*N]
where rhsbl_site is the site name, d.d.d.d is the optional
result filter, and N is the optional weight value. A range in
the result filter may be specified within brackets in place of
an octet. Multiple ranges or single values may be separated
by commas within the brackets. The weight may be specified as
the character "*" followed by a value in the range [0~99]
inclusive.
Examples:
postscreen_dnsbl_hostname_sites =
dnsbl_site1,
dnsbl_site2=127.0.[0-5,22,128-255].2*5,
dnsbl_site3=*6
- postscreen_dnswl_hostname_sites (default empty); a comma-
separated list of rhswl hostname whitelist sites using the
FCrDNS verified client hostname with optional result filter
and optional weight. When the client hostname is listed with
an A record matching the result filter, subtract {weight}
points (default 1) from the client dnsxl score. If no result
filter is specified, subtract {weight} points (default 1) from
the client dnsxl score if any A record is listed. If multiple
A records are found, {weight} will only be subtracted once.
Specify one or more rhswl sites as:
rhswl_site[=d.d.d.d][*N]
where rhswl_site is the site name, d.d.d.d is the optional
result filter, and N is the optional weight value. A range in
the result filter may be specified within brackets in place of
an octet. Multiple ranges or single values may be separated
by commas within the brackets. The weight may be specified as
the character "*" followed by a value in the range [0~99]
inclusive.
Examples:
postscreen_dnswl_hostname_sites =
dnswl_site1,
dnswl_site2=127.0.[0-5,22,128-255].2*5,
dnswl_site3=*6
-- Noel Jones