On 8/25/2010 6:20 PM, Rob Foehl wrote:
On Wed, 25 Aug 2010, Noel Jones wrote:
The user interface would be familiar to anyone using rbl
checks. Sample documentation under the appropriate
- permit_dnswl_client dnswl_domain=d.d.d.d
Accept the request when the reversed client IP network
address is listed with an A record of d.d.d.d under
dnswl_domain. If no =d.d.d.d is given, accept the request
with any A record under dnswl_domain. For safety, only
authorized destinations are accepted, see
- permit_rhswl_client rhswl_domain=d.d.d.d
Accept the request when the client hostname is listed with
an A record of d.d.d.d under rhswl_domain. If no =d.d.d.d is
given, accept the request with any A record under
rhswl_domain. For safety, only authorized destinations are
accepted, see permit_auth_destination.
Seems like this one would be very easy to use, and fairly
easy to implement.
This sounds like a reasonable proposal, and I would argue that
maintaining parity with existing smtpd features is important,
whether or not postscreen ever grows an analogous mechanism.
Unconditionally returning permit_auth_destination should make
this suitably safe, despite the simple interface.
Although most discussion has been about postscreen, I'm still
very interested in dns whitelisting in smtpd.
Once we (collectively) get the postscreen dnsxl scoring user
interface sorted out, it should be possible to adapt the
framework for smtpd without reinventing the wheel.
Then there would be a unified interface for dnsxl scoring.
As it happens, I have a partial implementation of such a
feature that I was playing with a few years ago, and could
probably be coerced into updating it for current releases and
posting a patch, if there is further consensus that this is
the desired interface and/or mechanism.
The simple interface proposed above should be much easier to
implement (I'll bet a lot of existing rbl code could be
reused), but let's shoot for Mars right now. If we have to
settle for the Moon later, that's not so bad.
-- Noel Jones
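
The lookup semantics proposed in the message above, as an added sketch (not Postfix code and not part of the original thread). The list name list.dnswl.example, the resolve_a callback, the constructed zone data and the PERMIT/DUNNO return strings are assumptions for illustration; IPv6 nibble reversal goes beyond the IPv4 case the proposal describes.

```python
import ipaddress

def dnswl_query_name(client_ip, dnswl_domain):
    """Reversed client address placed under dnswl_domain."""
    rev = ipaddress.ip_address(client_ip).reverse_pointer
    # reverse_pointer appends the reverse-DNS zone; a DNSxL query drops it.
    for suffix in (".in-addr.arpa", ".ip6.arpa"):
        if rev.endswith(suffix):
            rev = rev[: -len(suffix)]
    return f"{rev}.{dnswl_domain}"

def parse_arg(arg):
    """Split 'dnswl_domain=d.d.d.d'; the '=d.d.d.d' filter is optional."""
    domain, sep, want = arg.partition("=")
    if not domain:
        raise ValueError("missing dnswl_domain")
    if sep:
        ipaddress.IPv4Address(want)  # rejects an empty or malformed filter
        return domain, want
    return domain, None

def permit_dnswl_client(client_ip, arg, dest_authorized, resolve_a):
    """Model of the proposed restriction.

    resolve_a(name) is a hypothetical callback returning the list of A
    records for name (empty list when the name does not exist).
    dest_authorized stands in for the permit_auth_destination outcome.
    """
    domain, want = parse_arg(arg)
    records = resolve_a(dnswl_query_name(client_ip, domain))
    # No filter: any A record counts. With a filter: that exact record only.
    listed = bool(records) if want is None else want in records
    if not listed:
        return "DUNNO"
    # A listed client is accepted only for authorized destinations, so a
    # whitelist hit can never turn the server into an open relay.
    return "PERMIT" if dest_authorized else "DUNNO"

# Constructed sample zone: 192.0.2.10 is listed with A record 127.0.10.1.
SAMPLE_ZONE = {"10.2.0.192.list.dnswl.example": ["127.0.10.1"]}

def sample_resolver(name):
    return SAMPLE_ZONE.get(name, [])

if __name__ == "__main__":
    for arg in ("list.dnswl.example", "list.dnswl.example=127.0.10.3"):
        print(arg, permit_dnswl_client("192.0.2.10", arg, True, sample_resolver))
```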