subject:"Re\: simple greylisting by geoip\? milter or policy server\?"

Re: simple greylisting by geoip? milter or policy server?

2016-06-15 Thread Noel Jones

On 6/14/2016 7:21 PM, Allen Coates wrote:
> 
> 
> On 14/06/16 23:31, list...@tutanota.com wrote:
>>
>> 14. Jun 2016 15:01 by njo...@megan.vbhcs.org
>> :
>>
>> Is there some way to integrate the GeoIP dbs with postscreen?
>>
>>
>> No, at least not easily.
>>
>>  
>>
>> Ok.  That would be a nice function to have, in my own opinion.
>>
> 
> FWIW -  my postscreen_dnsbl_sites contains the lines:-
> 
> zz.countries.nerd.dk,
> zz.countries.nerd.dk=127.0.3.58*-1,
> 
> The first line ALWAYS returns  a country code (for analysis), and also
> scores 1 "blacklist point" which is
> recinded by the second line if the remote host is in my own country (the UK)
> 
> You can also interrogate the site by country, eg   "host
> 4.3.2.1.uk.countries.nerd.dk", which will only return a code if the ip
> address belongs to the uk...
> 
> It might give you another "angle" on processing by country
> 
> Regards
> 
> Allen C
> 


Clever.  The OP can arrange for his own country to have a negative
score exceeding postscreen_dnsbl_whitelist_threshold.  That will
effectively only delay foreign mail with deep inspection.


  -- Noel Jones

Re: simple greylisting by geoip? milter or policy server?

2016-06-15 Thread Wietse Venema

list...@tutanota.com:
> 
> 15. Jun 2016 02:55 by wie...@porcupine.org:
> 
> > list...@tutanota.com> :
> >> > As for greylisting, you could use postscreen's deep protocol tests
> >> > instead - those tests require that clients disconnect and come back
> >> > before they can send mail.
> >>
> >> I do not want to delay all the inbound mail.
> >
> > You are not delaying all email. Deep protocol tests results
> > are cached for 30 days.
> 
> Ok. I think I have to correct the requirement.
> 
>   I think I understand then that every NEW mail that is not having
>   already been cached by a deep protocol test will be delayed??
>   At least the one time?

Nope. The caching is by CLIENT IP ADDRESS not EMAIL.

These details matter. Computers are like that.

Wietse

Re: simple greylisting by geoip? milter or policy server?

2016-06-15 Thread lists42


15. Jun 2016 02:55 by wie...@porcupine.org:

> list...@tutanota.com> :
>> > As for greylisting, you could use postscreen's deep protocol tests
>> > instead - those tests require that clients disconnect and come back
>> > before they can send mail.
>>
>> I do not want to delay all the inbound mail.
>
> You are not delaying all email. Deep protocol tests results
> are cached for 30 days.
>




Ok. I think I have to correct the requirement.




  I think I understand then that every NEW mail that is not having already 
been cached by a deep protocol test will be delayed?  At least the one time?




I cannot tolerate that for even new mails.  I'm chasing the goal of only 
delaying/greylisting ever the mails from a list of countries.

Re: simple greylisting by geoip? milter or policy server?

2016-06-15 Thread lists42



14. Jun 2016 22:49 by i...@markusbenning.de:

> may be mtpolicyd is an option for you:
>
> https://www.mtpolicyd.org
>
> It is a modular policyd and ships with a plugin for geoip.
> It works like this:
>




This looks like another option to milter-greylist.




I notice that it's different because it is a policyd daemon instead a milter.




If I am only using the geoip-greylisting capability is there a better reason 
to use one over the other?




It looks to be that milter-greylist maybe a lighter weight solution.

Re: simple greylisting by geoip? milter or policy server?

2016-06-15 Thread Wietse Venema

list...@tutanota.com:
> > As for greylisting, you could use postscreen's deep protocol tests
> > instead - those tests require that clients disconnect and come back
> > before they can send mail.
> 
> I do not want to delay all the inbound mail.

You are not delaying all email. Deep protocol tests results
are cached for 30 days.

Wietse

Re: simple greylisting by geoip? milter or policy server?

2016-06-15 Thread Tom Hendrikx



On 15-06-16 02:21, Allen Coates wrote:
> 
> 
> On 14/06/16 23:31, list...@tutanota.com wrote:
>>
>> 14. Jun 2016 15:01 by njo...@megan.vbhcs.org
>> :
>>
>> Is there some way to integrate the GeoIP dbs with postscreen?
>>
>>
>> No, at least not easily.
>>
>>  
>>
>> Ok.  That would be a nice function to have, in my own opinion.
>>
> 
> FWIW -  my postscreen_dnsbl_sites contains the lines:-
> 
> zz.countries.nerd.dk,
> zz.countries.nerd.dk=127.0.3.58*-1,
> 
> The first line ALWAYS returns  a country code (for analysis), and also
> scores 1 "blacklist point" which is
> recinded by the second line if the remote host is in my own country (the UK)
> 
> You can also interrogate the site by country, eg   "host
> 4.3.2.1.uk.countries.nerd.dk", which will only return a code if the ip
> address belongs to the uk...
> 
> It might give you another "angle" on processing by country
> 

You could also convert the cidr tables from
http://www.ipdeny.com/ipblocks/ into check_client_access rules that
whitelist some countries from greylisting.

Kind regards,
Tom

Re: simple greylisting by geoip? milter or policy server?

2016-06-14 Thread Benning, Markus


On 2016-06-14 02:28, list...@tutanota.com wrote:

I am considering the installation of Greylisting with Postfix.

I want it only for one condition, to greylist mail originating from
certain countries.


Hi,

may be mtpolicyd is an option for you:

https://www.mtpolicyd.org

It is a modular policyd and ships with a plugin for geoip.
It works like this:

  
module = "GeoIPLookup"
database = "/usr/share/GeoIP/GeoIP.dat"
  
  
module = "GeoIPAction"
result_from = "geoip"
country_codes = "DE,AT,CH,FR,IT"
mode = passive
score = -1
  
  
module = "GeoIPAction"
result_from = "geoip"
country_codes = "RU,UA,CN,IN"
mode = passive
score = 5
  

Instead of a score you could also set actions:

  
module = "GeoIPAction"
result_from = "geoip"
country_codes = "AQ"
mode = "reject"
reject_message = "too cold"
  

Theres also a Greylisting plugin.
You can combine them for conditional greylisting:

  
module = "ScoreAction"
threshold = 5

  module = "Greylist"
  score = -5
  mode = "passive"
  # activating the autowl will require a SQL database
  use_autowl = 0

  


Markus

--
https://markusbenning.de/

Re: simple greylisting by geoip? milter or policy server?

2016-06-14 Thread Allen Coates



On 14/06/16 23:31, list...@tutanota.com wrote:
>
> 14. Jun 2016 15:01 by njo...@megan.vbhcs.org
> :
>
> Is there some way to integrate the GeoIP dbs with postscreen?
>
>
> No, at least not easily.
>
>  
>
> Ok.  That would be a nice function to have, in my own opinion.
>

FWIW -  my postscreen_dnsbl_sites contains the lines:-

zz.countries.nerd.dk,
zz.countries.nerd.dk=127.0.3.58*-1,

The first line ALWAYS returns  a country code (for analysis), and also
scores 1 "blacklist point" which is
recinded by the second line if the remote host is in my own country (the UK)

You can also interrogate the site by country, eg   "host
4.3.2.1.uk.countries.nerd.dk", which will only return a code if the ip
address belongs to the uk...

It might give you another "angle" on processing by country

Regards

Allen C




> Or for that case is the milter-greylist idea better?
> Yes, that will work fine for selective greylisting.
>
>
> I've been looking at this and am uncertain that it helps.
>
>
> Because the milter will have to be after postscreen right?  So The
> traffic from blocked countries will still get past the postscreen stage?
>
>
> I guess that is better than all the way through to delivery in any case.
>
>
>

Re: simple greylisting by geoip? milter or policy server?

2016-06-14 Thread lists42


14. Jun 2016 15:01 by njo...@megan.vbhcs.org:

>> Is there some way to integrate the GeoIP dbs with postscreen?
>
> No, at least not easily.

 

Ok.  That would be a nice function to have, in my own opinion.





> Or for that case is the milter-greylist idea better?
> Yes, that will work fine for selective greylisting.
>




I've been looking at this and am uncertain that it helps.




Because the milter will have to be after postscreen right?  So The traffic 
from blocked countries will still get past the postscreen stage?




I guess that is better than all the way through to delivery in any case.

Re: simple greylisting by geoip? milter or policy server?

2016-06-14 Thread Michael J Wise

> On 6/14/2016 4:06 PM, list...@tutanota.com wrote:
>>
>> Is there some way to integrate the GeoIP dbs with postscreen?
>
> No, at least not easily.

I would think it would be a Simple Matter of Programming, given a list of
the countries and languages you trusted, to generate a list of all the
ones you didn't. Would require a little binary math, but the list
shouldn't change that often.

Or, it could be a lookup of some sort.

>> Or for that case is the milter-greylist idea better?
>
> Yes, that will work fine for selective greylisting.

Aloha mai Nai`a.
-- 
" So this is how Liberty dies ...  http://kapu.net/~mjwise/
" To Thunderous Applause.

Re: simple greylisting by geoip? milter or policy server?

2016-06-14 Thread Noel Jones

On 6/14/2016 4:06 PM, list...@tutanota.com wrote:
> 
> Is there some way to integrate the GeoIP dbs with postscreen?

No, at least not easily.

> 
> Or for that case is the milter-greylist idea better?

Yes, that will work fine for selective greylisting.


  -- Noel Jones

Re: simple greylisting by geoip? milter or policy server?

2016-06-14 Thread lists42


13. Jun 2016 17:54 by wie...@porcupine.org:

> list...@tutanota.com> :
>> But then I also read that that 'Policy delegation is now the preferred 
>> method
>> for adding policies to Postfix.'
>
> Milter support was added later, because some things can't be done
> with policy servers.




Ok.  I was'not sure about the differences or benefits.




> As for greylisting, you could use postscreen's deep protocol tests
> instead - those tests require that clients disconnect and come back
> before they can send mail.
>




I do not want to delay all the inbound mail.





I didn't understand that I could delay only some countries with the deep 
protocol tests, using for example the GeoIP databases.



Is there some way to integrate the GeoIP dbs with postscreen?

Or for that case is the milter-greylist idea better?

Re: simple greylisting by geoip? milter or policy server?

2016-06-13 Thread Wietse Venema

list...@tutanota.com:
> But then I also read that that 'Policy delegation is now the preferred method 
> for adding policies to Postfix.'

Milter support was added later, because some things can't be done
with policy servers. 

As for greylisting, you could use postscreen's deep protocol tests
instead - those tests require that clients disconnect and come back
before they can send mail.

Wietse

Re: simple greylisting by geoip? milter or policy server?

Re: simple greylisting by geoip? milter or policy server?

Re: simple greylisting by geoip? milter or policy server?

Re: simple greylisting by geoip? milter or policy server?

Re: simple greylisting by geoip? milter or policy server?

Re: simple greylisting by geoip? milter or policy server?

Re: simple greylisting by geoip? milter or policy server?

Re: simple greylisting by geoip? milter or policy server?

Re: simple greylisting by geoip? milter or policy server?

Re: simple greylisting by geoip? milter or policy server?

Re: simple greylisting by geoip? milter or policy server?

Re: simple greylisting by geoip? milter or policy server?

Re: simple greylisting by geoip? milter or policy server?

13 matches

Site Navigation

Mail list logo

Footer information