Re: Spamhaus DWL in postfix
OT, sorry, just to finish up this thread:

myself:
I'm working on a SpamAssassin plugin to implement Spamhaus DWL (and other 'SA tag'-based DNS lookups).

Done. Available in the SpamAssassin SVN trunk (on its way to become 3.4.0):
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6518

Also the IPv6 DNSWL/DNSBL queries according to RFC 5782 are there now:
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6519

Mark
Re: Spamhaus DWL in postfix
Christian Roessner:
I am interested in including the DWL feature from Spamhaus into postfix.

Wietse:
DWL requires external content inspection. For example, a Milter, or a before-or-after-queue SMTP-based filter. Either approach can be used to verify the DKIM signature and the VBR header.

I'm working on a SpamAssassin plugin to implement Spamhaus DWL (and other 'SA tag'-based DNS lookups). It is a bit more tricky than it seems at first glance. Coupled with amavisd-new 2.7.0 in a pre-queue proxy mode this could accomplish the job (i.e. meeting Spamhaus DWL requirements, not a general VBR implementation).

That's great to hear :) My only problem is that I think that there needs to be something inside postfix that prevents postfix from rejecting a mail, before it was checked against DWL/DKIM.

Postfix must not reject CONNECT, HELO, MAIL FROM, RCPT TO or DATA. Instead, any REJECT must happen AFTER the before-queue filter has examined the complete envelope and message content.

Therefore, the before-queue filter knows that the mail should be rejected.

Therefore, the before-queue filter can reject the mail at END-OF-DATA time, and no change to Postfix is needed.

Wietse
Re: Spamhaus DWL in postfix
Because my guess is that I have to use some kind of a pre-queue-milter to check for the VBR-Header and if it exists doing some DWL-DNS lookup.

Please be careful. The mere existence of a VBR-Info header is insufficient; before performing any DWL lookups, be sure to use a suitable validation mechanism as described in RFC 5518.

I think implementing this is not as easy as I hoped in the beginning. Are there people here who would like to start a project together with me?

Just a couple of thoughts:

- Language: Python or C (because I can't do Perl)
- Good design; trying good OOP
- Doing theory and implementing all protocols necessary (VBR, ...)
- Using GIT
- ...

I think that I alone cannot do this. But I have seen there are several other VBR-using websites, so this really could be interesting. Yet I do not know how to deal with the DKIM verification; as of writing this, I use amavis for signing/verifying. So one question is if DKIM verify for VBR must be done in the milter, too, or if we can find another mechanism.

If people are interested in such a project, I would open extra mailing lists.

Feedback is welcome

Christian

---
Roessner-Network-Solutions
Bachelor of Science Informatik
Nahrungsberg 81, 35390 Gießen
F: +49 641 5879091, M: +49 176 93118939
USt-IdNr.: DE225643613
http://www.roessner-network-solutions.com
Re: Spamhaus DWL in postfix
On Mon, 2010-11-15 at 10:38:22 +0100, Christian Roessner wrote:

I think that I alone cannot do this. But I have seen there are several other VBR-using websites, so this really could be interesting. Yet I do not know how to deal with the DKIM verification; as of writing this, I use amavis for signing/verifying. So one question is if DKIM verify for VBR must be done in the milter, too, or if we can find another mechanism.

If you already use amavisd-new for DKIM verification, then use a custom hook that, conditional on a verified DKIM signature, does the VBR checks and lookups (using Net::DNS, perhaps). If you choose to go this route, please move the discussion to the amavisd-new mailing list.

--
Sahil Tandon sa...@freebsd.org
Re: Spamhaus DWL in postfix
Christian Roessner:
I am interested in including the DWL feature from Spamhaus into postfix.

Wietse:
DWL requires external content inspection. For example, a Milter, or a before-or-after-queue SMTP-based filter. Either approach can be used to verify the DKIM signature and the VBR header.

I'm working on a SpamAssassin plugin to implement Spamhaus DWL (and other 'SA tag'-based DNS lookups). It is a bit more tricky than it seems at first glance. Coupled with amavisd-new 2.7.0 in a pre-queue proxy mode this could accomplish the job (i.e. meeting Spamhaus DWL requirements, not a general VBR implementation).

Mark
Re: Spamhaus DWL in postfix
I am interested in including the DWL feature from Spamhaus into postfix.

Wietse:
DWL requires external content inspection. For example, a Milter, or a before-or-after-queue SMTP-based filter. Either approach can be used to verify the DKIM signature and the VBR header.

I'm working on a SpamAssassin plugin to implement Spamhaus DWL (and other 'SA tag'-based DNS lookups). It is a bit more tricky than it seems at first glance. Coupled with amavisd-new 2.7.0 in a pre-queue proxy mode this could accomplish the job (i.e. meeting Spamhaus DWL requirements, not a general VBR implementation).

That's great to hear :) My only problem is that I think that there needs to be something inside postfix that prevents postfix from rejecting a mail, before it was checked against DWL/DKIM. So this is where I think the milter comes and where the smtpd_restrictions need to be shifted to smtpd_data_restrictions.

Could it mean that it might be enough to run amavis not as smtpd_proxy_filter, but as milter; maybe? Could this be a solution?

Thanks

Christian
Re: Spamhaus DWL in postfix
On Sun, 2010-11-14 at 13:24:59 +0100, Christian Roessner wrote:

Because my guess is that I have to use some kind of a pre-queue-milter to check for the VBR-Header and if it exists doing some DWL-DNS lookup.

Please be careful. The mere existence of a VBR-Info header is insufficient; before performing any DWL lookups, be sure to use a suitable validation mechanism as described in RFC 5518.

--
Sahil Tandon sa...@freebsd.org
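
Added example, not part of any message in this thread and not code from SpamAssassin or amavisd-new: a Python sketch of the ordering described above, where a VBR-Info header (RFC 5518) yields a `<md>._vouch.<voucher>` TXT query only if its md= domain matches a DKIM-verified signing domain. The zone `dwl.example`, the sample domains and all function names are assumptions; DKIM verification is assumed to have happened upstream, and the DNS lookup itself is left to the caller.

```python
import re

# Assumption: vouching services this receiver trusts (placeholder zone).
TRUSTED_VOUCHERS = {"dwl.example"}
LABEL = r"[a-z0-9]([a-z0-9-]*[a-z0-9])?"
DOMAIN_RE = re.compile(rf"{LABEL}(\.{LABEL})+")


def parse_vbr_info(value):
    """Split a VBR-Info value into md, mc and the colon-separated mv list."""
    fields = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            fields[key.strip().lower()] = val.strip().lower()
    md = fields.get("md", "")
    if not DOMAIN_RE.fullmatch(md):
        return None  # missing or malformed md=: never build a DNS name from it
    mv = [v.strip() for v in fields.get("mv", "").split(":") if v.strip()]
    return {"md": md, "mc": fields.get("mc", ""), "mv": mv}


def dwl_queries(vbr_info_value, verified_dkim_domains):
    """Return the TXT query names to issue, or [] when validation fails."""
    info = parse_vbr_info(vbr_info_value)
    if info is None:
        return []
    verified = {d.lower().rstrip(".") for d in verified_dkim_domains}
    # The header is sender-controlled: md= counts only if a DKIM signature
    # for that same domain has already verified.
    if info["md"] not in verified:
        return []
    # Query only vouchers the receiver trusts, not every name the sender lists.
    return [f'{info["md"]}._vouch.{v}' for v in info["mv"] if v in TRUSTED_VOUCHERS]


def vouched(txt_record, mc):
    """Conservative match of the TXT answer: 'all' or the message's mc= type."""
    types = txt_record.lower().split()
    return "all" in types or (mc != "" and mc in types)


# Constructed sample header value, not taken from real mail.
SAMPLE = "md=sender.example; mc=transaction; mv=dwl.example:other.example"
```
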