[spamdyke-users] Spamdyke relay check ignored when rDNS whitelist keyword is found

Tue, 05 May 2009 02:49:19 -0700 

Hi,

I already sent this to Sam, but I'd like your opinions on this too.
I've setup a machine configured with spamdyke 4.0.10, which will
filter out direct SMTP connections when special keywords are found in

ip-in-rdns-keyword-blacklist-file=/var/spamdyke/blacklist_keywords

(i.e.
cable
dsl
xdsl
dynamic
)

however, I'd like to limit this filter and not cut out dynamic IP if
a keyword is found in

ip-in-rdns-keyword-whitelist-file=/var/spamdyke/whitelist_keywords

(i.e.
static
)

Plus, I have setup spamdyke to always check relay with

relay-level=normal

What happens is that if keyword is found in rDNS whitelist, this will
turn out the machine into an open relay, because relay check is skipped.

Indeed the filter sequence is:

         filter_level

         /* Post-connect filters */
         filter_rdns_missing
         filter_ip_in_rdns_cc
         filter_rdns_whitelist

(STATE is DO NOT FILTER at this point)
         filter_rdns_whitelist_file
         filter_rdns_whitelist_dir
         filter_rdns_blacklist
         filter_rdns_blacklist_file
         filter_rdns_blacklist_dir
         filter_ip_whitelist
         filter_ip_blacklist
         filter_ip_in_rdns_whitelist
         filter_ip_in_rdns_blacklist
         filter_rdns_resolve
         filter_dns_rwl
         filter_dns_rhswl
         filter_dns_rbl
         filter_dns_rhsbl
         filter_earlytalker

         /* Post-MAIL FROM filters */
         filter_sender_whitelist
         filter_sender_rhswl
         filter_sender_blacklist
         filter_sender_rhsbl
         filter_sender_no_mx

         filter_recipient_whitelist
        
         filter_recipient_relay
(which is SKIPPED)

The point is:  recipient_relay filter should be skipped only if sender is 
whitelisted,
or ip is whitelisted, when relay-check is NORMAL.

We'd need another inbetween state which will separate decision based on 
connection phase
(which involves all /* Post-connect filters */ ), from the /* Post-MAIL 
FROM filters */

Or, maybe, we'd need another state for relay-check, to ignore whitelisted 
IP and check
for SMTP AUTHenticated sessions before allowing the connection.

Maybe I'm misleading the meaning of rDNS whitelist, but I do not see it at 
the same
level of a Whitelist IP to skip relay check.

Thank you for your opinions.

Mirko

_______________________________________________
spamdyke-users mailing list
[email protected]
http://www.spamdyke.org/mailman/listinfo/spamdyke-users

Reply via email to