Actually, this behavior is by design.  When a connection is whitelisted, 
it bypasses _all_ filters, full stop.  There's no such thing as a 
"partially whitelisted" connection, which seems to be what you're expecting.

If I understand your configuration correctly, you want to block 
connections from e.g. 11-22-33-44.cable.example.com AND you want 
connections from e.g. 11-22-33-44.static.cable.example.com to pass the 
keyword filter yet still be subject to all other filters.  
Unfortunately, that kind of configuration isn't possible in the current 
version.  If you're feeling adventurous, it shouldn't be too hard to 
hack that kind of thing into the code -- I would add a new option that 
allows you to specify a file full of "skip" keywords.  Then change 
filter_ip_in_rdns_blacklist() in filter.c to check the "skip" file 
before checking the blacklist file.

Good luck!

-- Sam Clippinger

Mirko Buffoni wrote:
> Hi,
>
> I already sent this to Sam, but I'd like your opinions on this too.
> I've set up a machine configured with spamdyke 4.0.10, which will
> filter out direct SMTP connections when special keywords are found in
>
> ip-in-rdns-keyword-blacklist-file=/var/spamdyke/blacklist_keywords
>
> (i.e.
> cable
> dsl
> xdsl
> dynamic
> )
>
> however, I'd like to limit this filter and not cut out dynamic IP if
> a keyword is found in
>
> ip-in-rdns-keyword-whitelist-file=/var/spamdyke/whitelist_keywords
>
> (i.e.
> static
> )
>
> Plus, I have set up spamdyke to always check relay with
>
> relay-level=normal
>
> What happens is that if a keyword is found in the rDNS whitelist, this will
> turn the machine into an open relay, because the relay check is skipped.
>
> Indeed the filter sequence is:
>
>          filter_level
>
>          /* Post-connect filters */
>          filter_rdns_missing
>          filter_ip_in_rdns_cc
>          filter_rdns_whitelist
>
> (STATE is DO NOT FILTER at this point)
>          filter_rdns_whitelist_file
>          filter_rdns_whitelist_dir
>          filter_rdns_blacklist
>          filter_rdns_blacklist_file
>          filter_rdns_blacklist_dir
>          filter_ip_whitelist
>          filter_ip_blacklist
>          filter_ip_in_rdns_whitelist
>          filter_ip_in_rdns_blacklist
>          filter_rdns_resolve
>          filter_dns_rwl
>          filter_dns_rhswl
>          filter_dns_rbl
>          filter_dns_rhsbl
>          filter_earlytalker
>
>          /* Post-MAIL FROM filters */
>          filter_sender_whitelist
>          filter_sender_rhswl
>          filter_sender_blacklist
>          filter_sender_rhsbl
>          filter_sender_no_mx
>
>          filter_recipient_whitelist
>       
>          filter_recipient_relay
> (which is SKIPPED)
>
> The point is: the recipient_relay filter should be skipped only if the
> sender is whitelisted, or the IP is whitelisted, when relay-check is NORMAL.
>
> We'd need another in-between state which will separate the decision based
> on the connection phase (which involves all /* Post-connect filters */)
> from the /* Post-MAIL FROM filters */
>
> Or, maybe, we'd need another state for relay-check, to ignore whitelisted
> IP and check for SMTP AUTHenticated sessions before allowing the connection.
>
> Maybe I'm misunderstanding the meaning of rDNS whitelist, but I do not see
> it at the same level as a Whitelist IP to skip relay check.
>
> Thank you for your opinions.
>
> Mirko
>
> _______________________________________________
> spamdyke-users mailing list
> [email protected]
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
>   
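
A simplified model of the "skip" keyword idea suggested at the top of this thread, next to the current whitelist behaviour, added here as an example (it is not spamdyke's code and not written by either poster). All function and array names, the '.'/'-' boundary rule for keyword matching, and the `authenticated` / `local_rcpt` flags are assumptions made for the model.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, NOT spamdyke source: every name below is hypothetical. */
enum verdict { ACCEPT, REJECT_KEYWORD, REJECT_RELAY };

static const char *BLACKLIST[] = { "cable", "dsl", "xdsl", "dynamic", NULL };
static const char *KEYWORDS_STATIC[] = { "static", NULL }; /* whitelist or skip file */

/* True if a keyword occurs in rdns delimited by '.', '-' or the string ends
 * (assumed matching rule for this model). */
static int has_keyword(const char *rdns, const char **list) {
    for (; *list; list++) {
        size_t n = strlen(*list);
        for (const char *p = strstr(rdns, *list); p; p = strstr(p + 1, *list)) {
            int left = (p == rdns) || p[-1] == '.' || p[-1] == '-';
            int right = p[n] == '\0' || p[n] == '.' || p[n] == '-';
            if (left && right) return 1;
        }
    }
    return 0;
}

/* use_skip = 0: keyword whitelist as described in the thread (a match
 *               bypasses every later filter, including the relay check).
 * use_skip = 1: suggested "skip" list (a match only exempts the connection
 *               from the keyword blacklist; later filters still run). */
enum verdict evaluate(const char *rdns, int authenticated, int local_rcpt, int use_skip) {
    int hit = has_keyword(rdns, KEYWORDS_STATIC);
    if (hit && !use_skip)
        return ACCEPT;                  /* whitelisted: relay check never runs */
    if (!hit && has_keyword(rdns, BLACKLIST))
        return REJECT_KEYWORD;          /* stands in for filter_ip_in_rdns_blacklist */
    if (!local_rcpt && !authenticated)
        return REJECT_RELAY;            /* stands in for filter_recipient_relay */
    return ACCEPT;
}

int main(void) {
    const char *host = "11-22-33-44.static.cable.example.com"; /* name from the thread */
    printf("whitelist, remote rcpt: %d\n", evaluate(host, 0, 0, 0));
    printf("skip list, remote rcpt: %d\n", evaluate(host, 0, 0, 1));
    printf("skip list, local rcpt:  %d\n", evaluate(host, 0, 1, 1));
    return 0;
}
```

With the whitelist semantics the unauthenticated remote-recipient case is accepted; with the skip list the same connection is stopped at the relay check while mail for a local recipient still gets through.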