No. DNS based whitelisting does not belong in there, because it is slow and DOS'able.
spamd is designed to be high speed low drag. If you want to do a DNS based whitelist,
write a little co-thing that spits one into a file or into your nospamd table that then
spamd *does not even see*. In short *spamd* is the wrong place to do this. Put your dns
based whitelist in a table periodically.

On Tue, Mar 29, 2016 at 1:11 PM, Christopher Zimmermann <[email protected]> wrote:
> Hi,
>
> I want to use a DNS white list to skip greylisting delays for known
> good addresses, which would pass the greylist anyway.
> To do this with spamd and OpenSMTPd I wrote a prototype which intercepts
> the initial SYN packet from any non-whitelisted ip. It then queries DNS
> whitelists and on any positive reply it whitelists the ip. The SYN
> packet is dropped. Any sane smtp server will very shortly resend the
> SYN and get through to OpenSMTPd.
> This program is only a proof-of-concept. I think the same functionality
> could be integrated into spamd or as transparent relay into relayd. Is
> this a sensible approach?
>
> Christopher
>
>
> On 2016-03-15 Stuart Henderson <[email protected]> wrote:
>> On 2016/03/15 12:55, Craig Skinner wrote:
>> > Generally, everything has changed from file feeds to DNS.
>>
>> Yep, because for the more actively maintained ones 1) new entries show
>> up more quickly than any sane rsync interval, this is quite important
>> for good blocking these days 2) DNS is less resource intensive and
>> more easily distributed than rsync, and 3) importantly for the rbl
>> providers, it gives additional input to them about new mail sources
>> (if an rbl suddenly starts seeing queries from all over the world for
>> a previously unseen address, it's probably worth investigation - I am
>> sure this is why some of the commercial antispam operators provide
>> free DNS-based lookups for smaller orgs).
>>
>> A more flexible approach would be to skip the PF table integration
>> completely and do DNS lookups in spamd (or, uh, relayd, or something
>> new) and based on that it could choose whether to tarpit, greylist or
>> transparent-forward the connection to the real mail server. This
>> would also give a way to use dnswl.org's whitelist to avoid
>> greylisting for those hosts where it just doesn't work well (gmail,
>> office365 etc).
>>
>
>
>
> --
> http://gmerlin.de
> OpenPGP: http://gmerlin.de/christopher.pub
> 2779 7F73 44FD 0736 B67A C410 69EC 7922 34B4 2566
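The "little co-thing" the top reply describes, written out as an added example (it is not code from anyone in this thread, nor from OpenBSD): a periodic job that resolves candidate sender addresses against a DNS whitelist and writes the listed ones to a file that pfctl loads into the nospamd table. spamd itself never performs a DNS lookup, so the slow, DoS-prone part stays out of its path. Assumptions not taken from the thread: the zone is list.dnswl.org and it answers with 127.0.<category>.<trust> as described in dnswl.org's own documentation (verify before relying on the mapping), host(1) is the resolver, and the refused-query sentinel is 127.0.0.255; resolve_a() is a separate function so it can be replaced in tests or swapped for another tool.

```shell
#!/bin/sh
# Added example, not the poster's or OpenBSD's code.  Resolves candidate IPs
# against a DNS whitelist outside spamd and emits a pf table file.
#
# Assumptions (not from the thread): zone list.dnswl.org, answers of the form
# 127.0.<category>.<trust>, 127.0.0.255 meaning "queries refused", host(1)
# available.  Check dnswl.org's documentation for the authoritative format.

DNSWL_ZONE="${DNSWL_ZONE:-list.dnswl.org}"
MIN_TRUST="${MIN_TRUST:-1}"   # assumed mapping: 0 none, 1 low, 2 medium, 3 high

# reverse_ip 192.0.2.10 -> 10.2.0.192 ; fails on anything that is not a dotted quad
reverse_ip() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s\n' "$4" "$3" "$2" "$1"
}

# dnswl_name IP -> the query name under the whitelist zone
dnswl_name() {
    r=$(reverse_ip "$1") || return 1
    printf '%s.%s\n' "$r" "$DNSWL_ZONE"
}

# resolve_a NAME -> A records, one per line (empty = NXDOMAIN, timeout or error)
resolve_a() {
    host -t A "$1" 2>/dev/null | awk '/has address/ { print $NF }'
}

# trust_of IP -> prints the highest trust octet seen, or nothing if unlisted.
# Anything unexpected (no answer, malformed answer, refused-query sentinel)
# counts as unlisted: a resolver outage or a lockout must never whitelist anyone.
trust_of() {
    name=$(dnswl_name "$1") || return 1
    best=""
    for a in $(resolve_a "$name"); do
        case $a in
            127.0.0.255)            # assumed "queries refused" sentinel: fail closed
                return 1 ;;
            127.0.*.*)
                t=${a##*.}
                case $t in ''|*[!0-9]*) continue ;; esac
                [ -z "$best" ] || [ "$t" -gt "$best" ] && best=$t ;;
        esac
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# is_whitelisted IP -> exit 0 when listed with trust >= MIN_TRUST
is_whitelisted() {
    t=$(trust_of "$1") || return 1
    [ "$t" -ge "$MIN_TRUST" ]
}

# build_table: candidate IPs on stdin, whitelisted ones on stdout as a pf
# table file (one address per line; '#' comments are allowed in table files)
build_table() {
    printf '# generated by the dnswl job, do not edit\n'
    while read -r ip; do
        if is_whitelisted "$ip"; then printf '%s\n' "$ip"; fi
    done
}

# A cron entry would do something like (paths are placeholders):
#   build_table < /etc/mail/dnswl-candidates > /etc/mail/nospamd.dnswl &&
#   pfctl -t nospamd -T replace -f /etc/mail/nospamd.dnswl
# The candidate list comes from whatever you already trust (spamdb WHITE
# entries, recent log lines); spamd is never in the lookup loop.
```

The job runs on its own schedule, so a slow or unreachable list only delays the next table refresh; it cannot stall a connection spamd is handling, which is the property the top reply is asking for. Every abnormal answer is treated as "not listed", so an attacker who can make the list misbehave gains nothing beyond the greylisting delay they would have had anyway.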
