[courier-users] Whitelist filtering
From: Alessandro V. <ve...@ta...> - 2010-09-27 12:01:41
Whitelist filtering may require a review of filter settings. For one thing, there is a chance to save some DNS lookups and SA filtering. In addition, global filters may need to take whitelisting info into account.

IME, rejections after spamhaus.org are permanently on top of my _SMTP errors by type_ report, overreaching SPF by one order of magnitude. Now, they suggest that

   If a sender is on the Spamhaus Whitelist it is pointless and a waste
   of resources to then check to see if the IP is on any Spamhaus
   blacklist such as Zen, because it can not be. If the IP is on a third
   party blacklist you would need to decide whether the third party
   blacklist is right or to give Spamhaus the benefit of the doubt. That
   decision comes down to you alone.
   http://www.spamhauswhitelist.com/en/techfaq.php

("They" is not the same as spamhaus.org; however, the DNS zones to look up are subdomains of spamhaus.org.)

Courier tcpd already has a complicated syntax for this. DNS lookups are defined by "-block" and set an environment variable. The variable's name can be the predefined "BLOCK", any name known by an rcptfilter, or it can be mentioned in a "-drop" switch. See DNS ACCESS LISTS
http://www.courier-mta.org/couriertcpd.html#id539502

I think we may additionally need two things:

1. A mechanism to skip performing some lookups in case some other ones already succeeded. Currently, only if a given variable is already set, the corresponding lookup is skipped.

2. A mechanism to pass (some of) these variables to global filters. (Values /from/ global filters can be set via header fields, but variable-passing can also be devised to work both ways.)

- . -

Spamhaus have announced their whitelist as the dawn of a new era. In fact, IPv4 is on the ropes and DNSBL technology cannot go to IPv6 as-is. (Let me quote just one phrase from John Levine, 26 Aug 2009:

   At one address per millisecond, it would take 500 million years to
   run through a /64.
   http://www.ietf.org/mail-archive/web/asrg/current/msg15743.html)

Domain names are not more manageable in size than that. Thus, IPv6 implies the end of blacklisting as we know it. Spamhaus has announced both an IPv4 whitelist and a domain name one, the SWL and DWL respectively. As the latter implies DKIM, I'll try and fit the relevant lookup within zdkimfilter.
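Added example, not part of the original post and not Courier code: a sketch of the lookup ordering requested in point 1, where a successful whitelist lookup suppresses the blacklist query. The zone names, the WHITE variable, the skip_if field and the sample answers are assumptions made up for the illustration; only BLOCK is a name taken from the post.

```python
import ipaddress
import socket

def dnsbl_name(ip, zone):
    """Query name for an IPv4 DNS list: reversed octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dns_resolve(name):
    """Live resolver: returned address, or None when the name is not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def run_lookups(ip, lookups, resolve=dns_resolve, env=None):
    """Run (zone, variable, skip_if) lookups in order.

    A lookup is skipped when its own variable is already set (the behaviour
    the post describes as current) or when any variable named in skip_if is
    set (the proposed addition; skip_if is a hypothetical name).
    Returns the resulting variables and the list of names actually queried.
    """
    env = dict(env or {})
    queried = []
    for zone, var, skip_if in lookups:
        if var in env or any(v in env for v in skip_if):
            continue
        name = dnsbl_name(ip, zone)
        queried.append(name)
        answer = resolve(name)
        if answer is not None:
            env[var] = answer  # storing the returned address is an assumption
    return env, queried

# Constructed sample data: placeholder zones and documentation-range addresses.
LOOKUPS = [
    ("whitelist.example", "WHITE", ()),          # WHITE is a hypothetical variable
    ("blacklist.example", "BLOCK", ("WHITE",)),  # skipped once WHITE is set
]
FAKE_DNS = {
    "10.2.0.192.whitelist.example": "127.0.2.1",
    "10.2.0.192.blacklist.example": "127.0.0.2",
    "20.2.0.192.blacklist.example": "127.0.0.2",
}

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20"):
        print(ip, run_lookups(ip, LOOKUPS, FAKE_DNS.get))
```

The first address is listed in both constructed zones, yet only the whitelist name is queried for it; the second is not whitelisted, so both queries run and BLOCK is set.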