[courier-users] Whitelist filtering

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Whitelist filtering may require a review of filters settings.  For one 
thing, there is a chance to save some DNS lookups and SA filtering. 
In addition, global filters may need to take whiteliting info into 
account.

IME, rejections after spamhaus.org are permanently on top of my _SMTP 
errors by type_ report, overreaching SPF by one order of magnitude. 
Now, they suggest that

   If a sender is on the Spamhaus Whitelist it is pointless and a
   waste of resources to then check to see if the IP is on any
   Spamhaus blacklist such as Zen, because it can not be. If the IP is
   on a third party blacklist you would need to decide whether the
   third party blacklist is right or to give Spamhaus the benefit of
   the doubt. That decision comes down to you alone.
                       http://www.spamhauswhitelist.com/en/techfaq.php

("They" is not the same as spamhaus.org; however, the DNS zones to 
look up are subdomains of spamhaus.org.)

Courier tcpd already has a complicated syntax for this.  DNS lookups 
are defined by "-block" and set an environment variable.  The 
variable's name can be the predefined "BLOCK", any name known by an 
rcptfilter, or it can be mentioned in a "-drop" switch.  See DNS 
ACCESS LISTS http://www.courier-mta.org/couriertcpd.html#id539502

I think we may additionally need two things:

1. A mechanism to skip performing some lookups in case some other ones 
already succeeded.  Currently, only if a given variable is already 
set, the corresponding lookup is skipped.

2. A mechanism to pass (some of) these variables to global filters. 
(Values /from/ global filters can be set via header fields, but 
variable-passing can also be devised to work both ways.)

                                 - . -

Spamhaus have announced their whitelist as the dawn of a new era.  In 
facts, the IPv4 is on the ropes and DNSBL technology cannot go to IPv6 
as-is. (Let me quote just one phrase from John Levine, 26 Aug 2009:

   At one address per millisecond, it would take 500 million years to
   run through a /64.
      http://www.ietf.org/mail-archive/web/asrg/current/msg15743.html)

Domain names are not more manageable in size than that.  Thus, IPv6 
implies the end of blacklisting as we know it. Spamhaus has announced 
both an IPv4 whitelist and a domain name one, the SWL and DWL 
respectively.  As the latter implies DKIM, I'll try and fit the 
relevant lookup within zdkimfilter.

-- 