From: Michel B. <mi...@bo...> - 2005-02-17 08:52:00
On Wednesday, 16 February 2005 at 16:15, Michel Bouissou wrote:
> > [...] a patch that adds to SQLgrey the choice of rejecting a
> > message immediately (with 450) or to delay rejection (defer_if_permit).
> >
> > The choices can be different for a "first time rejection" or an "early
> > reconnection".
> >
> > It seems to work plain good here, feedback welcome.

It proves very efficient from an overall MTA performance standpoint: it allows
me to organize my Postfix restrictions in the following order (partial
example):

- Local validation checks, such as:
  reject_non_fqdn_recipient,
  reject_multi_recipient_bounce,
  reject_non_fqdn_sender,
  etc.

- Local tables checks, such as:
  check_client_access hash:/etc/postfix/combined_blacklist,
  check_helo_access hash:/etc/postfix/combined_blacklist,
  check_sender_access hash:/etc/postfix/combined_blacklist,
  check_sender_access hash:/etc/postfix/sender_checks,

- # SQLgrey
  check_policy_service inet:127.0.0.1:2501,
  => With reject_first_attempt = immed
          reject_early_reconnect = delay

- "Slower" network checks, such as external DNSBL blacklists, SPF...
  reject_unknown_sender_domain,
  reject_rbl_client sbl.spamhaus.org,
  reject_rbl_client xbl.spamhaus.org,
  reject_rbl_client relays.ordb.org,
  reject_spf_invalid_sender,

- Sender existence callback check:
  reject_unverified_sender,

[...]

The fastest and least expensive checks being performed first, we try to reject
unwanted messages at the lowest "cost".

SQLgrey is called _before_ performing slow network checks, which by the way
saves load on external DNSBLs, which is nice for them.

SQLgrey is configured to reject first connection attempts immediately without
going further, so most viruses / non-retrying spams will be rejected there
without bothering to query blacklists or check sender existence.

In case of "early reconnections", we assume that if the same message came back
once, it is probable that it will come back again. So SQLgrey now rejects with
delayed rejection, which allows checking blacklists (and refusing the message
with a permanent 5xx code if the sending host is blacklisted), and performing
the sender existence callback check.

Now that we have this information (in the DNS cache and the Postfix address
verify DB), when the message comes back once more after the greylisting time
has expired, it can be quickly and efficiently accepted.

Comments ?

-- 
Michel Bouissou <mi...@bo...> OpenPGP ID 0xDDE8AC6E
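The two rejection flavours discussed in the post, as an added example that is not SQLgrey's own code nor the poster's: a minimal in-memory greylisting decision written in Python on top of the Postfix access policy delegation protocol (Postfix sends `name=value` lines ended by a blank line; the policy server answers `action=...` followed by a blank line). A first contact gets a hard `450`, so the later, costlier restrictions are never evaluated; an early reconnection gets `DEFER_IF_PERMIT`, so Postfix still runs the DNSBL and sender-verification restrictions and only defers if none of them rejects. Keying on the full `(client_address, sender, recipient)` triplet, the 300-second delay, the `Greylister` class name and all sample values are assumptions made for this example.

```python
"""Greylisting policy responder modelling reject_first_attempt / reject_early_reconnect.

Added example, not SQLgrey's or the poster's code. Triplet keying, the delay
value and the sample request below are constructed assumptions.
"""


def parse_policy_request(raw: str) -> dict:
    """Parse one Postfix policy request: name=value lines, blank line ends it."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break  # the empty line terminates the request
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def format_policy_response(action: str) -> str:
    """Wire form of a policy reply: one action line followed by an empty line."""
    return f"action={action}\n\n"


class Greylister:
    """In-memory greylist (assumed name). First contact is rejected; a retry
    after `delay` seconds passes. `first` and `early` select the rejection
    flavour for a first attempt and an early reconnection respectively:
    "immed" answers a hard 450, "delay" answers DEFER_IF_PERMIT."""

    def __init__(self, delay: int = 300, first: str = "immed", early: str = "delay"):
        self.delay = delay
        self.first = first
        self.early = early
        self.first_seen = {}  # triplet -> timestamp of the first contact

    @staticmethod
    def _rejection(mode: str, reason: str) -> str:
        text = f"4.7.1 Greylisted ({reason}), please try again later"
        if mode == "immed":
            return "450 " + text  # final answer: later restrictions are skipped
        return "DEFER_IF_PERMIT " + text  # later restrictions may still reject

    def decide(self, attrs: dict, now: float) -> str:
        triplet = (
            attrs.get("client_address", ""),
            attrs.get("sender", "").lower(),
            attrs.get("recipient", "").lower(),
        )
        seen = self.first_seen.get(triplet)
        if seen is None:
            self.first_seen[triplet] = now
            return self._rejection(self.first, "first attempt")
        if now - seen < self.delay:
            return self._rejection(self.early, "early reconnection")
        return "DUNNO"  # greylist period elapsed: let the remaining restrictions decide


# Constructed sample request, shaped like what check_policy_service sends.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sender=alice@example.org\n"
    "recipient=bob@example.com\n"
    "\n"
)


def run_scenario(delay: int = 300) -> list:
    """Replay the three contacts described in the post; returns the actions."""
    greylister = Greylister(delay=delay)
    req = parse_policy_request(SAMPLE_REQUEST)
    times = (1000, 1100, 1000 + delay + 100)  # first, early retry, retry after expiry
    return [greylister.decide(req, t) for t in times]


if __name__ == "__main__":
    for action in run_scenario():
        print(format_policy_response(action), end="")
```

With the defaults the three contacts yield `450 ...`, `DEFER_IF_PERMIT ...` and `DUNNO`, which is exactly the ordering effect the post relies on: the cheap SQLgrey check stops first attempts outright, while an early reconnection falls through to the DNSBL and `reject_unverified_sender` checks whose results are then cached for the final, accepted retry.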