From: John S. <ke...@gm...> - 2007-02-16 07:39:00
Hello there,

The problem I have was previously discussed here by Santos and Dave: https://sourceforge.net/mailarchive/message.php?msg_id=14790517. Unfortunately I didn't find the answer.

So, can someone please say how I can whitelist all the mails coming from my country?

The file clients_fqdn_whitelist.local has a single line:
*.ro

Note: since I created the clients_fqdn_whitelist.local file above, a lot of mails coming from .ro were whitelisted... but NOT all of them; there are still mails rejected and greylisted:

[root@nst log]# egrep "Feb 14.*licitatie" maillog
Feb 14 16:40:40 nst sqlgrey: grey: new: 194.102.45.168(194.102.45.168), co...@e-... -> axx...@tx...
Feb 14 16:40:40 nst postfix/smtpd[6389]: NOQUEUE: reject: RCPT from unknown[194.102.45.168]: 450 <unknown[194.102.45.168]>: Client host rejected: Greylisted for 3 minutes; from=<co...@e-...> to=<axx...@tx...> proto=ESMTP helo=<mail.seap.e-licitatie.ro>

Thank you in advance.
From: Michael S. <Mic...@lr...> - 2007-02-16 08:12:12
On Fri, 16 Feb 2007, John Smith wrote:

> Hello there,
>
> The problem I have was previously discussed here by Santos and Dave:
> https://sourceforge.net/mailarchive/message.php?msg_id=14790517.
> Unfortunately I didn't find the answer.
>
> So, can someone please say how I can whitelist all the mails coming
> from my country?
>
> The file clients_fqdn_whitelist.local has a single line:
> *.ro
>
> Note: since I created the clients_fqdn_whitelist.local file above, a lot
> of mails coming from .ro were whitelisted... but NOT all of them; there
> are still mails rejected and greylisted:
> [root@nst log]# egrep "Feb 14.*licitatie" maillog
> Feb 14 16:40:40 nst sqlgrey: grey: new: 194.102.45.168(194.102.45.168),
> co...@e-... -> axx...@tx...
> Feb 14 16:40:40 nst postfix/smtpd[6389]: NOQUEUE: reject: RCPT from
> unknown[194.102.45.168]: 450 <unknown[194.102.45.168]>: Client host
> rejected: Greylisted for 3 minutes; from=<co...@e-...>
> to=<axx...@tx...> proto=ESMTP helo=<mail.seap.e-licitatie.ro>
>
> Thank you in advance.

Hi John Smith,

*.ro only works for whitelisting if an IP address has a reverse mapping and the nameservers can be reached and answer in time. The 3 nameservers for 194.102.45.168 (dig +norec 45.102.194.in-addr.arpa.)

;; AUTHORITY SECTION:
45.102.194.in-addr.arpa. 11h42m21s IN NS ns.warpnet.ro.
45.102.194.in-addr.arpa. 11h42m21s IN NS ns1.usv.ro.
45.102.194.in-addr.arpa. 11h42m21s IN NS ns1.assist.ro.

do not answer queries at the moment:

dig +norecur -x 194.102.45.168 @ns1.usv.ro

; <<>> DiG 8.3 <<>> +norecur -x @ns1.usv.ro
; (1 server found)
;; res options: init defnam dnsrch
;; res_nsend to server ns1.usv.ro 80.96.120.1: Connection timed out

dig +norecur -x 194.102.45.168 @ns.warpnet.ro

; <<>> DiG 8.3 <<>> +norecur -x @ns.warpnet.ro
; (1 server found)
;; res options: init defnam dnsrch
;; res_nsend to server ns.warpnet.ro 217.156.25.1: Connection refused

dig +norecur -x 194.102.45.168 @ns1.assist.ro

; <<>> DiG 8.3 <<>> +norecur -x @ns1.assist.ro
; (1 server found)
;; res options: init defnam dnsrch
;; res_nsend to server ns1.assist.ro 194.102.130.1: Connection timed out

Therefore no reverse mapping exists and whitelisting does not work for such IP addresses.

Michael Storz
--
======================================================
Leibniz-Rechenzentrum     | <mailto:St...@lr...>
Boltzmannstr. 1           | Fax: +49 89 35831-9700
85748 Garching / Germany  | Tel: +49 89 35831-8840
======================================================
From: Dan F. <da...@ha...> - 2007-02-16 13:33:00
Michael Storz wrote:
> On Fri, 16 Feb 2007, John Smith wrote:
>
> *.ro only works for whitelisting if an ip address has a reverse mapping
> and the nameservers can be reached and answer in time.
>

Also, there is no guarantee that everyone from your country reverses to .ro. You might have a big ISP reversing to something like TeleRomania.com.

I use discrimination. Not for this exact problem, but I do filter based on TLDs from well-known spamming countries, especially from Asia. Also I filter everyone who does not have a reverse-DNS record. Many mailservers in the world simply reject mail from you if you do not have reverse DNS, so I reckon that greylisting them on my servers for not having that record is more than fair treatment.

It would be possible to make:

client_name !~ \.ro$

Basically the same result as with the whitelist; however, you would still benefit from other regexes to, e.g., catch DSL lines and such.

It can quickly get a bit more hairy than the whitelist. Imagine you wanted to pass both .ro and teleromania.com and still catch everything called dsl, proxy and such (just as an example):

client_name !~ (\.ro|teleromania\.com)$
client_name =~ (dsl|proxy|dialup)

But again, it all falls back to the DNS server actually answering.

Another thought would be to build in support for GeoIP lookups. However, that might be really, really heavy to do in high-traffic environments, but it should definitely be doable.

- Dan
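The two failure cases raised in this thread (no reverse mapping, and a PTR name outside .ro) can be triaged straight from the Postfix reject lines. The script below is an added example, not part of the original posts and not sqlgrey code: the log lines are constructed placeholders in the shape of the quoted line, the function names are hypothetical, and the matching rule (exact name, or `*.suffix`) is an assumption modelled on the `*.ro` entry.

```python
import re

# Constructed reject lines in the shape of the Postfix line quoted in the thread;
# IPs, hosts and addresses are placeholders, not values from the thread.
SAMPLE_LOG = [
    "Feb 14 16:40:40 mx postfix/smtpd[6389]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.168]: 450 <unknown[192.0.2.168]>: Client host rejected: "
    "Greylisted for 3 minutes; from=<a@example.ro> to=<b@example.org> "
    "proto=ESMTP helo=<mail.example.ro>",
    "Feb 14 16:41:02 mx postfix/smtpd[6390]: NOQUEUE: reject: RCPT from "
    "isp.example.com[198.51.100.7]: 450 <isp.example.com[198.51.100.7]>: "
    "Client host rejected: Greylisted for 3 minutes; from=<c@example.ro> "
    "to=<b@example.org> proto=ESMTP helo=<mx.example.ro>",
]

RCPT_RE = re.compile(r"RCPT from (?P<name>[^\[\s]+)\[(?P<ip>[^\]]+)\]:.*helo=<(?P<helo>[^>]*)>")

def fqdn_whitelisted(client_name, entries):
    """Assumed matching: 'host.tld' is exact, '*.tld' is a suffix match."""
    name = client_name.lower().rstrip(".")
    for entry in (e.strip().lower() for e in entries):
        if entry.startswith("*.") and name.endswith(entry[1:]):
            return True
        if entry and name == entry:
            return True
    return False

def diagnose(line, entries):
    """Explain why one greylist reject line did not hit the FQDN whitelist."""
    m = RCPT_RE.search(line)
    if m is None:
        return None
    name, ip, helo = m.group("name", "ip", "helo")
    if name == "unknown":
        # Postfix had no verified PTR name; the HELO string is not the client name.
        reason = "no-reverse-dns"
    elif fqdn_whitelisted(name, entries):
        reason = "matches-whitelist"
    else:
        # The PTR name exists but sits outside the whitelisted suffix.
        reason = "ptr-outside-whitelist"
    return {"ip": ip, "client_name": name, "helo": helo, "reason": reason}

def report(lines, entries=("*.ro",)):
    return [d for d in (diagnose(line, entries) for line in lines) if d]

if __name__ == "__main__":
    print(*report(SAMPLE_LOG), sep="\n")
```

Both constructed clients announce a .ro name in HELO, yet neither matches `*.ro`, because the comparison is against the reverse-resolved client name.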