
Re: [feature request] Subzero postscreen/dnsblog score to bypass after-220 tests? (message 292540)

  • /dev/rob0
    Apr 12, 2013
      On Fri, Apr 12, 2013 at 04:39:29AM -0500, Stan Hoeppner wrote:
      Re: scripting a list of Google outbound CIDRs:
      > This seems quite a bit less effort than Wietse adding the feature
      > you requested. The end result is nearly identical, at least for
      > the Google case, and can easily be extended to cover other domains.

      I did think of this, and yes, it would save us the pain which seems
      to hit every 30 days, as the after-220 tests for gmail expire. But
      extending it to cover other domains would not scale well. Which
      domains? What's the structure of their SPF records?

      When you "easily extend" this idea it becomes much more onerous. And
      still sitting out there are those unused DNSWL scores.

      Yes, unused. As it stands I could drop those checks from my config
      without noticing a change. There is very little overlap between the
      DNSWLs (I currently use SWL and dnswl.org) and reasonable, well-run
      DNSBLs. In my experience a few of the spamtrap-driven automated
      DNSBLs occasionally list a dnswl.org whitelisted host, but I don't
      recall having seen an instance where whitelisting prevented a
      rejection. And I have never found a blacklist entry for the (much
      smaller, I think) SWL zone.

      A DNSWL entry says two things:
      1. This is a real MTA, not a zombie
      2. At one point someone trustworthy thought it was not

      Case 1 mostly entitles it to speak to smtpd, unless of course
      offsetting DNSBL scores overcome the whitelist score. By continuing
      on to check DNSBLs, Case 2 is addressed.

      I believe that DNS-based whitelisting will grow in importance,
      especially in the IPv6 world. I expect to move into IPv6 with a
      default-deny policy, where non-whitelisted hosts are rejected.

      > And with this method the Google outbounds skip all Postscreen
      > processing entirely, not just the after 220 tests.

      I wouldn't want that. :) If one of these providers is seriously
      compromised, they'll be blacklisted, and I would want to check for
      that. I don't give Google my absolute trust. I think they may have
      improved, but I know they're not infallible.
      http://rob0.nodns4.us/ -- system administration and consulting
      Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: