
292781 Re: [feature request] Subzero postscreen/dnsblog score to bypass after-220 tests?

  • Wietse Venema
    Apr 23 5:05 PM
      On Fri, Apr 12, 2013 at 06:34:24AM -0400, Wietse Venema wrote:
      > /dev/rob0:
      > > I finally got around to my upgrade to 2.11-20130405 and was watching
      > > logs. A gmail message fell afoul of the after-220 tests; each time it
      > > came from a different host. Each one got a "PASS NEW" and of course
      > > the "450 4.3.2 Service currently unavailable" rejection.
      > >
      > > These gmail outbounds are all listed in list.dnswl.org as 127.0.5.1,
      > > and I give that a negative score in my postscreen_dnsbl_sites. So
      > > with no offsetting DNSBL scores, these hosts all got a subzero score.
      > > It would be nice if we could put those whitelist scores to work, and
      > > not have to maintain so big of a postscreen_access_list whitelist.
      >
      > Disabling tests based on DNSWL score would make sense (currently
      > they "disable" DNSBL tests only). Perhaps this needs a "disable"
      > flag in the postscreen cache.

      On second consideration, this can be done as follows:

      - One parameter with the (negative) postscreen_dnsbl_sites score
      that is needed to allow the client to skip tests.

      - One parameter with the names of tests that are skipped (using
      !name to exclude a name, and static:all to match everything).
      This may include "greet" to cancel a "greet wait" in progress.

      The procedure is: postscreen does a postscreen_dnsbl_sites query
      for the client IP address. If the score satisfies the threshold in
      the first parameter, then all tests with a name that matches the
      second parameter will be skipped until the next postscreen_dnsbl_sites
      query for that client IP address (i.e. after postscreen_dnsbl_ttl).

      Wietse
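
The procedure proposed in the message above, modelled as an added example (not code from the message or from Postfix). The parameter names, weights, the test names other than "greet", the "score at or below the threshold" comparison and the left-to-right first-match rule are assumptions made for illustration.

```python
import time

# Hypothetical stand-ins for the two proposed parameters (not real Postfix settings).
SKIP_THRESHOLD = -2                         # combined score <= this allows skipping
SKIP_TESTS = ["!pipelining", "static:all"]  # skip every test except "pipelining"
DNSBL_TTL = 3600                            # stands in for postscreen_dnsbl_ttl (seconds)

# Constructed weights in the spirit of postscreen_dnsbl_sites.
SITE_WEIGHTS = {"list.dnswl.org": -5, "bl.example.test": 4}

def combined_score(listed_sites):
    """Sum the weights of every list that returned a hit for the client."""
    return sum(SITE_WEIGHTS.get(site, 0) for site in listed_sites)

def name_matches(test, patterns):
    """Assumed rule: left to right, first match wins; '!name' excludes."""
    for pattern in patterns:
        if pattern == "static:all":
            return True
        if pattern.startswith("!"):
            if pattern[1:] == test:
                return False
        elif pattern == test:
            return True
    return False

class SkipCache:
    """Remembers the skip decision per client until the DNSBL TTL expires."""
    def __init__(self, lookup, clock=time.time):
        self.lookup, self.clock, self.entries = lookup, clock, {}

    def skipped_tests(self, client_ip, all_tests):
        now = self.clock()
        entry = self.entries.get(client_ip)
        if entry is None or now >= entry[0]:
            # Cache miss or expired: redo the DNSBL/DNSWL query and re-decide.
            skip = combined_score(self.lookup(client_ip)) <= SKIP_THRESHOLD
            entry = (now + DNSBL_TTL, skip)
            self.entries[client_ip] = entry
        if not entry[1]:
            return set()
        return {t for t in all_tests if name_matches(t, SKIP_TESTS)}
```

A client listed on both a whitelist and a blocklist only skips tests if the offsetting scores still reach the threshold, and a client that drops off the whitelist keeps its exemption until the cached result expires.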