
RE: selective greylisting?

  • Julian Pawlowski (lists)
    Message 1 of 38 , Nov 1, 2006
      Hello Folkert,

      Folkert van Heusden wrote:
      > Would it be possible to do selective greylisting triggered by
      > an rbl-list?

      Yes. Either use the function included with sqlgrey, or, if you want Postfix to handle it, have a look at check_client_access (if you want it per SMTP client host), check_recipient_access (if you want it per recipient) and check_sender_access (if you want it per sender).

      http://www.postfix.org/postconf.5.html#check_client_access
      http://www.postfix.org/postconf.5.html#check_sender_access
      http://www.postfix.org/postconf.5.html#check_recipient_access

      I use the following:

      smtpd_recipient_restrictions =
      ...
      check_client_access mysql:$config_directory/maps/client_access.mysql
      check_client_access pcre:/etc/postfix/rules/dialups.pcre
      ...
      check_recipient_access mysql:$config_directory/maps/recipient_greylist.mysql
      permit

      Additionally you have to define a new restriction class:

      smtpd_restriction_classes = check_greylist
      check_greylist = check_policy_service inet:127.0.0.1:2501

      After that you can define the corresponding entries in your lookup tables for check_*_access and forward them to check_greylist as the destination.

      My dialups.pcre includes the following:

      ----------------------------
      # well-known names do not need to be greylisted (one line!)
      /^(.+[._-])*(apache|bounce|bulk|delay|d?ns|external|extranet|filter|firewall|forward|gateway|gw|m?liste?s?|(bulk|dead|mass|send|[eqw])?mail(er)?|e?mail(agent|host|hub|scan(ner)?)|messagerie|mta|v?mx|out(bound)?|pop|postfix|w?proxy|rela(is|y)|serveu?r|smarthost|vsmtp|web|www)(gate|mail|mx|pool|out|server)?[0-9]*[._-]/ DUNNO

      # everything with 4 or more dots/hyphens in the hostname
      /(\-.+){4}$/ check_greylist
      /(\..+){4}$/ check_greylist

      # every host with no reverse DNS
      /unknown/ check_greylist

      # greylist hosts with potential dynamic IP character in reverse DNS
      # stolen from http://sqlgrey.bouton.name/dyn_fqdn.regexp (one line!)
      /(^|[0-9.x_-])(abo|br(e|oa)dband|cabel|(hk)?cablep?|catv|cbl|cidr|d?client2?|cust(omer)?s?|dhcp|dial?(in|up)?|d[iu]p|[asx]?dsld?|dyn(a(dsl|mic)?)?|home|in-addr|modem(cable)?|(di)?pool|pppool|ppp|ptr|rev|static|user|YahooBB[0-9]{12}|c[[:alnum:]]{6,}(\.[a-z]{3})?\.virtua|[1-9]Cust[0-9]+|AC[A-Z][0-9A-F]{5}\.ipt|pcp[0-9]{6,}pcs|S0106[[:alnum:]]{12,}\.[a-z]{2})[0-9.x_-]/ check_greylist
      ----------------------------

      Greetz,
      Julian
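As an added illustration (not part of Julian's post or of sqlgrey/Postfix), the script below evaluates a copy of the dialups.pcre rules above the way a Postfix pcre: table lookup does: rules are tried in file order, the first match wins, patterns are unanchored searches unless they carry ^ or $, and matching is case-insensitive by default per pcre_table(5). The table text is copied from the post; the sample client hostnames and the evaluator itself are constructed for this example, and the [[:alnum:]] classes are translated because Python's re module lacks POSIX bracket classes.

```python
import re

# Copy of the dialups.pcre table from the post above, embedded so the example
# runs offline. The rules are the post's; the evaluator around them is not.
DIALUPS_PCRE = r"""
# well-known names do not need to be greylisted
/^(.+[._-])*(apache|bounce|bulk|delay|d?ns|external|extranet|filter|firewall|forward|gateway|gw|m?liste?s?|(bulk|dead|mass|send|[eqw])?mail(er)?|e?mail(agent|host|hub|scan(ner)?)|messagerie|mta|v?mx|out(bound)?|pop|postfix|w?proxy|rela(is|y)|serveu?r|smarthost|vsmtp|web|www)(gate|mail|mx|pool|out|server)?[0-9]*[._-]/ DUNNO

# everything with 4 or more dots/hyphens in the hostname
/(\-.+){4}$/ check_greylist
/(\..+){4}$/ check_greylist

# every host with no reverse DNS
/unknown/ check_greylist

# greylist hosts with potential dynamic IP character in reverse DNS
/(^|[0-9.x_-])(abo|br(e|oa)dband|cabel|(hk)?cablep?|catv|cbl|cidr|d?client2?|cust(omer)?s?|dhcp|dial?(in|up)?|d[iu]p|[asx]?dsld?|dyn(a(dsl|mic)?)?|home|in-addr|modem(cable)?|(di)?pool|pppool|ppp|ptr|rev|static|user|YahooBB[0-9]{12}|c[[:alnum:]]{6,}(\.[a-z]{3})?\.virtua|[1-9]Cust[0-9]+|AC[A-Z][0-9A-F]{5}\.ipt|pcp[0-9]{6,}pcs|S0106[[:alnum:]]{12,}\.[a-z]{2})[0-9.x_-]/ check_greylist
"""

# A Postfix pcre table line is "/pattern/flags result"; "#" starts a comment.
RULE_RE = re.compile(r"^/(?P<pat>.*)/(?P<flags>[a-zA-Z]*)\s+(?P<result>\S+)$")

# Python's re has no POSIX bracket classes; translate the ones the table uses.
POSIX_CLASSES = {"[:alnum:]": "a-zA-Z0-9", "[:alpha:]": "a-zA-Z", "[:digit:]": "0-9"}


def parse_pcre_table(text):
    """Return [(compiled_regex, result), ...] in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a '/pattern/ result' rule: {raw!r}")
        pattern = m.group("pat")
        for posix, py in POSIX_CLASSES.items():
            pattern = pattern.replace(posix, py)
        # pcre_table(5): case-insensitive by default; the 'i' flag toggles it off,
        # the 'x' flag toggles extended (whitespace-insensitive) syntax on.
        flags = 0 if "i" in m.group("flags") else re.IGNORECASE
        if "x" in m.group("flags"):
            flags |= re.VERBOSE
        rules.append((re.compile(pattern, flags), m.group("result")))
    return rules


def lookup(rules, client_name):
    """First matching rule wins, like 'postmap -q'; None means no rule matched."""
    for regex, result in rules:
        if regex.search(client_name):
            return result
    return None


# Constructed sample client hostnames, i.e. the reverse DNS names Postfix
# would feed to check_client_access.
SAMPLE_CLIENTS = [
    "mail3.example.org",             # well-known MTA-style name -> DUNNO
    "smtp-out.example.com",          # same rule, hyphenated prefix -> DUNNO
    "unknown",                       # what Postfix uses when there is no PTR
    "dsl-189-23-45-67.example.net",  # four hyphens: address-like reverse DNS
    "ppp12.isp.example",             # dynamic-IP vocabulary from the last rule
    "host.example.com",              # nothing matches: next restriction decides
]


def classify_all(table_text=DIALUPS_PCRE, clients=SAMPLE_CLIENTS):
    """Map each client name to the table result (or None on no match)."""
    rules = parse_pcre_table(table_text)
    return {name: lookup(rules, name) for name in clients}


if __name__ == "__main__":
    for name, action in classify_all().items():
        print(f"{name:32} -> {action or '(no match, next restriction)'}")
```

A None result is the interesting case for the configuration above: a client that matches nothing in dialups.pcre is neither greylisted nor whitelisted by that map, so Postfix continues with the remaining smtpd_recipient_restrictions, which is why the post's list ends with the recipient map and an explicit permit.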
    • Mark Martinec
      Message 38 of 38 , Nov 10, 2006
        mouss,
        > Cami's policyd is "asynchronous", so needs an asynchronous resolver.
        > There aren't much async resolver implementations out there, and the
        > available ones haven't been used enough. also, people are used to their
        > system resolver (integration with nsswitch and the like)...

        Not sure what you are trying to say here.

        p0f has nothing to do with DNS, it just passively examines packets
        of normal SMTP sessions, just like tcpdump, trying to guess what
        type of network stack is running on remote side.

        Mark