RBL whitelist?
in [Postfix]
|
From: Victor Duchovni on 15 Mar 2010 18:00 On Mon, Mar 15, 2010 at 10:57:11PM +0100, Erik Logtenberg wrote: > However in the case where the whitelist is (completely) unavailable for > some period of time, I still think that my suggestion applies, don't you > agree? No. It is assumed that you use a sufficiently reliable DNSWL. Ideally a local mirror, and if it becomes unavailable you use appropriate administrative intervention. -- Viktor. P.S. Morgan Stanley is looking for a New York City based, Senior Unix system/email administrator to architect and sustain our perimeter email environment. If you are interested, please drop me a note.
From: Erik Logtenberg on 15 Mar 2010 18:15 >> However in the case where the whitelist is (completely) unavailable for >> some period of time, I still think that my suggestion applies, don't you >> agree? > > No. It is assumed that you use a sufficiently reliable DNSWL. Ideally > a local mirror, and if it becomes unavailable you use appropriate > administrative intervention. Lol... My statement is: "A implies B" and you respond with: No, because: "not A" Logically, even if "not A" is the case, then still you haven't denied the given implication. In fact in the strictest sense you even affirmed it, because "not A" implies "A implies B", since false implies everything.
From: Stan Hoeppner on 15 Mar 2010 18:48 Erik Logtenberg put forth on 3/15/2010 11:16 AM: > Hi, > > Is there a possibility to use a DNS-based RBL whitelist in Postfix? In > The Netherlands we have an NL-Whitelist, which contains the IP's of all > major ISP's. By using this whitelist one can make sure that accidental > automatic blacklisting won't disrupt regular email traffic. > > I had something like a permit_rbl_client directive in mind, that could > be placed in smtpd_recipient_restrictions, right before the > reject_rbl_client lines. Apparently there is no permit_rbl_client at > this moment, is there any other way to achieve this? DNS white lists are usually very, very small, relatively, compared to DNS black lists. This is why most DNS based white list providers enable zone transfers, in turn enabling customers to download the entire white list, which is then queried locally. Once it's local the tempfail issue is non existent. This is why nearly all DNS white list implementations are handled this way. It increases reliability fundamentally. DNS whitelists need to be fundamentally more reliable than DNS blacklists. How many records are in the DNSWL you mention? 200? 2000? There are a few million records in the Spamhaus and SORBS lists. If they tempfail, mail still comes through, although other A/S measures get a whack at it. If a DNSWL tempfails, you have more than a desired level of complexity to deal with this situation properly. Thus, it is optimal to deal with a local copy of the whitelist. What is preventing you from grabbing a copy of this .nl whitelist and querying against it locally either as a map file or via an RBLDNSD setup? -- Stan
From: Wietse Venema on 15 Mar 2010 18:49 Erik Logtenberg: > > >> However in the case where the whitelist is (completely) unavailable for > >> some period of time, I still think that my suggestion applies, don't you > >> agree? > > > > No. It is assumed that you use a sufficiently reliable DNSWL. Ideally > > a local mirror, and if it becomes unavailable you use appropriate > > administrative intervention. > > Lol... > > My statement is: > "A implies B" > > and you respond with: No, because: > "not A" > > Logically, even if "not A" is the case, then still you haven't denied > the given implication. In fact in the strictest sense you even affirmed > it, because "not A" implies "A implies B", since false implies everything. It is a mistake to REJECT mail because a DNS whitelist server is down. Instead, the safe action is DEFER_IF_PERMIT. Wietse
From: Erik Logtenberg on 15 Mar 2010 19:26
On 03/15/2010 11:48 PM, Stan Hoeppner wrote: > Erik Logtenberg put forth on 3/15/2010 11:16 AM: >> Hi, >> >> Is there a possibility to use a DNS-based RBL whitelist in Postfix? In >> The Netherlands we have an NL-Whitelist, which contains the IP's of all >> major ISP's. By using this whitelist one can make sure that accidental >> automatic blacklisting won't disrupt regular email traffic. >> >> I had something like a permit_rbl_client directive in mind, that could >> be placed in smtpd_recipient_restrictions, right before the >> reject_rbl_client lines. Apparently there is no permit_rbl_client at >> this moment, is there any other way to achieve this? > > DNS white lists are usually very, very small, relatively, compared to DNS > black lists. This is why most DNS based white list providers enable zone > transfers, in turn enabling customers to download the entire white list, > which is then queried locally. Once it's local the tempfail issue is non > existent. This is why nearly all DNS white list implementations are handled > this way. It increases reliability fundamentally. DNS whitelists need to > be fundamentally more reliable than DNS blacklists. > > How many records are in the DNSWL you mention? 200? 2000? There are a few > million records in the Spamhaus and SORBS lists. If they tempfail, mail > still comes through, although other A/S measures get a whack at it. If a > DNSWL tempfails, you have more than a desired level of complexity to deal > with this situation properly. Thus, it is optimal to deal with a local copy > of the whitelist. > > What is preventing you from grabbing a copy of this .nl whitelist and > querying against it locally either as a map file or via an RBLDNSD setup? This whitelist is 1409 records long, so indeed as you say very small. I suppose I could download it and host it locally. Apparently AXFR is not allowed, but plain text HTTP download is, so that's good enough. Then I would only need an efficient and robust way for postfix to use it. |