From: Wietse Venema on
Wietse Venema:
> Erik Logtenberg:
> >
> > >> However in the case where the whitelist is (completely) unavailable for
> > >> some period of time, I still think that my suggestion applies, don't you
> > >> agree?
> > >
> > > No. It is assumed that you use a sufficiently reliable DNSWL. Ideally
> > > a local mirror, and if it becomes unavailable you use appropriate
> > > administrative intervention.
> >
> > Lol...
> >
> > My statement is:
> > "A implies B"
> >
> > and you respond with: No, because:
> > "not A"
> >
> > Logically, even if "not A" is the case, then still you haven't denied
> > the given implication. In fact in the strictest sense you even affirmed
> > it, because "not A" implies "A implies B", since false implies everything.
>
> It is a mistake to REJECT mail because a DNS whitelist server is down.
> Instead, the safe action is DEFER_IF_PERMIT.

Argh. DEFER_IF_REJECT (we must not reject this mail because we don't know
if it should have been whitelisted).

Wietse

From: Noel Jones on
On 3/15/2010 6:26 PM, Erik Logtenberg wrote:

> This whitelist is 1409 records long, so indeed as you say very small. I
> suppose I could download it and host it locally. Apparently AXFR is not
> allowed, but plain text HTTP download is, so that's good enough.
> Then I would only need an efficient and robust way for postfix to use it.

If they let you download a list of IPs, just use your favorite
sed/awk/perl to change it into an access table.

-- Noel Jones

From: Stefan Foerster on
* Wietse Venema <wietse(a)porcupine.org>:
> Erik Logtenberg:
> > Wietse, is there a reason why you would not want a permit_rbl_client
> > feature in postfix? If not, then I would like to hereby suggest this
> > feature request.
> > If you would approve the feature request but don't have the time and/or
> > other incentive to implement it, I'd gladly try to submit a patch.
>
> I understand what needs to happen when the DNS server replies that
> the client is or is not listed, though I don't know if there is
> any convention for positive whitelist replies.
>
> What is supposed to happen in the absence of a valid DNS reply?
> Is there a difference between SERVAIL, timeout, and so on?
> I don't want to be swamped with bug reports that "postfix
> has buggy access control".

Unfortunately, RFC 5782 isn't helpful for answering those questions.


Stefan

From: "Jan P. Kessler" on

>> This whitelist is 1409 records long, so indeed as you say very small. I
>> suppose I could download it and host it locally. Apparently AXFR is not
>> allowed, but plain text HTTP download is, so that's good enough.
>> Then I would only need an efficient and robust way for postfix to use
>> it.
>
> If they let you download a list of IPs, just use your favorite
> sed/awk/perl to change it into an access table.

The question is: Will this be really more reliable than using a policy
service that simply queries dns for this task?

From: Erik Logtenberg on
>>> This whitelist is 1409 records long, so indeed as you say very small. I
>>> suppose I could download it and host it locally. Apparently AXFR is not
>>> allowed, but plain text HTTP download is, so that's good enough.
>>> Then I would only need an efficient and robust way for postfix to use
>>> it.
>>
>> If they let you download a list of IPs, just use your favorite
>> sed/awk/perl to change it into an access table.
>
> The question is: Will this be really more reliable than using a policy
> service that simply queries dns for this task?

By the way, in the mean time I followed the advice given by Stan
Hoeppner and Noel Jones and made a daily cronjob which wget's the
blacklist, puts some OK's in there and then postmaps the list to a hash
map, which is then used with a check_client_access rule in
smtpd_recipient_restrictions.

This works okay, and fairly reliable, because I added a couple of sanity
checks before actually switching over to the new whitelist. If some
sanity check fails (for instance the number of IP's is outside a sane
range or if postmap chockes on it), then the cronjob will just keep the
current whitelist in place.