Re: whitelisting X DSL (dynamic IP)s
Hi,

Thanks for the tip on using submission, SSL or TLS ports. That solves many of my problems.

But I still think that dynamically allocated IPs should be treated somehow differently by the SPAMD greylisting process. My point is that if a remote SMTP server goes through the greylisting process and ends up getting its IP address whitelisted, that should not be inherited by the next owner of that IP address.

I know it may be difficult (if not impossible) to identify whether an IP address is part of an address pool of some DSL or cable provider (maybe there is a list kept somewhere in the world of such ranges). I know for sure one of these ranges here in Brazil. And I see a hell of a lot of spam passing through SPAMD, just because some of these IP addresses got whitelisted by an earlier well-behaved temporary owner.

So I would like to know if someone has come up with an interesting idea on dealing with this issue.

Best regards,
Jose
Re: whitelisting X DSL (dynamic IP)s
On Fri, Oct 17, 2008 at 08:25:40AM -0300, Jose Fragoso wrote:
> Hi,
>
> Thanks for the tip on using submission, SSL or TLS ports. That solves many of my problems.
>
> But I still think that dynamically allocated IPs should be treated somehow differently by the SPAMD greylisting process. My point is that if a remote SMTP server goes through the greylisting process and ends up getting its IP address whitelisted, that should not be inherited by the next owner of that IP address.
>
> I know it may be difficult (if not impossible) to identify whether an IP address is part of an address pool of some DSL or cable provider (maybe there is a list kept somewhere in the world of such ranges). I know for sure one of these ranges here in Brazil. And I see a hell of a lot of spam passing through SPAMD, just because some of these IP addresses got whitelisted by an earlier well-behaved temporary owner.
>
> So I would like to know if someone has come up with an interesting idea on dealing with this issue.

This, alas, I'd say violates the basic assumptions for greytrapping. A bit.

Most of the time, at least here in Sweden, you get the same IP address every time. It is only when the ISP has to that it gives you a new one. And shortening the invalidation time for greytrapped addresses would essentially force the SMTP clients to pass greytrapping every time.

My ISP does not allow outgoing SMTP from clients, so I have to use their mail hub. That is also a solution, especially when combined with SPF (Server Policy Framework), provided MTAs use it. But it is not a solution at your end; it is a would-be global solution.

Maybe pf OS fingerprinting can pinpoint XP and Vista machines and tarpit mail from them. Or are there serious SMTP clients on those platforms?

> Best regards,
> Jose

--
/ Raimo Niskanen, Erlang/OTP, Ericsson AB
whitelisting X DSL (dynamic IP)s
Hi,

I am planning to set up a network with an OpenBSD/SPAMD firewall, and an internal POSTFIX server with SASL SMTP AUTH.

While thinking about it, I realized that I have a problem here. Whenever a mobile user wants to send mail (relaying) through the POSTFIX server, he will have to go through the greylist process. I can tell my users to try at least 3 times (in a period of 30 minutes) to send email messages every time they change IP address. But then, I will end up with a bunch of whitelisted dynamically allocated IPs by various ISPs.

So my question is: what is the best way to deal with this kind of situation? Should I reduce the value of whiteexp? Has anybody thought of a way of cleaning such road-warrior addresses on a daily basis? To be fair, these addresses should not stay in the whitelist for long, since they change hands quite often!!

Any comments, suggestions, links would be appreciated.

Best regards,
Jose
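One way to do the daily cleanup asked about in this thread, as an added example that is not part of any message here: filter `spamdb` output for WHITE records whose source address lies in a known dynamic-pool range, so that only those are deleted. It assumes you already know the ranges; the CIDR blocks and sample records below are constructed from documentation prefixes, and `dynamic_whites` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: pick WHITE entries inside dynamic-pool ranges out of
# spamdb(8) output. A WHITE record carries the source IP in field 2.

# dynamic_whites CIDR... : reads spamdb output on stdin, prints matching IPs.
dynamic_whites() {
    awk -F'|' -v cidrs="$*" '
    function ip2n(ip,    o) {        # dotted quad -> number, -1 if not IPv4
        if (split(ip, o, ".") != 4) return -1
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN {
        n = split(cidrs, c, " ")
        for (i = 1; i <= n; i++) {
            # A bare address with no prefix length is treated as a /32,
            # so a typo can never turn into "match everything".
            if (split(c[i], p, "/") < 2) p[2] = 32
            size[i] = 2 ^ (32 - p[2])            # addresses in the block
            b = ip2n(p[1])
            base[i] = (b < 0) ? -1 : int(b / size[i])
        }
    }
    $1 == "WHITE" {                  # GREY, TRAPPED, SPAMTRAP are left alone
        a = ip2n($2)
        if (a < 0) next
        for (i = 1; i <= n; i++)
            if (int(a / size[i]) == base[i]) { print $2; break }
    }'
}

# Constructed sample in spamdb output layout (not real addresses).
SAMPLE='WHITE|203.0.113.45|||1224240000|1224241800|1227351800|3|1
WHITE|198.51.100.7|||1224240000|1224241800|1227351800|2|5
GREY|203.0.113.99|<user@example.net>|<jose@example.org>|1224240000|1224254400|1224254400|1|0
WHITE|203.0.114.1|||1224240000|1224241800|1227351800|1|1
TRAPPED|203.0.113.200|1224326400'

printf '%s\n' "$SAMPLE" | dynamic_whites 203.0.113.0/24

# From cron on the spamd host, with your own ranges:
#   spamdb | dynamic_whites 203.0.113.0/24 | xargs -r spamdb -d
```

Entries removed this way simply go through greylisting again on their next delivery attempt, which is the behaviour wanted for an address that may have changed hands.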
Re: whitelisting X DSL (dynamic IP)s
On Oct 16, 2008, at 1:59 PM, Jose Fragoso wrote:
> So my question is: what is the best way to deal with this kind of situation? Should I reduce the value of whiteexp? Has anybody thought of a way of cleaning such road-warrior addresses on a daily basis? To be fair, these addresses should not stay in the whitelist for long, since they change hands quite often!!

Use SMTP-AUTH on an alternate port, say submission (port 587), and require SASL on top of that. There are literally hundreds of howtos and docs on doing this with Sendmail and Postfix. It should solve all your issues with greylisting on port 25.
Re: whitelisting X DSL (dynamic IP)s
Jose Fragoso wrote:
> Hi,
>
> I am planning to set up a network with an OpenBSD/SPAMD firewall, and an internal POSTFIX server with SASL SMTP AUTH.
>
> While thinking about it, I realized that I have a problem here. Whenever a mobile user wants to send mail (relaying) through the POSTFIX server, he will have to go through the greylist process. I can tell my users to try at least 3 times (in a period of 30 minutes) to send email messages every time they change IP address. But then, I will end up with a bunch of whitelisted dynamically allocated IPs by various ISPs.
>
> So my question is: what is the best way to deal with this kind of situation? Should I reduce the value of whiteexp? Has anybody thought of a way of cleaning such road-warrior addresses on a daily basis? To be fair, these addresses should not stay in the whitelist for long, since they change hands quite often!!
>
> Any comments, suggestions, links would be appreciated.
>
> Best regards,
> Jose

I do this with qmail. You need another smtp server listening on another port for relaying mail. 587 is the smtp submission port, 465 is the SSL-wrapped port. Once your relay users authenticate, you can relay out and skip talking to your own port 25 smtp daemon.

I run TLS on port 587, and SSL on 465.

Jeff