Wietse Venema put forth on 8/23/2010 10:11 AM:
> Noel Jones:
> (Might be time to revisit DNS whitelists in
>> postfix.)
>
> Maybe someone can draft a strawman user interface:
>
> - what is the configuration syntax
>
> - what does that syntax mean
>
> - how to make it safe ( we don't want "open relay" problems)
>
> I'm currently doing this for postscreen, and won't have time for
> other Postfix features.
accept_dnswl_client (default: 0)
0 - accept all messages
1 - accept messages with trust level 1-3
2 - accept messages with trust level 2-3
3 - accept messages with trust level 3
Trust level is a numerical 0-3 value returned as the last octet of the
127.0.x.x address, see below. The third octet is more informational
than actionable, and IMO would simply add unnecessary complexity if used
to determine deliverability. Decisions should be based solely on the
last octet data, the "trust" level.
I assume postscreen processes or passes this data to smtpd in a way that
smtpd will automatically bypass all checks normally performed during the
CONNECT phase.
Below is how dnswl.org does dns based whitelisting. Other dns whitelist
operators may use a different standard, or no standard--I've not
investigated the few others at this point. AFAIK dnswl.org is the most
popular, and was the original dns whitelist operator.
=======================================================================
How to query DNSWL
The query must always go to the zone "list.dnswl.org" in standard DNSBL
format, ie with a reversed dotted quad IP address. To query whether the
IP address "1.2.3.4" is listed, the query would thus be
4.3.2.1.list.dnswl.org
The list contains the standard test entry of 127.0.0.2, which you can
also test manually
matthias:~ > host 2.0.0.127.list.dnswl.org
2.0.0.127.list.dnswl.org has address 127.0.10.0
Return codes
The return codes are structured as 127.0.x.y, with "x" indicating the
category of an entry and "y" indicating how trustworthy an entry has
been judged.
Categories (127.0.X.y):
* 2 - Financial services
* 3 - Email Service Providers
* 4 - Organisations (both for-profit [ie companies] and non-profit)
* 5 - Service/network providers
* 6 - Personal/private servers
* 7 - Travel/leisure industry
* 8 - Public sector/governments
* 9 - Media and Tech companies
* 10 - some special cases
* 11 - Education, academic
* 12 - Healthcare
* 13 - Manufacturing/Industrial
* 14 - Retail/Wholesale/Services
* 15 - Email Marketing Providers
Trustworthiness / Score (127.0.x.Y):
* 0 = none - only avoid outright blocking (eg Hotmail, Yahoo
mailservers, -0.1)
* 1 = low - reduce chance of false positives (-1.0)
* 2 = medium - make sure to avoid false positives but allow override
for clear cases (-10.0)
* 3 = high - avoid override (-100.0).
The scores in parantheses are typical SpamAssassin scores
--
Stan
