On 8/25/2010 4:54 PM, Noel Jones wrote:
On 8/25/2010 4:27 PM, Wietse Venema wrote:
Noel Jones:
Do we want to allow mixing DNSWLs and DNSBLs in one list?

I see them as being the same thing; just different weights.
Default to blacklist weight of 1; the user must specify a
negative weight for a whitelist.

I've changed my mind on this. While it might make sense to combine dnsbl & dnswl in one list, the problem comes up if we ever implement rhsXl because the hostname requirements are different. With an rhsbl, you want the unverified reverse name; with an rhswl, you need the FCrDNS standard Postfix hostname.

Separating the lists also allows us to use whitelist and blacklist default weight values, reducing configuration burden.

Matthias Leisi wrote:
What about wildcarding? dnswl.org currently returns 127.0.n.[0-3],
with "n" being numerical for the category (eg banks etc). People may
want to have something like "whitelist on 127.0.*.2 and 127.0.*.3".


This looks like a useful concept. If we use "*" as an octet wildcard, we'll need to use something else as the weight modifier. dnsbl_site=127.0.*.3w1 seems reasonable.


So, the modified proposal for postscreen would be:

- postscreen_dnsbl_sites (default empty); A comma separated list of dnsbl IP blacklist sites with optional result filter and optional weight. Specify one or more dnsbl sites as:
  dnsbl_site[=d.d.d.d][wN]
where dnsbl_site is the site name, d.d.d.d is the optional result filter, and N is the optional weight value. Wildcard octets in the result filter can be indicated with "*". If no result filter is given, any result is considered a match. The weight is given as the letter "w" followed by a value in the range [-99~+99] inclusive. If "+" or "-" is not specified, "+" is assumed. If no weight is given, the default weight value is +1.
Examples:
postscreen_dnsbl_sites =
  dnsbl_site1
  dnsbl_site2=127.0.*.2w5
  dnsbl_site3=w+6


- postscreen_dnswl_sites (default empty); A comma separated list of dnswl IP whitelist sites with optional result filter and optional weight. Specify one or more dnswl sites as:
  dnswl_site[=d.d.d.d][wN]
where dnswl_site is the site name, d.d.d.d is the optional result filter, and N is the optional weight value. Wildcard octets in the result filter can be indicated with "*". If no result filter is given, any result is considered a match. The weight is given as the letter "w" followed by a value in the range [-99~+99] inclusive. If "+" or "-" is not specified, "-" is assumed. If no weight is given, the default weight value is -1.
Examples:
postscreen_dnswl_sites =
  dnswl_site1
  dnswl_site2=127.0.*.2w5
  dnswl_site3=w-6


(next two items are for future expansion if hostnames are available)

(name tweaks? postscreen_dnsbl_hostname_sites and postscreen_dnswl_hostname_sites so one can grep all related parameters with postscreen_dns*?)

- postscreen_rhsbl_sites (default empty); A comma separated list of rhsbl hostname blacklist sites using the unverified client hostname with optional result filter and optional weight. Specify one or more rhsbl sites as:
  rhsbl_site[=d.d.d.d][wN]
where rhsbl_site is the site name, d.d.d.d is the optional result filter, and N is the optional weight value. Wildcard octets in the result filter can be indicated with "*". If no result filter is given, any result is considered a match. The weight is given as the letter "w" followed by a value in the range [-99~+99] inclusive. If "+" or "-" is not specified, "+" is assumed. If no weight is given, the default weight value is +1.
Examples:
postscreen_rhsbl_sites =
  rhsbl_site1
  rhsbl_site2=127.0.*.2w5
  rhsbl_site3=w+6

- postscreen_rhswl_sites (default empty); A comma separated list of rhswl hostname whitelist sites using the client hostname with optional result filter and optional weight. Specify one or more rhswl sites as:
  rhswl_site[=d.d.d.d][wN]
where rhswl_site is the site name, d.d.d.d is the optional result filter, and N is the optional weight value. Wildcard octets in the result filter can be indicated with "*". If no result filter is given, any result is considered a match. The weight is specified as the letter "w" followed by a value in the range [-99~+99] inclusive. If "+" or "-" is not specified, "-" is assumed. If no weight is given, the default weight value is -1.
Examples:
postscreen_rhswl_sites =
  rhswl_site1
  rhswl_site2=127.0.*.2w5
  rhswl_site3=w-6

(below is unchanged except for the name change to *_dnsxl_*)

- postscreen_dnsxl_whitelist_score (default=-1); a "pass" threshold score. Clients scoring at or BELOW this value trigger the postscreen_dnsxl_whitelist_action.

- postscreen_dnsxl_blacklist_score (default=1) a "drop" threshold score. Clients scoring at or ABOVE this value trigger the postscreen_dnsxl_blacklist_action.

- postscreen_dnsxl_whitelist_action (default continue); the action postscreen takes when a client matches the postscreen_dnsxl_whitelist_score. Specify one of:
  continue; perform additional postscreen tests to determine disposition.
  pass; exempt the client from further postscreen tests and pass it to a real SMTP server process.

- postscreen_dnsxl_blacklist_action (default continue); the action postscreen takes when a client exceeds the postscreen_dnsxl_blacklist_score. Specify one of:
  continue; perform additional postscreen tests to determine disposition.
  drop; drop the connection with a 521 SMTP reply.



  -- Noel Jones
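As an added illustration (not code from this thread and not Postfix's own implementation): a small Python parser and scorer for the entry syntax and thresholds as proposed in the message above, i.e. site[=d.d.d.d][wN], "*" wildcard octets, a default weight and default sign that follow the list type (+ for dnsbl, - for dnswl), and the at-or-below whitelist / at-or-above blacklist thresholds. The site names reuse the proposal's placeholders and the DNS results are constructed. Two points the proposal leaves open are settled here as labelled assumptions: the wN suffix is only recognised after "=" (a bare site name may itself end in "w" plus digits), and each configured entry contributes its weight at most once no matter how many addresses the site returns.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Entry grammar from the proposal:  site[=d.d.d.d][wN]
# Assumption made here: wN is only recognised after "=" (the filter may be
# empty, as in "site=w+6"), because a bare site name may itself end in "w"
# plus digits and the proposal does not say how that ambiguity is resolved.
_OCTET = r"(?:\d{1,3}|\*)"
_ENTRY_RE = re.compile(
    r"^(?P<site>[^=\s,]+)"
    r"(?:=(?P<flt>" + _OCTET + r"(?:\." + _OCTET + r"){3})?"
    r"(?:w(?P<weight>[+-]?\d{1,2}))?)?$"      # two digits keeps |N| <= 99
)


@dataclass(frozen=True)
class SiteEntry:
    site: str
    result_filter: Optional[Tuple[Optional[int], ...]]  # None: any result; None octet: "*"
    weight: int                                        # signed, in [-99, +99]


def _parse_filter(text: str) -> Tuple[Optional[int], ...]:
    octets: List[Optional[int]] = []
    for part in text.split("."):
        if part == "*":
            octets.append(None)
        elif 0 <= int(part) <= 255:
            octets.append(int(part))
        else:
            raise ValueError(f"octet out of range in result filter {text!r}")
    return tuple(octets)


def parse_entry(text: str, default_sign: int) -> SiteEntry:
    """default_sign is +1 for a dnsbl list and -1 for a dnswl list: it is the
    default weight, and the sign applied to an unsigned wN suffix."""
    m = _ENTRY_RE.match(text)
    if not m:
        raise ValueError(f"malformed site entry {text!r}")
    flt = _parse_filter(m["flt"]) if m["flt"] else None
    w = m["weight"]
    if w is None:
        weight = default_sign                 # no weight given: +1 / -1
    elif w[0] in "+-":
        weight = int(w)                       # explicit sign wins
    else:
        weight = default_sign * int(w)        # unsigned: sign follows list type
    return SiteEntry(m["site"], flt, weight)


def is_valid_entry(text: str, default_sign: int = 1) -> bool:
    try:
        parse_entry(text, default_sign)
        return True
    except ValueError:
        return False


def parse_sites(text: str, default_sign: int) -> List[SiteEntry]:
    """Parse a comma/whitespace separated postscreen_dns[bw]l_sites value."""
    return [parse_entry(t, default_sign) for t in re.split(r"[,\s]+", text.strip()) if t]


def result_matches(entry: SiteEntry, address: str) -> bool:
    if entry.result_filter is None:
        return True
    got = [int(p) for p in address.split(".")]
    if len(got) != 4:
        raise ValueError(f"not an IPv4 result: {address!r}")
    return all(want is None or want == have for want, have in zip(entry.result_filter, got))


def score_client(entries: Iterable[SiteEntry], lookups: Dict[str, List[str]]) -> int:
    """Add an entry's weight once if any address its site returned passes the
    entry's filter (one contribution per entry: an assumption made here)."""
    return sum(e.weight for e in entries
               if any(result_matches(e, a) for a in lookups.get(e.site, [])))


def decide(score: int, whitelist_score: int = -1, blacklist_score: int = 1,
           whitelist_action: str = "continue", blacklist_action: str = "continue"):
    """Thresholds as proposed: at or BELOW whitelist_score, at or ABOVE blacklist_score."""
    if score <= whitelist_score:
        return "whitelist", whitelist_action
    if score >= blacklist_score:
        return "blacklist", blacklist_action
    return None, "continue"


# The proposal's own example values, comma separated.
DNSBL_SITES = "dnsbl_site1, dnsbl_site2=127.0.*.2w5, dnsbl_site3=w+6"
DNSWL_SITES = "dnswl_site1, dnswl_site2=127.0.*.2w5, dnswl_site3=w-6"

# Constructed lookup results: the A records each site returned for one client.
LOOKUPS_MIXED = {
    "dnsbl_site1": ["127.0.0.2"],   # listed, default weight +1
    "dnsbl_site2": ["127.0.0.3"],   # listed, but filter 127.0.*.2 does not match
    "dnswl_site2": ["127.0.5.2"],   # matches 127.0.*.2; unsigned w5 on a dnswl is -5
}
LOOKUPS_BAD = {"dnsbl_site1": ["127.0.0.2"], "dnsbl_site3": ["127.0.0.10"]}


def evaluate(lookups, whitelist_action="pass", blacklist_action="drop"):
    entries = parse_sites(DNSBL_SITES, +1) + parse_sites(DNSWL_SITES, -1)
    score = score_client(entries, lookups)
    reason, action = decide(score, whitelist_action=whitelist_action,
                            blacklist_action=blacklist_action)
    return score, reason, action


if __name__ == "__main__":
    for name, lk in [("mixed", LOOKUPS_MIXED), ("bad", LOOKUPS_BAD), ("unlisted", {})]:
        print(name, evaluate(lk))
```

Note the sign rule: dnswl_site2=127.0.*.2w5 scores -5, since an unsigned N on a whitelist takes the list's default sign, while an explicit w+5 on a whitelist entry would add to the score. The regex's two-digit limit is what enforces the [-99~+99] range, so w100 is rejected as malformed rather than clamped.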
