Noel Jones wrote in late August 2010:
> B) a "permit" based system, a mirror of reject_rbl_client.
>
> This would have a user interface similar to the existing
> reject_rbl_client with expected usage similar to access(5)
> based whitelists.
>
> Seems to me that checks using sender-supplied info such as
> {helo, sender domain, recipient domain} are unsafe -- give
> whitelist control to unverified information -- and probably
> shouldn't be implemented.
>
> To prevent open-relay accidents, this would need to return
> permit_auth_destination rather than a blanket permit. Maybe
> the result action will need to be configurable? Nah.
>
> The user interface would be familiar to anyone using rbl
> checks. Sample documentation under the appropriate
> smtpd_mumble_restrictions section:
>
> - permit_dnswl_client dnswl_domain=d.d.d.d
>   Accept the request when the reversed client IP network
>   address is listed with an A record of d.d.d.d under
>   dnswl_domain. If no =d.d.d.d is given, accept the request
>   with any A record under dnswl_domain. For safety, only
>   authorized destinations are accepted, see permit_auth_destination.
>
> - permit_rhswl_client rhswl_domain=d.d.d.d
>   Accept the request when the client hostname is listed with
>   an A record of d.d.d.d under rhswl_domain. If no =d.d.d.d is
>   given, accept the request with any A record under
>   rhswl_domain. For safety, only authorized destinations are
>   accepted, see permit_auth_destination.
>
> Seems like this one would be very easy to use, and fairly easy
> to implement.

This is now implemented with minor changes. Mainly, the discussion
about permit_auth_destination had to be replaced, since that is
not applicable in smtpd_{client,helo,sender}_restrictions context.
I also added a DEFER_IF_REJECT result in case of DNS failure.

The current manpage text reads:

    reject_rbl_client rbl_domain=d.d.d.d
        ...

    permit_dnswl_client dnswl_domain=d.d.d.d
        Accept the request when the reversed client network address
        is listed with the A record "d.d.d.d" under dnswl_domain. If
        no "=d.d.d.d" is specified, accept the request when the
        reversed client network address is listed with any A record
        under dnswl_domain.
        For safety, permit_dnswl_client is silently ignored when it
        would override reject_unauth_destination. The result is
        DEFER_IF_REJECT when whitelist lookup fails. This feature is
        available in Postfix 2.8 and later.

    ...

    reject_rhsbl_client rbl_domain=d.d.d.d
        ...

    permit_rhswl_client rhswl_domain=d.d.d.d
        Accept the request when the client hostname is listed with
        the A record "d.d.d.d" under rhswl_domain. If no "=d.d.d.d"
        is specified, accept the request when the client hostname is
        listed with any A record under rhswl_domain.
        For safety, permit_rhswl_client is silently ignored when it
        would override reject_unauth_destination. The result is
        DEFER_IF_REJECT when whitelist lookup fails. This feature is
        available in Postfix 2.8 and later.

The safety check literally triggers when permit_dns/rhswl_client
is invoked inside smtpd_recipient_restrictions with a recipient
that would be blocked by reject_unauth_destination.

The above primitives are easily generalized to the unverified
reverse client, helo and sender, but it would seem unwise.

        Wietse
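
A model of the permit_dnswl_client decision described in the manpage text above, as an added example that is not part of the original message and is not Postfix source code. The function names, the DUNNO "no decision" value, the injected resolver and the sample zone are assumptions for illustration; the IPv6 nibble reversal goes beyond what the text states, and running the safety check before the lookup is a modelling choice.

```python
import ipaddress

PERMIT, DUNNO, DEFER_IF_REJECT = "PERMIT", "DUNNO", "DEFER_IF_REJECT"

class LookupFailure(Exception):
    """Temporary DNS error (timeout, SERVFAIL), distinct from 'not listed'."""

def dnswl_query_name(client_ip, dnswl_domain):
    """Reverse the client address and append the whitelist domain."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:  # IPv6: one label per hex nibble (generalization beyond the text)
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + dnswl_domain

def permit_dnswl_client(client_ip, spec, resolve, in_rcpt_restrictions=False,
                        rcpt_authorized=True):
    """Model of the documented behaviour; spec is 'dnswl_domain[=d.d.d.d]'."""
    domain, _, wanted = spec.partition("=")
    # Safety: never override reject_unauth_destination (open-relay guard).
    if in_rcpt_restrictions and not rcpt_authorized:
        return DUNNO  # silently ignored
    try:
        records = resolve(dnswl_query_name(client_ip, domain))
    except LookupFailure:
        return DEFER_IF_REJECT  # whitelist lookup failed
    if not records:
        return DUNNO  # not listed: later restrictions decide
    if wanted and wanted not in records:
        return DUNNO  # listed, but not with the required A record
    return PERMIT

# Constructed sample zone (hypothetical whitelist wl.example.test):
# query name -> A records; None marks a temporary lookup failure.
SAMPLE_ZONE = {
    "10.2.0.192.wl.example.test": ["127.0.0.2"],
    "7.100.51.198.wl.example.test": None,
}

def sample_resolve(qname):
    """Offline stand-in for a DNS A lookup against SAMPLE_ZONE."""
    if SAMPLE_ZONE.get(qname, []) is None:
        raise LookupFailure(qname)
    return SAMPLE_ZONE.get(qname, [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, permit_dnswl_client(ip, "wl.example.test", sample_resolve))
```
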