On Fri, Apr 12, 2013 at 04:39:29AM -0500, Stan Hoeppner wrote
Re: scripting a list of Google outbound CIDRs:
> This seems quite a bit less effort than Wietse adding the feature
> you requested. The end result is nearly identical, at least for
> the Google case, and can easily be extended to cover other domains.

I did think of this, and yes, it would save us the pain which seems to
hit every 30 days, as the after-220 tests for gmail expire. But
extending it to cover other domains would not scale well. Which
domains? What's the structure of their SPF records? When you "easily
extend" this idea it becomes much more onerous.

And still sitting out there are those unused DNSWL scores. Yes, unused.
As it stands I could drop those checks from my config without noticing
a change. There is very little overlap between the DNSWLs (I currently
use SWL and dnswl.org) and reasonable, well-run DNSBLs. In my
experience a few of the spamtrap-driven automated DNSBLs occasionally
list a dnswl.org whitelisted host, but I don't recall having seen an
instance where whitelisting prevented a rejection. And I have never
found a blacklist entry for the (much smaller, I think) SWL zone.

A DNSWL entry says two things:

1. This is a real MTA, not a zombie
2. At one point someone trustworthy thought it was not spammer-controlled

Case 1 mostly entitles it to speak to smtpd, unless of course
offsetting DNSBL scores overcome the whitelist score. By continuing on
to check DNSBLs, Case 2 is addressed.

I believe that DNS-based whitelisting will grow in importance,
especially in the IPv6 world. I expect to move into IPv6 with a
default-deny policy, where non-whitelisted hosts are rejected.

> And with this method the Google outbounds skip all Postscreen
> processing entirely, not just the after 220 tests.

I wouldn't want that. :) If one of these providers is seriously
compromised, they'll be blacklisted, and I would want to check for
that. I don't give Google my absolute trust. I think they may have
improved, but I know they're not infallible.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: