I need to use dns blacklisting on incoming email. Spamd caused
a user revolt because of its unpredictable delay.
smtpd maintainers have more urgent projects than working
on filter-dnsbl.
What I'd like to do is:
In pf.conf:
    pass in on ingress from <whitelist> to any port smtp
    pass in on ingress from <blacklist> to any port smtp \
        divert-to [spamd-port]
    pass in on ingress from <retrylist> to any port smtp \
        #insert proper action here = pass on or send to spamd
    pass in from any to any port smtp divert-packet 9999 \
        no-state

In dnsbld:
    bind to divert socket 9999
    parallel loop:
        receive syn packet for smtp connection
        initiate dnsbl lookup
        good reply: insert address into <whitelist>
        bad reply: insert address into <blacklist>
        timeout: insert address into <retrylist>
        reinject syn packet

In dnsbld-cleaner:
    maintain lists of expiry times and remove entries
    from the pf tables appropriately
What I'd like to happen is that the first syn packet will go
to dnsbld. By inserting entries into pf tables, when the syn
is finally reinjected or retry syn packets arrive, they will
match a table, thus creating a state.
Subsequent packets of that connection wouldn't go to the divert
socket. dnsbld should only see syn packets, usually only one
if the dns lookup is quick.
What I don't want to do is interpose dnsbld for the entire
smtp connection.
Is this likely to work? My reading of the code suggests it
should but pf is pretty intricate. I don't know if the pf
rule optimizer would rearrange things detrimentally.
thanks
Geoff Steckel
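An added example of the lookup-and-table step of the dnsbld loop sketched in the post. This is not code from the post or from OpenBSD; it shows how the DNSBL query name is built from the peer address, how the answer maps onto the three verdicts (good reply, bad reply, timeout), and which pfctl invocations move the address into <whitelist>, <blacklist> or <retrylist> and later expire it. The zone name bl.example.net, the per-table TTLs and the stub resolver are assumptions; reading the SYN from the divert(4) socket and reinjecting it is OpenBSD-specific and not shown.

```python
"""DNSBL lookup and pf-table verdict for an incoming SMTP SYN (added example).

Assumptions: the zone bl.example.net, the TTLs in TABLES, and the stub
resolver used so the module runs offline.  Real use passes
socket.gethostbyname (the default) and run_pfctl.
"""
import ipaddress
import socket
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

DNSBL_ZONE = "bl.example.net"          # assumed zone; replace with the list you use

# pf table per verdict (names from the post) and an assumed TTL in seconds
TABLES = {
    "good":    ("whitelist", 24 * 3600),
    "bad":     ("blacklist", 6 * 3600),
    "timeout": ("retrylist", 300),
}

EAI_AGAIN = getattr(socket, "EAI_AGAIN", -3)     # temporary resolver failure
EAI_NONAME = getattr(socket, "EAI_NONAME", -2)   # NXDOMAIN


def dnsbl_name(addr: str, zone: str = DNSBL_ZONE) -> str:
    """Query name for addr: reversed octets (IPv4) or reversed nibbles (IPv6)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        rev = ".".join(reversed(str(ip).split(".")))
    else:
        rev = ".".join(reversed(ip.exploded.replace(":", "")))
    return f"{rev}.{zone}"


def classify(addr: str, resolve: Callable[[str], str] = socket.gethostbyname,
             zone: str = DNSBL_ZONE) -> str:
    """Return 'good', 'bad' or 'timeout' for addr, one per pf table."""
    try:
        answer = resolve(dnsbl_name(addr, zone))
    except socket.timeout:
        return "timeout"
    except socket.gaierror as e:
        if e.errno == EAI_AGAIN:          # SERVFAIL or resolver timed out
            return "timeout"
        return "good"                     # NXDOMAIN: not listed
    except OSError:
        return "timeout"
    # A listed address answers with a 127.0.0.0/8 return code.  Anything
    # else (a dead list whose domain now wildcards) must not block mail.
    try:
        listed = ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")
    except ValueError:
        listed = False
    return "bad" if listed else "good"


def add_command(verdict: str, addr: str) -> List[str]:
    """pfctl invocation that puts addr into the table for this verdict."""
    table, _ = TABLES[verdict]
    return ["pfctl", "-t", table, "-T", "add", addr]


def expire_command(verdict: str) -> List[str]:
    """pfctl invocation for the cleaner: drop entries older than the TTL.
    -T expire keys on the per-entry timestamp that -T add sets."""
    table, ttl = TABLES[verdict]
    return ["pfctl", "-t", table, "-T", "expire", str(ttl)]


def run_pfctl(cmd: List[str]) -> None:
    """Actually apply a pfctl command (needs root and OpenBSD pf)."""
    subprocess.run(cmd, check=True)


def handle_syn(addr: str, resolve: Callable[[str], str] = socket.gethostbyname,
               run: Optional[Callable[[List[str]], object]] = None) -> Tuple[str, List[str]]:
    """One loop iteration: look up, pick a table, optionally run pfctl."""
    verdict = classify(addr, resolve)
    cmd = add_command(verdict, addr)
    if run is not None:
        run(cmd)
    return verdict, cmd


# Constructed stub standing in for the resolver so this runs offline:
# 192.0.2.2 is listed, 192.0.2.3 hits a list that is unreachable, the rest are clean.
_STUB_ANSWERS = {"2.2.0.192.bl.example.net": "127.0.0.2"}


def stub_resolver(name: str) -> str:
    if name in _STUB_ANSWERS:
        return _STUB_ANSWERS[name]
    if name.startswith("3.2.0.192."):
        raise socket.gaierror(EAI_AGAIN, "Temporary failure in name resolution")
    raise socket.gaierror(EAI_NONAME, "Name or service not known")


def demo() -> Dict[str, str]:
    """Run three constructed peers through handle_syn without touching pf."""
    return {a: handle_syn(a, stub_resolver)[0]
            for a in ("192.0.2.1", "192.0.2.2", "192.0.2.3")}


if __name__ == "__main__":
    for addr, verdict in demo().items():
        print(addr, verdict, " ".join(add_command(verdict, addr)))
```

The cleaner thread in the post can be a periodic `expire_command(v)` per table instead of a separate list of expiry times, since pfctl's `-T expire` removes entries whose add timestamp is older than the given number of seconds. Each lookup is blocking here; the "parallel loop" of the post maps onto running `handle_syn` in a worker pool so one slow list does not hold up other peers' SYNs.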