Emmanuel Dreyfus wrote:

> On Wed, Nov 09, 2005 at 10:53:37AM -0600, Ken Serrine wrote:
>
>> Then, eventually, I will allow my users to administer themselves; i.e.,
>> whitelisting, not being on the greylist, etc., which means I have to use
>> LDAP, or some other backend like SQL. Since I already use LDAP for all
>> my mail routing and whitelisting controls, it is the natural fit.
>
> Do we want the complete ACL to be pulled from an external back-end? Or
> do we want to mix file-based ACL and an ACL from an external source?
>
> How would the ACL be stored in LDAP?

Ken wrote:

I need to get some time to study the code, but my initial thoughts are to have a mix. So, either or both would be an option.

For the ACL storage, I'm sure it's best to be flexible. Some may want a separate branch, but others may want to just add attributes to existing branches. So, there should probably be additional config options to specify exactly what to look up in LDAP.

My immediate goals are to let the users choose to be greylisted or not. Of course, to be useful, the LDAP features would have to be much more flexible.

An example for "acl whitelist rcpt nobody@..." would be to add the following to the conf file:

    LDAPServers ldap1.abc.example.net ldap2.abc.example.net ldap3.abc.example.net
    LDAPBase ou=greyacl,dc=example,dc=net
    LDAPACLKey mail
    LDAPACLAction action
    LDAPACLType type

so, for example, the equivalent command line query to the greylist milter query would be:

    ldapsearch -b "ou=greyacl,dc=example,dc=net" "(mail=nobody@...)" action type

The return values would be "action=whitelist" and "type=rcpt", or if the recipient wants to be greylisted, then either no record would be found or "action=greylist" would be returned.

To be flexible, this would all be more complicated, of course. We would want to minimize the number of LDAP lookups, I think. So, to cover all combinations of ACLs, I think we'd need options to determine if we just wanted "rcpt", or "domain", etc.

In my case, if I only cared about "rcpt", then I wouldn't want the milter doing lookups for "domain", "from", etc. In other words, I wouldn't want all the lookups that are currently happening in memory to have to occur across the network to the LDAP servers. If the LDAP server was running on the same box as sendmail, it may not be as bad, but mine aren't. And, I already have over 800 million hits per day, so any unnecessary lookups would not be appreciated.
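As an added illustration (not code from this message or from milter-greylist), the following Python sketch models the lookup path Ken proposes: parsing the LDAP* conf options, building the equality filter that ldapsearch would run, mapping the returned action/type attributes to a whitelist-or-greylist decision, and skipping stages that should not go to LDAP at all. LDAPACLLookups is a hypothetical option invented here for that last point, nobody@example.net and the in-memory directory are constructed sample data, and the filter escaping is a defensive detail a real implementation would need because the looked-up value comes straight from the SMTP envelope.

```python
import re

# Constructed config in the shape proposed in the message. LDAPACLLookups is a
# hypothetical extra option naming which ACL stages may go to LDAP at all, so a
# rcpt-only site never pays for "domain" or "from" lookups over the network.
SAMPLE_CONF = """\
LDAPServers ldap1.abc.example.net ldap2.abc.example.net ldap3.abc.example.net
LDAPBase ou=greyacl,dc=example,dc=net
LDAPACLKey mail
LDAPACLAction action
LDAPACLType type
LDAPACLLookups rcpt
"""
# Constructed entries standing in for what the LDAP servers would return.
SAMPLE_DIRECTORY = {"ou=greyacl,dc=example,dc=net": [
    {"mail": "nobody@example.net", "action": "whitelist", "type": "rcpt"},
    {"mail": "grey@example.net", "action": "greylist", "type": "rcpt"},
]}

def parse_conf(text):
    """'Key value...' lines; LDAPServers keeps its whole host list."""
    cfg = {}
    for parts in (line.split() for line in text.splitlines() if line.split()):
        cfg[parts[0]] = parts[1:] if parts[0] == "LDAPServers" else parts[1]
    return cfg

_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def build_filter(cfg, value):
    """RFC 4515 equality filter. The value is the SMTP envelope address, i.e.
    remote-supplied, so escape it instead of splicing it in verbatim."""
    return "(%s=%s)" % (cfg["LDAPACLKey"], "".join(_ESC.get(c, c) for c in value))

def evaluate(flt, entry):
    """Tiny evaluator for '(attr=value)' plus the '(attr=*)' presence filter."""
    attr, raw = re.fullmatch(r"\((\w+)=(.*)\)", flt).groups()
    if raw == "*":
        return attr in entry
    literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), raw)
    return entry.get(attr) == literal

def acl_lookup(cfg, stage, value, directory):
    """'whitelist'/'greylist' for one ACL stage ('rcpt', 'domain', 'from'),
    or None when the configuration keeps this stage out of LDAP entirely."""
    if stage not in cfg.get("LDAPACLLookups", "").split(","):
        return None
    flt = build_filter(cfg, value)
    for e in directory.get(cfg["LDAPBase"], []):
        if evaluate(flt, e) and e.get(cfg["LDAPACLType"]) == stage:
            return e.get(cfg["LDAPACLAction"], "greylist")
    return "greylist"  # no record found means the user is greylisted
```

Without the escaping, a recipient of "*" would turn the query into the presence filter (mail=*) and match the first whitelisted entry; with it, the literal asterisk matches nothing and the default greylist decision applies.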
Re: [milter-greylist] ldap support
2005-11-11 by Ken Serrine