On Fri, Nov 11, 2005 at 02:47:27PM -0600, Ken Serrine wrote:

> To be flexible, this would all be more complicated, of course. We would
> want to minimize the number of LDAP lookups, I think. So, to cover all
> combinations of ACLs, I think we'd need options to determine if we just
> wanted "rcpt", or "domain", etc.
> In my case, if I only cared about "rcpt", then I wouldn't want the
> milter doing lookups for "domain", "from", etc.

On Sat, 12 Nov 2005, Emmanuel Dreyfus wrote:

> It seems a pity to leave out the ability for users to greylist everything but
> some DNS domains, IP block or sender combination. I can understand you
> don't want to implement it now because it is of no interest for you yet,
> but it would be good to decide on an LDAP directory structure that will
> fit the complicated setup later.
> I'm not knowledgeable in LDAP, so I cannot be of a lot of help. Is it
> possible to query LDAP to retrieve a whole branch of the tree? If it is,
> then we could fetch a set of ACLs stored for a recipient.

Ken wrote:

Yes, I agree having a structure in place up front would be the thing to do. One wouldn't want to retrieve a whole branch because of the inefficiency, but more complex queries should be allowed. In my example, if I was just interested in the recipient, I wouldn't want the LDAP servers or the code to do unnecessary work. That isn't to say that someone else wouldn't have that need. So, my query may just be (rcpt=whatever@...), but others may need (&(addr=10.0.0.1)(from=pat@...)(rcpt=chris@...)). But, if one mixes these two into the same directory, then we have to account for a whole new level of logic.

I will try to explain better by comparing to the current greylist.conf logic. First, the greylist.conf depends on order. So, the first match wins. There will be no order in LDAP. Multiple results could be returned for a query, and although there is a sort ability in LDAP, I wouldn't think we would want ASCII or alphabetical order to determine priority.

So, using greylist.conf, there could be the following entries (not necessarily in this order):

    acl whitelist domain example.net rcpt pat@...
    acl greylist domain example.net
    acl whitelist addr 10.0.0.2    # assume that's the IP for example.net

Using LDAP, we'd have to have the logic to form a complex query or the logic to perform multiple queries and also interpret the results. It's not that this can't be done, but I believe it to be too inefficient for a busy site. The single query would look something like this:

    (|(&(addr=10.0.0.2)(type=whitelist))(&(domain=example.net)(type=greylist))(&(domain=example.net)(rcpt=pat@...)(type=whitelist)))

And, remember, the results are not in any specific order, so we can't just say "first one wins". So, we need to decide based on the results which rule gets priority.

I'm just trying to illustrate one small example. I haven't even considered all the possible scenarios, but to encompass the needs of all greylist users, one can start to see the complexity. Looking up a user's ACL based on his/her address is not a problem and is not complex, but adding the ability to do "from", "domain", and "addr" in combination with this will get quite complicated.

One possibility is to let one specify the priority of each type and whether he/she wants it enabled. So, for example, one could specify the order as:

    addr domain from rcpt

and then determine whether one wants to do each type:

    addr   (on/off)
    domain (on/off)
    from   (on/off)
    rcpt   (on/off)

In this example, there would be a maximum of 4 lookups:

    if (addr == on) then
        do ldap query (addr=w.x.y.z); if ldap match, then perform action;
    else if (domain == on) then
        do ldap query (domain=example.net); if ldap match, then perform action;
    else if (from == on) then
        do ldap query (from=test@...); if ldap match, then perform action;
    else if (rcpt == on) then
        do ldap query (rcpt=test@...); if ldap match, then perform action;

But, this still doesn't account for the cases of combinations such as

    acl whitelist from pat@... rcpt pat@...

Dan Hollis wrote:

> I think something more flexible would be to integrate lua support, so
> people can easily script support for mysql/ldap/abcxyz, with their own
> special site-specific rulesets. They can filter rcpt or domain or helo
> or any complex combination they like.
>
> -Dan

Ken wrote:

Lua looks interesting. Are you thinking of an architecture where we can make our own "plug-ins"?
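As an added example, not code from milter-greylist and not from anyone in this thread: a small Python model of the two lookup strategies discussed above, run against a constructed in-memory list of ACL entries that stands in for the LDAP server. The attribute names addr/domain/from/rcpt/action are assumed (Ken's "type" attribute appears here as "action"), the "most specific entry wins, ties broken by type priority" rule is one possible replacement for greylist.conf line order rather than anything the thread agreed on, and the sample addresses are made up. It also shows why values taken from the remote MTA must be escaped before they are placed in a search filter.

```python
# Added example (not milter-greylist code and not from anyone in this thread).
# Models the two LDAP lookup strategies discussed above against a constructed
# in-memory "directory"; a real milter would send the rendered filter strings
# to an LDAP server instead. Attribute names addr/domain/from/rcpt/action are
# assumed, not a real schema.

TYPE_ORDER = ("addr", "domain", "from", "rcpt")  # assumed priority, high to low

# RFC 4515 escaping for values placed inside a search filter. The sender
# address, HELO name and client IP come from the remote MTA and are therefore
# attacker-controlled; interpolated raw, a crafted MAIL FROM could close the
# equality clause and add its own, e.g. "x@a.example)(action=whitelist".
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Constructed sample directory: one entry per greylist.conf "acl" line, with no
# ordering. Every key except "action" is a condition the message must satisfy.
DIRECTORY = [
    {"action": "whitelist", "domain": "example.net", "rcpt": "pat@example.com"},
    {"action": "greylist", "domain": "example.net"},
    {"action": "whitelist", "addr": "10.0.0.2"},
    {"action": "whitelist", "from": "pat@example.net", "rcpt": "chris@example.com"},
]


def sequential_lookup(directory, message, enabled=TYPE_ORDER, order=TYPE_ORDER):
    """One query per enabled type, in priority order, first hit wins.

    This is the "maximum of 4 lookups" scheme. A bare "(from=x)" filter
    returns every entry whose from attribute is x, including entries that
    also require a particular rcpt, so combination rules fire too early.
    """
    for key in order:
        value = message.get(key)
        if key not in enabled or value is None:
            continue
        # equivalent LDAP filter: "(%s=%s)" % (key, escape_filter_value(value))
        hits = [e for e in directory if e.get(key) == value]
        if hits:
            return hits[0]["action"]  # result order is unspecified in LDAP
    return None


def render_single_filter(message, enabled=TYPE_ORDER):
    """One filter that selects exactly the entries whose every condition holds.

    For each enabled type: the entry either has no such attribute, or its
    value equals the message's. A disabled type must be absent from the entry.
    """
    clauses = []
    for key in TYPE_ORDER:
        if key in enabled:
            value = escape_filter_value(message.get(key, ""))
            clauses.append("(|(!(%s=*))(%s=%s))" % (key, key, value))
        else:
            clauses.append("(!(%s=*))" % key)
    return "(&" + "".join(clauses) + ")"


def _applies(entry, message, enabled):
    # Python evaluation of the predicate render_single_filter() expresses.
    for key in TYPE_ORDER:
        if key in entry and (key not in enabled or entry[key] != message.get(key)):
            return False
    return True


def _rank(entry):
    # Deterministic replacement for greylist.conf line order (an assumption):
    # the entry with the most conditions wins; ties go to the attribute type
    # that comes first in TYPE_ORDER.
    keys = [k for k in TYPE_ORDER if k in entry]
    return (-len(keys), tuple(TYPE_ORDER.index(k) for k in keys))


def single_query_lookup(directory, message, enabled=TYPE_ORDER):
    hits = [e for e in directory if _applies(e, message, enabled)]
    return min(hits, key=_rank)["action"] if hits else None


if __name__ == "__main__":
    msg = {"addr": "10.0.0.9", "domain": "example.org",
           "from": "pat@example.net", "rcpt": "bob@example.com"}
    print(render_single_filter(msg))
    print("sequential:", sequential_lookup(DIRECTORY, msg))
    print("single query:", single_query_lookup(DIRECTORY, msg))
```

For the message in the `__main__` block, the sequential scheme whitelists it because the per-type "(from=pat@example.net)" query returns the combination entry that also requires rcpt chris@example.com, while the single filter excludes that entry and returns no match. The single filter grows by one clause per type, so a disabled type costs nothing on the client side and simply requires the attribute to be absent from matching entries.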
Re: [milter-greylist] ldap support
2005-11-14 by Ken Serrine