Yahoo Groups archive

Milter-greylist

Re: [milter-greylist] [RFC] Recipient settings through LDAP?

2006-11-22 by Christian PELISSIER

On Tue 21/11/2006 at 17:50, Emmanuel Dreyfus wrote:
> Hi
> 
> I use per-recipient settings, where each user can choose the level of
> filtering: nothing, greylisting for 15 minutes, using DNSRBL, and so
> on.
> 
> For now, users ask for various filtering levels, and the
> milter-greylist configuration file is modified to satisfy their
> requests.
> 
> It would be better to pull the per-recipient info from a centralized
> database that users could modify on their own: it would save admin
> time.
> 
> LDAP seems a good candidate for the database.
> 
> Are there some experienced LDAP users here? How would you fit the
> filtering level attribute in the database? How do you imagine the 
> config file syntax to specify the use of the LDAP directory?
> 
> I imagine something like this:
> ldap "ldap1" "ldaps://ldap.example.net" "mail=%s,dc=example,dc=net" \
> "cn=user,dc=example,dc=net" "greylist_level" "level 1" \
> "/etc/mail/greylist.crt" "/etc/mail/greylist.key"
> 
> acl greylist rcpt_ldap "ldap1" greylist 15m
> acl whitelist default
> 
> With ldap statement arguments being:
> "ldap1" name of the config referenced later in the file
> "ldaps://ldap.example.net" URI of the server
> "mail=%s,dc=example,dc=net" filter, %s is replaced by rcpt e-mail.
> "cn=user,dc=example,dc=net" name used for connecting to the server
> "greylist_level" the attribute to look up
> "level 1" the value we look for a match
> "/etc/mail/greylist.crt" certificate (optional)
> "/etc/mail/greylist.key" key (optional)
> 
> But that looks a bit overkill (well, I assume it can't be otherwise
> with LDAP)...

If you choose LDAP you have to write your own LDAP schema adding milter
greylist required fields. Then you have to write a GUI allowing LDAP
users to modify the milter-greylist fields. You must define LDAP ACLs
that allow that. It's probably a good solution for a big site having an
LDAP server but it needs users to have a GUI.


> 
> Or are there other good ways of handling the issue?
>
The simple way to allow users to interact with some milter-greylist
parameters is a web interface (form/cgi or php) running on the mail
server to add/delete their own ACL in a separate conf file (eg
greyusracls.conf). You also have to authenticate them and the best for
that is to have an LDAP server .... So LDAP seems to be the right choice
but it's heavy for admin and milter-greylist.

> 
> -- 
> Emmanuel Dreyfus
> manu@...
> 
> 
> 
>  
-- 
Christian Pélissier
Office National d'Études et de Recherches Aérospatiales
BP 72 92322 Chatillon
Tel: 33 1 46 73 44 19, Fax: 33 1 46 73 41 50
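
The quoted proposal substitutes the recipient e-mail for `%s` in an LDAP filter, and that address is chosen by the remote sender. The following is an added example, not part of the thread and not milter-greylist code, showing RFC 4515 escaping applied before the substitution; the template `(mail=%s)`, the 256-byte limit and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define RCPT_MAX 256  /* assumed upper bound on a recipient address */

/* Escape rcpt per RFC 4515 so it can only ever be a literal value.
 * Returns 0 on success, -1 if out is too small. */
static int ldap_escape(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        int special = c == '*' || c == '(' || c == ')' || c == '\\' ||
                      c < 0x20 || c >= 0x7f;
        size_t need = special ? 3 : 1;
        if (o + need >= outlen)          /* keep room for the NUL */
            return -1;
        if (special)
            snprintf(out + o, 4, "\\%02x", (unsigned)c);
        else
            out[o] = (char)c;
        o += need;
    }
    out[o] = '\0';
    return 0;
}

/* Expand the first "%s" of tmpl with the escaped recipient.
 * Returns 0 on success, -1 on a missing %s, oversized rcpt or truncation. */
int build_filter(const char *tmpl, const char *rcpt, char *out, size_t outlen)
{
    const char *p = strstr(tmpl, "%s");
    char esc[3 * RCPT_MAX + 1];
    int n;
    if (p == NULL || strlen(rcpt) > RCPT_MAX ||
        ldap_escape(rcpt, esc, sizeof(esc)) < 0)
        return -1;
    n = snprintf(out, outlen, "%.*s%s%s", (int)(p - tmpl), tmpl, esc, p + 2);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Convenience wrapper using the constructed template "(mail=%s)". */
const char *filter_for(const char *rcpt)
{
    static char buf[1024];
    return build_filter("(mail=%s)", rcpt, buf, sizeof(buf)) == 0 ? buf : NULL;
}
```

A failure return should be treated as "no LDAP match" for that recipient rather than retried with the raw address.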
