Benoit Branciard <benoit.branciard@...> wrote:
> racl blacklist mx bad msg "invalid sender MX"
> racl whitelist mx match
It seems we have various tests we want to perform against a domain's
MXes. Let's try to figure a configuration syntax general enough to avoid
the thing getting too messy.
Two ideas that need some feedback and improvement:
First idea:
Existing tests such as DNSRBL can be extended to work on various data:
sender IP, sender DNS, sender MX IP, sender MX DNS, and so on.
We could use format strings to help DNSRBL cover a larger range of
situations. We already have:
%i sender IP address
%d sender DNS address
%mf sender e-mail domain
We could add:
%xi MX IP address
%xd MX DNS address
%n{} a reversed dot-separated item. eg: if sender IP address is
10.1.2.3, %n{%i} gives you 3.2.1.10.
Then, DNSRBL definitions can be improved like this:
dnsrbl "foo" "%n{%i}.dnsrbl.example.com" 127.0.0.0/8
You'll note that this syntax accommodates the use of either DNSRBL or
RHSRBL, based on whatever you want: sender machine, MX, sender domain,
receiver domain.
Given that it would not work only for DNSRBL, perhaps it's time to
rename it (it would make config parsing a bit easier), and make it even
more general by allowing the DNS query type to be specified:
dnslookup "foo" "%n{%i}.dnsrbl.example.com" A 127.0.0.0/8
Problem to solve: for a given domain, the MX is usually not unique. The %x
thing quickly tends to be difficult to define correctly. Suggestions
welcome.
Second idea:
Clauses are about matching a condition. We have different kinds of tests,
with different syntaxes:
rcpt foo@... variable, value
rcptcount >= 2 variable, operator, value
dnsrbl "foo" reference to a condition defined earlier.
Moreover, we have variables that can be set by the urlcheck clause
$foo >= 2
There is room for unifying a lot of things. Instead of writing
rcpt foo@...
we could write
$rcpt == "foo@..."
Of course that looks heavier, but that opens the way for adding more
operators (== for exact match, =~ for regexp match, <= for substring
match), and we can think about adding functions and logical operators.
Example:
dns(dns(machine($rcpt), "MX"), "A") >= $addr
- $rcpt would be set up as the recipient e-mail by milter-greylist
- machine($rcpt) would be the machine part of $rcpt (after the @), that
is: the sender address domain
- dns(machine($rcpt), "MX") would give us the comma separated list of MX
for the sender address domain
- dns(dns(machine($rcpt), "MX"), "A") would give us the comma separated
list of IP addresses for the sender address domain MX
- $addr would be set up as the sender machine IP by milter-greylist
- and the >= operator would check if $addr is a substring of the list of
IP addresses for the sender address domain MX.
That's just rough ideas, I'm not sure there is really something to do
with it. What do you think?
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...
Re: [milter-greylist] Some features for future releases...
2007-12-15 by manu@netbsd.org
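The format-string proposal in the first idea (%i, %d, %mf, %xi, %xd and %n{}) and the generalized `dnslookup` line, as an added worked example; this is not code from the post or from milter-greylist. The context keys, the in-memory resolver and its answers are constructed for the example, and `dnslookup_any_mx` is one possible answer to the multi-MX question the post leaves open: the lookup is simply run once per MX address.

```python
import ipaddress
import re

# Example written for this thread, not milter-greylist code. It implements the
# proposed %-tokens and a dnslookup check against an in-memory resolver.

SIMPLE_RE = re.compile(r"%(mf|xi|xd|i|d)")   # the tokens listed in the post
NREV_RE = re.compile(r"%n\{([^{}]*)\}")       # an innermost %n{...} (no braces inside)


def reverse_dotted(item):
    """%n{}: reverse a dot-separated item, e.g. 10.1.2.3 -> 3.2.1.10."""
    return ".".join(reversed(item.strip(".").split(".")))


def expand(fmt, ctx):
    """Expand a format string against ctx = {"i", "d", "mf", "xi", "xd"} values."""
    def simple(s):
        return SIMPLE_RE.sub(lambda m: ctx[m.group(1)], s)
    # Resolve %n{...} innermost-first so that %n{%n{%i}} round-trips.
    while True:
        fmt, n = NREV_RE.subn(lambda m: reverse_dotted(simple(m.group(1))), fmt)
        if n == 0:
            return simple(fmt)


# Constructed DNS answers standing in for a real resolver, so this runs offline.
FAKE_ZONE = {
    ("3.2.1.10.dnsrbl.example.com", "A"): ["127.0.0.2"],    # sender IP 10.1.2.3 is listed
    ("20.2.0.192.dnsrbl.example.com", "A"): ["127.0.0.3"],  # second MX address is listed
    ("example.org.rhsbl.example.com", "A"): ["10.9.9.9"],   # stray answer outside 127/8
}


def fake_resolve(qname, qtype):
    return FAKE_ZONE.get((qname, qtype), [])


def dnslookup(name_fmt, qtype, expected, ctx, resolve=fake_resolve):
    """Evaluate one `dnslookup "<name>" "<fmt>" <qtype> <expected>` definition.

    Returns (matched, query_name). For A/AAAA lookups `expected` is a CIDR
    network, so an answer only counts if it really falls inside that range
    (a wildcard or parked answer outside 127/8 is not a listing).
    """
    qname = expand(name_fmt, ctx)
    answers = resolve(qname, qtype)
    if qtype in ("A", "AAAA"):
        net = ipaddress.ip_network(expected)
        hit = any(ipaddress.ip_address(a) in net for a in answers)
    else:
        hit = expected in answers
    return hit, qname


def dnslookup_any_mx(name_fmt, qtype, expected, ctx, mx_ips, resolve=fake_resolve):
    """One reading of the multi-MX problem: run the lookup once per MX address
    and report the first one that is listed (assumption, not the post's design)."""
    for ip in mx_ips:
        hit, qname = dnslookup(name_fmt, qtype, expected, {**ctx, "xi": ip}, resolve)
        if hit:
            return True, qname
    return False, None


# Constructed session values of the kind milter-greylist would supply.
CTX = {"i": "10.1.2.3", "d": "host.example.net", "mf": "example.org",
       "xi": "192.0.2.10", "xd": "mx1.example.org"}

if __name__ == "__main__":
    print(dnslookup("%n{%i}.dnsrbl.example.com", "A", "127.0.0.0/8", CTX))
    print(dnslookup("%mf.rhsbl.example.com", "A", "127.0.0.0/8", CTX))
    print(dnslookup_any_mx("%n{%xi}.dnsrbl.example.com", "A", "127.0.0.0/8", CTX,
                           ["192.0.2.10", "192.0.2.20"]))
```

The range comparison is the part worth keeping whatever the final syntax looks like: a list that answers with something outside the expected 127.0.0.0/8 range (as `example.org.rhsbl.example.com` does here) must not count as a hit, otherwise a wildcard answer from an abandoned or hijacked RBL domain would mark every sender as listed.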
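The unified clause syntax of the second idea ($var, string literals, machine(), dns(), and the ==, =~, <= and >= operators), as an added example that is not code from the post or from milter-greylist. It parses and evaluates the post's own clause `dns(dns(machine($rcpt), "MX"), "A") >= $addr` against a constructed in-memory resolver; dns() accepting a comma-separated list so the calls nest is my reading of the post, and the `in` operator is an addition explained after the block.

```python
import re

# Example written for this thread, not milter-greylist code: a small tokenizer,
# recursive-descent parser and evaluator for the proposed clause syntax.

TOKEN_RE = re.compile(r'\s*(?:(\$\w+)|"([^"]*)"|(==|=~|<=|>=|in\b)|(\w+)|([(),]))')
KINDS = ("var", "str", "op", "ident", "punct")


def tokenize(src):
    tokens, pos, src = [], 0, src.strip()
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if not m:
            raise SyntaxError(f"bad token at {pos}: {src[pos:]!r}")
        pos = m.end()
        idx = next(i for i, g in enumerate(m.groups()) if g is not None)
        tokens.append((KINDS[idx], m.group(idx + 1)))
    return tokens


class Parser:
    """clause := operand OP operand ; operand := $var | "str" | ident(operand, ...)"""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, kind=None, value=None):
        k, v = self.peek()
        if k is None or (kind and k != kind) or (value and v != value):
            raise SyntaxError(f"expected {kind} {value!r}, got {k} {v!r}")
        self.i += 1
        return v
    def clause(self):
        left, op, right = self.operand(), self.take("op"), self.operand()
        if self.peek()[0] is not None:
            raise SyntaxError("trailing tokens after clause")
        return ("clause", op, left, right)
    def operand(self):
        k, v = self.peek()
        if k == "var":
            return ("var", self.take()[1:])
        if k == "str":
            return ("str", self.take())
        if k == "ident":
            name = self.take()
            self.take("punct", "(")
            args = [self.operand()]
            while self.peek() == ("punct", ","):
                self.take()
                args.append(self.operand())
            self.take("punct", ")")
            return ("call", name, args)
        raise SyntaxError(f"unexpected {k} {v!r}")


def fn_machine(_resolve, addr):
    """machine(): the part of an address after the @."""
    return addr.rpartition("@")[2]


def fn_dns(resolve, names, qtype):
    """dns(): look up every name of a comma-separated list, answers comma-joined."""
    answers = []
    for name in names.split(","):
        answers.extend(resolve(name, qtype))
    return ",".join(answers)


FUNCS = {"machine": fn_machine, "dns": fn_dns}
OPS = {
    "==": lambda a, b: a == b,
    "=~": lambda a, b: re.search(b, a) is not None,
    "<=": lambda a, b: a in b,              # left is a substring of right
    ">=": lambda a, b: b in a,              # right is a substring of left (post's example)
    "in": lambda a, b: a in b.split(","),   # added: left is an exact element of the list
}


def evaluate(node, env, resolve):
    kind = node[0]
    if kind == "var":
        return env[node[1]]
    if kind == "str":
        return node[1]
    if kind == "call":
        args = [evaluate(a, env, resolve) for a in node[2]]
        return FUNCS[node[1]](resolve, *args)
    _, op, left, right = node
    return OPS[op](evaluate(left, env, resolve), evaluate(right, env, resolve))


def check(clause_src, env, resolve):
    """Parse and evaluate one clause; True when the condition matches."""
    return evaluate(Parser(tokenize(clause_src)).clause(), env, resolve)


# Constructed DNS answers and session variables so the example runs offline.
FAKE_ZONE = {("example.org", "MX"): ["mx1.example.org", "mx2.example.org"],
             ("mx1.example.org", "A"): ["192.0.2.10"],
             ("mx2.example.org", "A"): ["192.0.2.20"]}
fake_resolve = lambda name, qtype: FAKE_ZONE.get((name, qtype), [])
ENV = {"rcpt": "user@example.org", "addr": "192.0.2.10"}
CLAUSE = 'dns(dns(machine($rcpt), "MX"), "A") >= $addr'

if __name__ == "__main__":
    print(check(CLAUSE, ENV, fake_resolve))
```

Running the post's clause with `$addr` set to 192.0.2.1 shows why the substring operator should not carry a whitelisting decision on its own: "192.0.2.1" is a substring of "192.0.2.10,192.0.2.20", so the clause matches a host that is not an MX at all. The added `in` operator splits the list and compares whole elements, and `$addr in dns(dns(machine($rcpt), "MX"), "A")` correctly fails for that address.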