Re: [milter-greylist] How To Whitelist a Dynamic IP Sender?
2008-02-28 by Matt Kettler

Bob Smith wrote:
> I was thinking of something like
>
> racl whitelist dns foo.dynip.com lookup 3h
>
> to ease the load.

So, you're trying to use milter-greylist's database to get around the fact that the DNS entry has a very short TTL. I don't know that that's a good solution from a technical correctness point of view. It's essentially a dirty, ugly hack.

> The actual IP address which corresponds to foo.dynip.com changes only when my home machine reboots and thus acquires another dynamic IP address. This is uncommon enough that a check on every incoming message is way too drastic.
>
> Is this design reasonable, or would you suggest something else?

If you can, I would suggest using SMTP AUTH or TLS instead. That would work no matter what your home IP address is, or how often it changes. On the bonus side, you can also use the SMTP AUTH on your MTA to allow relaying, if you need it, without making your server an open relay.

Fundamentally, I think the whole approach of trying to use forward DNS of a dyndns.org name to see if a particular host is your home PC is a bad solution. "Round peg badly hacked into square hole" comes to mind here.

Get your home PC to authenticate connections or at least identify itself with an SSL certificate. That's what these features of SMTP exist for. SMTP AUTH was created largely to identify authorized users that wander around across different IPs. TLS has a lot of other uses, but it's a DAMN solid way to validate a server is who it says without having to trust its IP. It has the advantage of being server-centric instead of user-centric like SMTP AUTH.

Depending on what your home PC is doing, one or the other should work. If it's running an email client, use SMTP AUTH. If it's running an email server, use TLS.
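As an added example, not from the thread: a greylist.conf fragment showing the DNS-lookup entry beside the SMTP AUTH and TLS ACLs the reply recommends. The `auth` and `tls` ACL keywords are assumed from milter-greylist's greylist.conf syntax; check greylist.conf(5) for the version in use.

```conf
# Added example (not from the original thread). ACL keywords follow
# milter-greylist's greylist.conf syntax as assumed here; verify against
# greylist.conf(5) before relying on them.

# Weak: whitelists whatever address foo.dynip.com resolves to, with the
# lookup cached for 3h. Any host that lands on that dynamic IP during the
# cache window is whitelisted, and a stale entry no longer matches the real
# home machine after it reboots onto a new address.
# racl whitelist dns foo.dynip.com lookup 3h

# Preferred: whitelist the authenticated session, not the IP address.

# Home machine running a mail client: it performs SMTP AUTH against the MTA,
# so the whitelist follows the credentials wherever the client connects from.
racl whitelist auth

# Home machine running its own MTA: it presents a TLS client certificate.
# The MTA (not milter-greylist) must be configured to request and verify
# client certificates; without that, this clause matches nothing useful.
racl whitelist tls

# Everything else is still subject to greylisting.
racl greylist default
```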