Yahoo Groups archive

Milter-greylist

Index last updated: 2026-04-28 23:32 UTC

Message

Re: [milter-greylist] Suggested improvements to dacl processing: what do you prefer?

2009-10-25 by Fredrik Pettai

On Oct 25, 2009, at 8:23 AM, manu@... wrote:
> Rudy Eschauzier <reschauzier@...> wrote:
>
> > 1. Introduce a new keyword, e.g 'skipdacl'
> >
> > 2. Only have messages that get greylisted by a racl command pass  
> through
> > the dacl stage. All globally whitelisted messages (through auth or  
> global
> > spf for example) whill skip dacl, as will auto-white listed  
> messages.
> >
> > 3. Base the precedence of dacl over racl commands on the line  
> number.
>
> I have concerns with options 2 and 3 because they modify the way
> existing setups work. skipdacl looks better to me (I disklike the  
> name,
> though, but this is not a big concern)"
>
I'm for option 3, or an way that gets that functionality to mix racls  
& dacls, since I think it adds more flexibility, at least for the dkim  
& body case as I see it.

Today, or at least then I tested this, racls will greylist all mails  
(then using racl greylist default) unless they are whitelisted by the  
configuration. When having the philosophy "whitelist all known or  
trusted sources, give penalty to known spam sources, and greylist the  
rest", the dacl with the rules for checking for example dkim, will  
become more or less useless. So, in order to do whitelisting of dkim,  
I have to skip the racl stage (racl whitelist default). And then I  
loose the major benefit of using greylisting, which of course I don't  
want to.

Mixing racl and dacl will be more CPU intensive than doing them in the  
current order, but I think it adds more flexibility if it's possible  
to be able to do whitelisting (or greylisting and perhaps even  
blacklisting) on both RCPT and DATA before falling back on the default.

As an example, I would like to be able to do something similar to this.
(where the acls are parsed in linear order)

racl whitelist list "my network"
racl whitelist list "awl admin recipients"
racl whitelist list "broken mta"
dacl whitelist dkim pass
dacl whitelist body /^-----BEGIN PGP.*MESSAGE-----$/
racl greylist sm_macro "maybe_forged" delay 1h autowhite 3d
racl greylist dnsrbl "SPAMHAUS" delay 24h autowhite 3d
dacl greylist dkim fail delay 1h autowhite 3d
*acl greylist default delay 30m autowhite 30d

*I think "racl greylist default" would be misleading in this  
configuration case. Correct me if I'm wrong here, but I also believe  
that the way "racl greylist default delay ... autowhite ..." works,  
wasn't possible to configure with dacl (see it as another suggestion  
for enhancement :-)).

Regards,
/P

Attachments

  • No local attachments were found for this message.

Move to quarantaine

This moves the raw source file on disk only. The archive index is not changed automatically, so you still need to run a manual refresh afterward.