Using ACLs for blacklisting
2005-06-29 by Matthias Scheler
Yahoo Groups archive
2005-06-29 by Matthias Scheler
Hello,

I really like the flexibility of the ACLs in "milter-greylist" 2.0. It would be nice to be able to use them for filtering e-mails, too, by adding "acl blacklist" which will return a 5xx error.

Opinions?

Kind regards

--
Matthias Scheler
http://scheler.de/~matthias/
2005-06-29 by manu@netbsd.org
Matthias Scheler <tron@...> wrote:
> I really like the flexibility of the ACLs in "milter-greylist" 2.0.
> It would be nice to be able to use them for filtering e-mails, too,
> by adding "acl blacklist" which will return a 5xx error.

So far my opinion was that other tools were doing it better, but it's true that with ACLs, blacklists could be a damn nifty tool here that no other tool I know about currently does.

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...
2005-06-29 by Matt Kettler
Matthias Scheler wrote:
> Hello,
>
> I really like the flexibility of the ACLs in "milter-greylist" 2.0.
> It would be nice to be able to use them for filtering e-mails, too,
> by adding "acl blacklist" which will return a 5xx error.
>
> Opinions?

I like that idea. Although it at first sounds like you could implement this in /etc/mail/access, this is considerably more flexible.

By having it in milter-greylist, you can take advantage of ACL order to whitelist and/or greylist some addresses first, then blacklist others.

You can also take advantage of the flexible syntax (regular expressions, etc.)
2005-06-29 by Dan Hollis
On Wed, 29 Jun 2005 manu@... wrote:
> Matthias Scheler <tron@...> wrote:
> > I really like the flexibility of the ACLs in "milter-greylist" 2.0.
> > It would be nice to be able to use them for filtering e-mails, too,
> > by adding "acl blacklist" which will return a 5xx error.
> So far my opinion was that other tools were doing it better, but it's
> true that with ACLs, blacklists could be a damn nifty tool here that no
> other tool I know about currently does.

If milter-greylist could also blacklist, it means there's one less milter people have to run. Also, the blacklist milters I've run all seem to suck badly. milter-greylist supporting blacklists would be much better...

-Dan
2005-06-29 by Dan Hollis
On Wed, 29 Jun 2005, Matt Kettler wrote:
> I like that idea. Although it at first sounds like you could implement this in
> /etc/mail/access, this is considerably more flexible.
>
> By having it in milter-greylist, you can take advantage of ACL order to
> whitelist and/or greylist some addresses first, then blacklist others.
>
> You can also take advantage of the flexible syntax (regular expressions, etc.)

Yes, milter-greylist syntax is much more flexible and convenient than /etc/mail/access. For instance you can do netmasks in greylist.conf and you cannot do it in /etc/mail/access. That alone is worth it.

-Dan
2005-06-30 by Matthias Scheler
On Wed, Jun 29, 2005 at 05:21:28PM -0400, Matt Kettler wrote:
> Although it at first sounds like you could implement this in
> /etc/mail/access, ...

That's what I'm using now.

> ... this is considerably more flexible.

Exactly.

> You can also take advantage of the flexible syntax (regular expressions,
> etc.)

Yes, *and* multiple criteria. "/etc/mail/access" can only check for one thing.

BTW: how difficult would it be to add an "acl" filter for the "HELO" parameter? I'm thinking of adding something like ...

acl blacklist helo zhadum.de

... to my setup.

Kind regards

--
Matthias Scheler
http://scheler.de/~matthias/
2005-06-30 by Emmanuel Dreyfus
On Thu, Jun 30, 2005 at 11:05:01AM +0100, Matthias Scheler wrote:
> BTW: how difficult would it be to add an "acl" filter for the "HELO" parameter?
>
> I'm thinking of adding something like ...
>
> acl blacklist helo zhadum.de
>
> ... to my setup.

I feel the smell of bloatware :-)

Another approach would be to write a second milter, called milter-acl, which would reuse milter-greylist's ACL code to only handle blacklist and whitelist.

What are the benefits of having both functionalities in the same milter?

--
Emmanuel Dreyfus
manu@...
2005-06-30 by Dan Hollis
On Thu, 30 Jun 2005, Emmanuel Dreyfus wrote:
> On Thu, Jun 30, 2005 at 11:05:01AM +0100, Matthias Scheler wrote:
> > BTW: how difficult would it be to add an "acl" filter for the "HELO" parameter?
> > I'm thinking of adding something like ...
> > acl blacklist helo zhadum.de
> > ... to my setup.
> I feel the smell of bloatware :-)
> Another approach would be to write a second milter, called milter-acl,
> which would reuse milter-greylist's ACL code to only handle blacklist
> and whitelist.
> What are the benefits of having both functionalities in the same milter?

Less code redundancy
Fewer points of failure (more daemons = more failure)
Less memory usage (fewer daemons = less memory)
More CPU efficient (fewer milters = less parsing the same message over and over)
Fewer config files to mangle and maintain

IMO milter-greylist could just be renamed milter-acl. It is already a complete ACL system, only missing the blacklist feature.

-Dan
2005-06-30 by Elrond
--- In milter-greylist@yahoogroups.com, Emmanuel Dreyfus <manu@n...> wrote:
> I feel the smell of bloatware :-)

Exactly what I smelled...

I hear there's mime-defang for doing this sort of stuff. Anyone used it?

> What are the benefits of having both functionalities in the same milter?

I rather see the problem here:

Currently milter-greylist can only delay mails, but never "kill" them. That's good after all.

Adding the possibility of blacklisting opens it up to "Hey! Was it milter-greylist which killed my valid mail?!". Now you can simply say "No, there's no way for it to permanently reject mail. It will only temporarily reject it. And you should have gotten a warning if it did so for too long."
2005-06-30 by Emmanuel Dreyfus
On Thu, Jun 30, 2005 at 11:20:56AM -0000, Elrond wrote:
> --- In milter-greylist@yahoogroups.com, Emmanuel Dreyfus <manu@n...>
> wrote:
> > I feel the smell of bloatware :-)
> Exactly what I smelled...

But it integrates not so badly. I drafted a patch for blacklist support in 30 minutes; the diff is only 210 lines long. I'll publish it later today.

> Adding the possibility of blacklisting opens it up to "Hey! Was it
> milter-greylist which killed my valid mail?!". Now you can simply say
> "No, there's no way for it to permanently reject mail. It will only
> temporarily reject it. And you should have gotten a warning if it
> did so for too long."

OTOH, if you don't use the "blacklist" keyword, it cannot reject.

--
Emmanuel Dreyfus
manu@...
2005-06-30 by Fredrik Nyberg DC
Elrond wrote:
> --- In milter-greylist@yahoogroups.com, Emmanuel Dreyfus <manu@n...>
> wrote:
>
>> I feel the smell of bloatware :-)
>
> Exactly what I smelled...
>
> I hear there's mime-defang for doing this sort of stuff.
> Anyone used it?

Yes, but MIMEDefang is single-threaded Perl with a C multiplexor. The memory footprint is huge compared to C, and a milter that only parses ACLs for blacklisting will be puny, since it will only use the smfi_helo callback and the ACL-parsing routines.

>> What are the benefits of having both functionalities in the same milter?
>
> I rather see the problem here:
>
> Currently milter-greylist can only delay mails, but never "kill" them.
> That's good after all.
> Adding the possibility of blacklisting opens it up to "Hey! Was it
> milter-greylist which killed my valid mail?!". Now you can simply say
> "No, there's no way for it to permanently reject mail. It will only
> temporarily reject it. And you should have gotten a warning if it
> did so for too long."

I would agree. I wrote a milter in C for using amavisd and spamd and some other stuff and I can't recommend feature bloat. The project died due to inflexibility of C, and we now use said MIMEDefang.

Also, if a milter fails, it is easy to determine why if the milter only does one thing.

So I would recommend small milters in C or bloatware in some other language or framework. CPU and memory will tend to get cheaper; your labor will (hopefully) not.

My two cents.

Cheers,
Fredrik Nyberg
2005-06-30 by William F. Dudley Jr.
If this is a democracy, then I vote in favor of the blacklist feature.

This opens up some neat possibilities with reading /var/log/maillog and using information gleaned from that to dynamically update the blacklist entries. See http://www.acme.com/mail_filtering/ for some examples of how to do this.

Bill Dudley

> On Thu, Jun 30, 2005 at 11:20:56AM -0000, Elrond wrote:
> > --- In milter-greylist@yahoogroups.com, Emmanuel Dreyfus <manu@n...>
> > wrote:
> > > I feel the smell of bloatware :-)
> > Exactly what I smelled...
>
> But it integrates not so badly. I drafted a patch for blacklist support in
> 30 minutes; the diff is only 210 lines long. I'll publish it later today.
>
> > Adding the possibility of blacklisting opens it up to "Hey! Was it
> > milter-greylist which killed my valid mail?!". Now you can simply say
> > "No, there's no way for it to permanently reject mail. It will only
> > temporarily reject it. And you should have gotten a warning if it
> > did so for too long."
>
> OTOH, if you don't use the "blacklist" keyword, it cannot reject.
>
> --
> Emmanuel Dreyfus
> manu@...
2005-06-30 by Matt Kettler
Emmanuel Dreyfus wrote:
> On Thu, Jun 30, 2005 at 11:05:01AM +0100, Matthias Scheler wrote:
>
>>BTW: how difficult would it be to add an "acl" filter for the "HELO" parameter?
>>
>>I'm thinking of adding something like ...
>>
>>acl blacklist helo zhadum.de
>>
>>... to my setup.
>
>
> I feel the smell of bloatware :-)
I would agree, but this should be a fairly lightweight feature, and has lots of
flexibility a separate milter would not have.
>
> An other approach would be to write a second milter, called milter-acl,
> which would reuse milter-greylist's ACL code to only handle blacklist
> and whitelist.
>
> What are the benefits of having both functionalities in the same milter?
Read the thread from the top up.. it's all about order-of-operations.
Think about how you'd get this effect using your solution.
(pardon the pseudo-code notation, it's done for simplicity)
white user@...
grey [a-z]{0,9}@...
black *@...
grey *@...
You couldn't. The inter-woven iterations of white, grey, and black here are
impossible to reproduce without being one milter.
I can come up with considerably more complex ACLs here that would back-and-forth
the features numerous times for the same domain, breaking out sub-classes of
users, etc.
2005-06-30 by Dan Hollis
On Thu, 30 Jun 2005, Emmanuel Dreyfus wrote:
> OTOH, if you don't use the "blacklist" keyword, it cannot reject.

Exactly.

-Dan
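Matt Kettler's order-of-operations argument above (the first matching rule wins, so whitelist, greylist and blacklist rules can be interleaved), Dan Hollis' netmask point and Matthias' proposed HELO criterion, as an added Python example that is not part of this thread nor of milter-greylist. The `acl <action> <field> <pattern>` mini-language, the regexes (one concrete reading of Matt's pseudo-code) and every address, domain and client IP are constructed stand-ins, not greylist.conf syntax or real data. `evaluate_split` models Emmanuel's separate "milter-acl" proposal, where a blacklist-only milter runs ahead of the greylisting one, to show what the split loses.

```python
"""First-match ACL evaluation: whitelist / greylist / blacklist in one ruleset.

Added illustration; the rule syntax below is a simplified stand-in and not
milter-greylist's real greylist.conf grammar. All sample data is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

ACTIONS = ("whitelist", "greylist", "blacklist")
FIELDS = ("from", "rcpt", "addr", "helo")


@dataclass(frozen=True)
class Rule:
    action: str   # what to do when the rule matches
    field: str    # which part of the SMTP envelope to test
    pattern: str  # literal, /regex/, or a CIDR prefix for "addr"


def parse_rule(line: str) -> Rule:
    """Parse one 'acl <action> <field> <pattern>' line (hypothetical syntax)."""
    parts = line.split()
    if len(parts) != 4 or parts[0] != "acl":
        raise ValueError(f"malformed rule: {line!r}")
    action, field, pattern = parts[1:]
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r} in {line!r}")
    if field not in FIELDS:
        raise ValueError(f"unknown field {field!r} in {line!r}")
    if field == "addr":
        ipaddress.ip_network(pattern, strict=False)  # reject a bad prefix at load time
    return Rule(action, field, pattern)


def matches(rule: Rule, envelope: dict) -> bool:
    """True if the envelope value for rule.field satisfies rule.pattern."""
    value = envelope[rule.field]
    if rule.field == "addr":
        # Netmask matching, which /etc/mail/access cannot express.
        return ipaddress.ip_address(value) in ipaddress.ip_network(rule.pattern, strict=False)
    if len(rule.pattern) >= 2 and rule.pattern[0] == rule.pattern[-1] == "/":
        return re.search(rule.pattern[1:-1], value, re.IGNORECASE) is not None
    return value.lower() == rule.pattern.lower()


def evaluate(rules, envelope, default="greylist"):
    """Single-milter semantics: the first matching rule decides, whatever its action."""
    for rule in rules:
        if matches(rule, envelope):
            return rule.action
    return default


def evaluate_split(rules, envelope, default="greylist"):
    """Two-milter semantics: a blacklist-only milter runs first and rejects on any
    match; only what it lets through reaches the whitelist/greylist milter.
    The relative order of blacklist and whitelist rules is lost."""
    black = [r for r in rules if r.action == "blacklist"]
    rest = [r for r in rules if r.action != "blacklist"]
    if evaluate(black, envelope, default=None) == "blacklist":
        return "blacklist"
    return evaluate(rest, envelope, default)


# Matt's interleaved white/grey/black/grey list, plus a netmask rule and the
# proposed HELO rule, in the hypothetical syntax (constructed sample ruleset).
RULESET = [parse_rule(line) for line in (
    "acl whitelist addr 192.0.2.0/24",
    "acl whitelist from postmaster@example.org",
    "acl blacklist helo zhadum.de",
    "acl greylist from /^[a-z]{1,9}@example\\.org$/",
    "acl blacklist from /@example\\.org$/",
    "acl greylist from /.*/",
)]


def make_envelope(sender, addr="198.51.100.7", helo="mail.example.net"):
    """Build a constructed SMTP envelope for the fields the rules test."""
    return {"from": sender, "rcpt": "user@example.com", "addr": addr, "helo": helo}


if __name__ == "__main__":
    for env in (make_envelope("postmaster@example.org"),
                make_envelope("alice@example.org"),
                make_envelope("marketing-blast@example.org"),
                make_envelope("anyone@example.net", helo="zhadum.de"),
                make_envelope("anyone@example.net", addr="192.0.2.10"),
                make_envelope("anyone@example.net")):
        print(f"{env['from']:30} {env['addr']:13} {env['helo']:18} "
              f"one milter: {evaluate(RULESET, env):9}  two milters: {evaluate_split(RULESET, env)}")
```

Running the block prints one line per sample envelope. The postmaster row is the interesting one: with a single ordered ACL it is whitelisted by rule 2, but with a blacklist-only milter in front it is rejected by the `/@example\.org$/` rule before the whitelist is ever consulted, which is exactly the effect Matt says cannot be reproduced across two milters.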
2005-06-30 by manu@netbsd.org
William F. Dudley Jr. <bill@...> wrote:
> If this is a democracy, then I vote in favor of the blacklist feature.

It's as democratic as the European Union: you can tell your opinion, but at the end, the decision is taken by self-appointed technocrats. :-)

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...
2005-06-30 by Elrond
--- In milter-greylist@yahoogroups.com, Emmanuel Dreyfus <manu@n...>
wrote:
> OTOH, if you don't use the "blacklist" keyword, it cannot reject.
Well, part of what I meant was "dummy users".
With blacklisting in the milter, it's easy to screw your mailsystem up.
Without it, there's exactly one way: Set the greylist interval to
about 3 to 5 days.

Elrond
2005-06-30 by Elrond
> It's as democratic as the European Union: you can tell your opinion, but
> at the end, the decision is taken by self-appointed technocrats. :-)
*G*
May I cite you with these two lines?
Elrond
2005-06-30 by Dan Hollis
On Thu, 30 Jun 2005, Elrond wrote:
> --- In milter-greylist@yahoogroups.com, Emmanuel Dreyfus <manu@n...>
> wrote:
> > OTOH, if you don't use the "blacklist" keyword, it cannot reject.
> Well, part of what I meant was "dummy users".
> With blacklisting in the milter, it's easy to screw your mailsystem up.
> Without it, there's exactly one way: Set the greylist interval to
> about 3 to 5 days.

This is the same risk with any filter (procmail, sendmail access, etc). Preventing users from doing dangerous things also prevents them from doing useful things. It's not a sufficient argument against implementing such features (or, might as well remove 'su' from all unix systems).

-Dan
2005-07-01 by manu@netbsd.org
Elrond <yahoo.com@...> wrote:
> > It's as democratic as the European Union: you can tell your opinion, but
> > at the end, the decision is taken by self-appointed technocrats. :-)
>
> *G*
>
> May I cite you with these two lines?

Of course. You are also encouraged to translate and spread my thought on the European constitution: http://hcpnet.free.fr/tece (summary: it's unacceptable, because it's anti-democratic)

--
Emmanuel Dreyfus
Subliminal advertising: buy this book! http://www.eyrolles.com/Informatique/Livre/9782212114638/livre-bsd.php
manu@...