Yahoo Groups archive

Milter-greylist

Index last updated: 2026-04-28 23:32 UTC


"multi-list" RBLs and milter-greylist.


2006-10-26 by Matt Kettler

I'm finally (thanks to Emanuel's patch in RC6) about to implement
milter-greylist 3.x.

In doing this, I'm looking to add several DNSRBLs to my setup for greylisting.

There are several DNSRBLs out there that return multiple lists at once.

Most of these work by returning one A record per matching RBL. Although a few
RBLs work in a bitwise-or fashion to create a single record, I'll ignore them
for now.

My question is, if I include multiple DNSRBL ACLs all using the same list, but
testing different values, will milter-greylist do multiple queries? Or will it
do one and save the results and each other check will just look at the existing
data?


i.e.: the SBL-XBL list can return one of 4 different codes. So I might make ACLs
like this:

dnsrbl "SPAMHAUS SBL"  sbl-xbl.spamhaus.org 127.0.0.2
acl greylist dnsrbl "SPAMHAUS SBL" delay 4h

dnsrbl "SPAMHAUS XBL CBL"  sbl-xbl.spamhaus.org 127.0.0.4
acl greylist dnsrbl "SPAMHAUS XBL CBL" delay 4h

dnsrbl "SPAMHAUS XBL NJABL"  sbl-xbl.spamhaus.org 127.0.0.5
acl greylist dnsrbl "SPAMHAUS XBL NJABL" delay 4h

#note: code 6 seems unused now, but I'm including for completeness
dnsrbl "SPAMHAUS XBL OTHER"  sbl-xbl.spamhaus.org 127.0.0.6
acl greylist dnsrbl "SPAMHAUS XBL OTHER" delay 4h


Would this be efficient in milter-greylist?

If not, is there a way in the dnsrbl section to include a range of matches?

ie:

dnsrbl "SPAMHAUS SBLXBL"  sbl-xbl.spamhaus.org 127.0.0.[2456]



Also, on the side of efficiency, if a message gets greylisted, whitelisted, etc,
by a rule early in the file before reaching the dnsrbl, will there be a DNS
query, or will it be skipped?

Re: [milter-greylist] "multi-list" RBLs and milter-greylist.

2006-10-27 by Raul Dias

> My question is, if I include multiple DNSRBL ACLs all using the same list, but
> testing different values, will milter-greylist do multiple queries? Or will it
> do one and save the results and each other check will just look at the existing
> data?

Haven't seen the code, but I bet it would do several queries.

Even if MG caches the data it shouldn't need to, you should be running a
local DNS cache system.  This will offload unnecessary traffic to the
RBL servers.


-Raul Dias

Re: [milter-greylist] "multi-list" RBLs and milter-greylist.

2006-10-27 by manu@netbsd.org

Raul Dias <raul@...> wrote:

> Even if MG caches the data it shouldn't need to, you should be running a
> local DNS cache system.  This will offload unnecessary traffic to the
> RBL servers.

Even if you don't have a local DNS on the machine, redundant requests
load your site's DNS, not the RBL one.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [milter-greylist] "multi-list" RBLs and milter-greylist.

2006-10-27 by Matt Kettler

manu@... wrote:
> Raul Dias <raul@...> wrote:
> 
>> Even if MG caches the data it shouldn't need to, you should be running a
>> local DNS cache system.  This will offload unnecessary traffic to the
>> RBL servers.
> 
> Even if you don't have a local DNS on the machine, redundant requests
> load your site's DNS, not the RBL one.
> 

True.. and I do have a caching nameserver on the same host.

I was mostly thinking of it from a local load standpoint. Trying to structure my
ACLs to be as efficient as possible.


That said, nobody answered my second question:

> Also, on the side of efficiency, if a message gets greylisted, whitelisted, etc,
>  by a rule early in the file before reaching the dnsrbl, will there be a DNS
> query, or will it be skipped?

i.e.: is it worth trying to put a few static rules ahead of the RBL query to try
to reduce the load, or is that pointless?

Re: [milter-greylist] "multi-list" RBLs and milter-greylist.

2006-10-27 by manu@netbsd.org

Matt Kettler <mkettler@...> wrote:

> > Also, on the side of efficiency, if a message gets greylisted,
> > whitelisted, etc, by a rule early in the file before reaching the
> > dnsrbl, will there be a DNS query, or will it be skipped?

No, the current code is quite dumb and it will always do a DNS request
when going through an acl dnsrbl line.
 
-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...
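
The behaviour asked about in this thread (one lookup per client and zone, shared by several return-code rules), sketched as an added example; it is not code from any post or from milter-greylist. The class and function names, the sample addresses and the offline resolver are assumptions made for illustration; the zone, rule names and codes come from the ACLs in the first post.

```python
import ipaddress

def dnsbl_qname(client_ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

class DnsblCache:
    """Memoize A-record answers per query name so several rules share one lookup.
    Meant to live for one SMTP transaction, so no TTL handling is done here."""

    def __init__(self, resolve):
        self.resolve = resolve   # callable: qname -> iterable of A-record strings
        self.answers = {}        # qname -> frozenset of returned addresses
        self.queries = 0         # lookups actually handed to the resolver

    def lookup(self, client_ip, zone):
        qname = dnsbl_qname(client_ip, zone)
        if qname not in self.answers:          # "not listed" is cached as well
            self.queries += 1
            self.answers[qname] = frozenset(self.resolve(qname))
        return self.answers[qname]

    def matches(self, client_ip, zone, codes):
        """True if any returned A record is one of the wanted return codes."""
        return bool(self.lookup(client_ip, zone) & set(codes))

# Constructed sample data: 192.0.2.10 is listed with two codes at once.
SAMPLE_ZONE = {"10.2.0.192.sbl-xbl.spamhaus.org": ["127.0.0.2", "127.0.0.4"]}

def fake_resolve(qname):
    """Offline stand-in for a DNS A query; NXDOMAIN is an empty answer."""
    return SAMPLE_ZONE.get(qname, [])

# Rule names and return codes as written in the first post's ACLs.
RULES = {
    "SPAMHAUS SBL": ["127.0.0.2"],
    "SPAMHAUS XBL CBL": ["127.0.0.4"],
    "SPAMHAUS XBL NJABL": ["127.0.0.5"],
    "SPAMHAUS XBL OTHER": ["127.0.0.6"],
}

def evaluate(cache, client_ip, zone="sbl-xbl.spamhaus.org"):
    """Return the names of all rules that match, using the shared cache."""
    return [name for name, codes in RULES.items()
            if cache.matches(client_ip, zone, codes)]

if __name__ == "__main__":
    cache = DnsblCache(fake_resolve)
    print(evaluate(cache, "192.0.2.10"), "queries sent:", cache.queries)
```
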
