Yahoo Groups archive

Milter-greylist

How to build a whitelist from Windows Active Directory

2007-04-30 by Christopher A. Martin

Hello the list!

For anyone who's interested in generating a whitelist or greylist from
Active Directory using OpenLDAP (the example below is for a whitelist),
here's a script that should work (please excuse any mangled line
feeds!). The part 1 and 2 files were derived from greylist.conf.sample.
The script doesn't actually instate the conf file and restart the
greylist milter as this is done in the cron script that calls this
script.


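#!/bin/sh
# /usr/local/bin/get_ad_emails

# Remove output left over from the previous run (-f: no error if absent)
rm -f /tmp/ldapdump.txt
rm -f /tmp/alluseremails.txt

# Dump proxyAddresses for every person under ou=Staff.
# -w puts the bind password on the command line, where local users can see it
# in the process list; ldapsearch -y <file> reads it from a file instead.
ldapsearch -H ldap://dc.domain.tld -x -D "user@..." -b "ou=Staff,dc=domain,dc=tld" \
    -w password -s sub "(objectclass=person)" proxyAddresses > /tmp/ldapdump.txt

# Keep only addresses in our mail domain and strip the attribute prefix
cat /tmp/ldapdump.txt | grep @emaildomain | sed 's/proxyAddresses: SMTP:/ /' \
    | sed 's/proxyAddresses: smtp:/ /' > /tmp/alluseremails.txt

# Assemble the new config: part1 + generated whitelist + part2
rm -f /usr/local/etc/mail/greylist.conf.new
cat /usr/local/etc/mail/greylist.conf.part1 >> /usr/local/etc/mail/greylist.conf.new
printf "\n" >> /usr/local/etc/mail/greylist.conf.new
printf "# Whitelist\n" >> /usr/local/etc/mail/greylist.conf.new
# Single quotes keep the double quotes literal; \\ prints one backslash
printf 'list "local users" rcpt {  \\' >> /usr/local/etc/mail/greylist.conf.new
printf "\n" >> /usr/local/etc/mail/greylist.conf.new
# Every address line ends in " \" to continue the list
cat /tmp/alluseremails.txt | sed 's/$/ \\/g' >> /usr/local/etc/mail/greylist.conf.new
printf "}\n" >> /usr/local/etc/mail/greylist.conf.new
printf "\n" >> /usr/local/etc/mail/greylist.conf.new
cat /usr/local/etc/mail/greylist.conf.part2 >> /usr/local/etc/mail/greylist.conf.new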


Hope this saves someone else some pain!

Chris Martin
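
An added example (not part of the original post) of the extraction step with the directory values validated before they reach greylist.conf: it unfolds wrapped LDIF lines, accepts only plain addresses in the mail domain, and refuses to emit an empty list. The function names, the sample LDIF and the emaildomain.tld domain are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Sample data and function names are constructed.
# Constructed ldapsearch output: folded line, X400 entry, foreign domain,
# and a value carrying characters that have meaning in greylist.conf.
sample_ldif() {
cat <<'EOF'
dn: CN=Alice,OU=Staff,DC=domain,DC=tld
proxyAddresses: SMTP:Alice@emaildomain.tld
proxyAddresses: smtp:alice.long.alias@emaildo
 main.tld
proxyAddresses: X400:c=AU;p=Org;s=Alice;

dn: CN=Bob,OU=Staff,DC=domain,DC=tld
proxyAddresses: smtp:bob@other.tld
proxyAddresses: smtp:bob@emaildomain.tld } # stray text
EOF
}

# extract_addrs DOMAIN: LDIF on stdin, validated lowercase addresses on stdout.
extract_addrs() {
    awk -v dom="$1" '
        /^ / { buf = buf substr($0, 2); next }   # unfold LDIF continuation lines
        { emit(buf); buf = $0 }
        END { emit(buf) }
        function emit(line,   a) {
            if (tolower(substr(line, 1, 21)) != "proxyaddresses: smtp:") return
            a = tolower(substr(line, 22))
            # Conservative address shape: nothing that could alter the config syntax.
            if (a !~ /^[a-z0-9._+-]+@[a-z0-9.-]+$/) {
                print "skipped: " line > "/dev/stderr"; return
            }
            if (substr(a, index(a, "@") + 1) == tolower(dom)) print a
        }' | LC_ALL=C sort -u
}

# render_list: wrap addresses from stdin in the list block the script writes.
render_list() {
    printf 'list "local users" rcpt { \\\n'
    sed 's/$/ \\/'
    printf '}\n'
}

# build_list DOMAIN: fail rather than emit an empty list if the query returned nothing.
build_list() {
    addrs=$(extract_addrs "$1")
    [ -n "$addrs" ] || { echo "no addresses found; keep the old config" >&2; return 1; }
    printf '%s\n' "$addrs" | render_list
}

sample_ldif | build_list emaildomain.tld
```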

Re: [milter-greylist] How to build a whitelist from Windows Active Directory

2007-04-30 by Emmanuel Dreyfus

On Mon, Apr 30, 2007 at 04:11:50PM +1000, Christopher A. Martin wrote:
> For anyone who's interested in generating a whitelist or greylist from
> Active Directory using OpenLDAP (the example below is for a whitelist),

You know that latest versions of milter-greylist are able to dynamically
query a LDAP directory, right? It's even possible to make per-recipient
whitelists.

-- 
Emmanuel Dreyfus
manu@...

RE: [milter-greylist] How to build a whitelist from Windows Active Directory

2007-04-30 by Christopher A. Martin

I had noticed it on the to-do list at
http://hcpnet.free.fr/milter-greylist/ but there isn't much info there,
not even sample configs or howtos. I also checked the README and
couldn't find any references to LDAP, so I assumed that it wasn't ready
for production environments, or the version that had the feature hadn't
been released into FreeBSD ports.

 

Also, wouldn't the LDAP queries take a (relatively) long time and a lot
(relatively) more resources than this method, or are the
differences/loads in question not worth comparing/worrying about? We are
a high traffic site but only about 150 active addresses, so I would have
thought this method more suitable anyway, but, again, it might not be
enough to worry about.

 

I am glad to at least have greylisting working, now, which has cut our
quarantine count down to about 100 a day requiring human oversight.

 

________________________________
From: milter-greylist@yahoogroups.com
[mailto:milter-greylist@yahoogroups.com] On Behalf Of Emmanuel Dreyfus
Sent: Monday, 30 April 2007 4:32 PM
To: milter-greylist@yahoogroups.com
Subject: Re: [milter-greylist] How to build a whitelist from Windows
Active Directory

 

On Mon, Apr 30, 2007 at 04:11:50PM +1000, Christopher A. Martin wrote:
> For anyone who's interested in generating a whitelist or greylist from
> Active Directory using OpenLDAP (the example below is for a
> whitelist),

You know that latest versions of milter-greylist are able to dynamically
query a LDAP directory, right? It's even possible to make per-recipient
whitelists.

-- 
Emmanuel Dreyfus
manu@...

Re: [milter-greylist] How to build a whitelist from Windows Active Directory

2007-04-30 by Emmanuel Dreyfus

On Mon, Apr 30, 2007 at 11:43:51PM +1000, Christopher A. Martin wrote:
> I had noticed it on the to-do list at
> http://hcpnet.free.fr/milter-greylist/ but there isn't much info there,
> not even sample configs or howtos. I also checked the README and
> couldn't find any references to LDAP, so I assumed that it wasn't ready
> for production environments, or the version that had the feature hadn't
> been released into FreeBSD ports.

It's 4.0 alpha2, you can get it from FTP.

In order to make LDAP queries, you need to configure --with-libcurl, then
you can use the urlcheck feature with an LDAP URL.

> Also, wouldn't the LDAP queries take a (relatively) long time and a lot
> (relatively) more resources than this method, or are the
> differences/loads in question not worth comparing/worrying about? We are
> a high traffic site but only about 150 active addresses, so I would have
> thought this method more suitable anyway, but, again, it might not be
> enough to worry about.

I use a local replica (no SSL, no authentication)

-- 
Emmanuel Dreyfus
manu@...
