Milter-greylist

here are some features I think would be nice to add one day in a release 
of milter-greylist:

- sender MX validity : the idea is to able to identify sender domains 
whose MX is "bad", ie points to at least one IP pertaining to an 
IANA-reserved block : loopback, private use, multicast, broadcast, 
testing, link-local, and so on (see http://www.faqs.org/rfcs/rfc3330.html).
Care should be taken to account for CNAME nesting (with max recursion 
counter and loop detection), DNS temporary failures, and IPv6 counterparts.
Sendmail 8.14 introduced such feature, but adding it to milter-greylist 
is still interesting because of integration in ACL system.

example of use :

	racl blacklist mx bad msg "invalid sender MX"


- sender MX client matching : the idea is to setup a poor man's SPF 
check for domains who don't publish SPF records, and have the same 
servers for inbound and outbound traffic (a quite common case): if a 
mail from domain foo.bar comes from an IP which is listed as MX for 
foo.bar, then we can quite trust it and skip greylisting. An example of 
use :

	racl whitelist mx match


Of course above examples are only suggestions, the actual syntax may differ.

-- 
Ce message a ete verifie par MailScanner
pour des virus ou des polluriels et rien de
suspect n'a ete trouve.

Benoit Branciard schreef:
> here are some features I think would be nice to add one day in a release 
> of milter-greylist:
> 
> - sender MX validity : the idea is to able to identify sender domains 
> whose MX is "bad", ie points to at least one IP pertaining to an 
> IANA-reserved block : loopback, private use, multicast, broadcast, 
> testing, link-local, and so on (see http://www.faqs.org/rfcs/rfc3330.html).
> Care should be taken to account for CNAME nesting (with max recursion 
> counter and loop detection), DNS temporary failures, and IPv6 counterparts.
> Sendmail 8.14 introduced such feature, but adding it to milter-greylist 
> is still interesting because of integration in ACL system.
> 
> example of use :
> 
> 	racl blacklist mx bad msg "invalid sender MX"
> 
> 
> - sender MX client matching : the idea is to setup a poor man's SPF 
> check for domains who don't publish SPF records, and have the same 
> servers for inbound and outbound traffic (a quite common case): if a 
> mail from domain foo.bar comes from an IP which is listed as MX for 
> foo.bar, then we can quite trust it and skip greylisting. An example of 
> use :
> 
> 	racl whitelist mx match
> 
> 
> Of course above examples are only suggestions, the actual syntax may differ.

If we can verify the sender ip address is matching the MX record for the 
   sending domain, then whitelist the message. It works better in 
practive when coupled with the -L command line modifier as this is very 
similar to the "mailfarm" problem.

I have this exact same approach active with a urlcheck feature, and in 
the last year I have been using this with a modest email load on about 
200 mailboxes.

I can attest that it works well, and also diminishes the impact 
greylisting would otherwise make. This, being a network admin, is a good 
thing.

We have public email addresses on our website (info@) and with this 
modification I see no perceive no rise in the amount of spam that 
arrives in that box.

It mainly brings benefits and less impact to normal mailserver 
operation. The PHP implementation of this code is viewable here: 
https://webmail.coltex.nl/spam/mxhostcheck.txt

The code is available under the BSD license. Only requirement for using 
it is the host binary.

Kind regards,

Seth

Benoit Branciard <benoit.branciard@...> wrote:

> - sender MX validity : the idea is to able to identify sender domains
> whose MX is "bad", ie points to at least one IP pertaining to an 
> IANA-reserved block : loopback, private use, multicast, broadcast, 
> testing, link-local, and so on (see http://www.faqs.org/rfcs/rfc3330.html).

Perhaps we could perform a lookup of the MX address against a DNSRBL,
and build a DNSRBL of IANA-reserved block? It would make updates a bit
easier.

The only problem is the case of domains with multiple MX, one of them
being bad. How should we handle that?

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

> Benoit Branciard <benoit.branciard@...> wrote:
>
>> - sender MX validity : the idea is to able to identify sender domains
>> whose MX is "bad", ie points to at least one IP pertaining to an
>> IANA-reserved block : loopback, private use, multicast, broadcast,
>> testing, link-local, and so on (see
>> http://www.faqs.org/rfcs/rfc3330.html).
>
> Perhaps we could perform a lookup of the MX address against a DNSRBL,
> and build a DNSRBL of IANA-reserved block? It would make updates a bit
> easier.

You mean like the widely available and maintained bogons list? The one
that lists the networks which are currently not assigned.

It already exists.

> The only problem is the case of domains with multiple MX, one of them
> being bad. How should we handle that?

I would ignore single bad records. The terms rbl, isps and accidents seem
to cross my mind. As in a whole ISP being blocked from sending or
receiving mail because a signle system ended up on a RBL.

I have seen this recurring on a number of cases here in the Netherlands
where a mail server from a ISP were tagged on a RBL because of dubious
reasons. This can have a very disruptive effect to email delivery.

A good compromise would be a balance. If there are more "bad" MX records
(rbl or other) then good MX records available greylist or blacklist.

e.g. where bad MX records > 0.5 good records.
racl mx blacklist badrbl 0.5

Cheers,

Seth

Benoit Branciard <benoit.branciard@...> wrote:

>       racl blacklist mx bad msg "invalid sender MX"
>       racl whitelist mx match

It seems we have various tests we want to perform against a domain's
MXes. Let's try to figure a configuration syntax general enough to avoid
the thing getting too messy.

Two ideas that need some feedback and improvement:

First idea:
Existing tests such as DNSRBL can be extended to work on various data:
sender IP, sender DNS, sender MX IP, sender MX DNS, and so on.

We could use format strings to help DNSRBL cover a larger range of
situations. We already have:
%i      sender IP address
%d      sender DNS address
%mf     sender e-mail domain
We could add:
%xi     MX IP address
%xd     MX DNS address
%n{}    a reversed dot-separated item. eg: if sender IP address is
10.1.2.3, %n{%i} gives you 3.2.1.10.
 
Then, DNSRBL definitions can be improved like this:
dnsrbl "foo" "%n{%i}.dnsrbl.example.com" 127.0.0.0/8

You'll note that this syntax accomodate the use of either DNSRBL or
RHSRBL, based on whatever you want: sender machine, MX, sender domain,
receiver domain.

Given that it would not work only for DNSRBL, perhaps it's time to
rename it (it would make config parsing a bit easier), and make it even
more general by allowing the DNS query type to be specified:
dnslookup "foo" "%n{%i}.dnsrbl.example.com" A 127.0.0.0/8

Problem to solve: for a given domain, MX is usually not unique. The %x
thing quickly tend to be difficult to define correctly. Suggestions
welcome.


Second idea:
Clauses are about matching a condition. We have different kind of tests,
with different syntaxes:
rcpt foo@...    variable, value 
rcptcount >= 2          variable, operator, value
dnsrbl "foo"            reference to a condition defined earlier.

Moreover, we have variables that can be set by the urlcheck clause
$foo >= 2

There is room for unifying a lot of things. instead of writing
rcpt foo@...
we could write
$rcpt == "foo@..."

Of course that looks heavier, but that opens the way for adding more
operators (== for exact match, =~ for regexp match, <= for substring
match), and we can think about adding functions and logical operators.

Example:
dns(dns(machine($rcpt), "MX"), "A") >= $addr

- $rcpt would be set up as the recipient e-mail by milter-greylist
- machine($rcpt) would be the machine part of $rcpt (after the @), that
is: the sender address domain
- dns(machine($rcpt), "MX") would give us the comma separated list of MX
for the sender address domain
- dns(dns(machine($rcpt), "MX"), "A") would give us the comma separated
list of IP addresses for the sender address domain MX
- $addr would be set up as the sender machine IP by milter-greylist
- and the >= operator would check if $addr is a substring of the list of
IP addresses for the sender address domain MX.



That's just rough ideas, I'm not sure there is really something to do
with it. What do you think?


-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Hi all,
Ok, first of all many thanks to everyone who helped to develop this
great piece of opensource product. We are seriously considering it for
a company who originally intended to purchase a commercial product
10.000 Euro worth.

Regarding the features for future releases, I agree with Benoit that
the concept of the "poor man SPF record" and "ala sendmail's
Feature('badMX')" would help to whitelist some "promissing" senders.

I could also see a further improvement in multi-MX scenario:
What usually happens is that when a sender wants to send a mail to say
joe@... where:
MX 10 mx1.example.com
MX 50 mx2.example.com
.. then mx1.example.com is contacted first. Now if that machine is
running milter-greylist, it receives 451 temp error and vast majority
of senders go immediately (say in 1 minute) to mx2.example.com.
If mx2 is also running milter-greylist, we could (possibly) whitelist
those senders on mx2 as I would not expect spammers to try mx2 after
being rejected at mx1.
Also, similarly, senders trying immediately mx2 (without trying mx1
first) are highly suspicious.

Other suggestion:
Limit the greylist delay period. Example: I want to set greylist delay
to 15 minutes and, but I also want to set the maximum retry delay to 1
day and while-list to 7 days. This means a sender will be forced to
wait at least 15 minutes, but also is expected retry in at least 24
hours. Those who pass would be whitelisted for 7 days.
I am not sure whether this is possible at the moment.

Thanks a lot again.
Ondrej


--- In milter-greylist@yahoogroups.com, Benoit Branciard
<benoit.branciard@...> wrote:
>
> here are some features I think would be nice to add one day in a
release 
> of milter-greylist:
> 
> - sender MX validity : the idea is to able to identify sender domains 
> whose MX is "bad", ie points to at least one IP pertaining to an 
> IANA-reserved block : loopback, private use, multicast, broadcast, 
> testing, link-local, and so on (see
http://www.faqs.org/rfcs/rfc3330.html).
> Care should be taken to account for CNAME nesting (with max recursion 
> counter and loop detection), DNS temporary failures, and IPv6
counterparts.
> Sendmail 8.14 introduced such feature, but adding it to milter-greylist 
> is still interesting because of integration in ACL system.
> 
> example of use :
> 
> 	racl blacklist mx bad msg "invalid sender MX"
> 
> 
> - sender MX client matching : the idea is to setup a poor man's SPF 
> check for domains who don't publish SPF records, and have the same 
> servers for inbound and outbound traffic (a quite common case): if a 
> mail from domain foo.bar comes from an IP which is listed as MX for 
> foo.bar, then we can quite trust it and skip greylisting. An example of 
> use :
> 
> 	racl whitelist mx match
> 
> 
> Of course above examples are only suggestions, the actual syntax may
differ.

> 
> -- 
> Ce message a ete verifie par MailScanner
> pour des virus ou des polluriels et rien de
> suspect n'a ete trouve.
>

Hi, ... It s not a good idea to do this, i have seen spammes which go through all mx records as long as they get a temp error in less than 10 secs but don t 

Hi Michael,

see below:

> 
> It's not a good idea to do this, i have seen spammes which go
through all
> mx records as long as they get a temp error in less than 10 secs but
don't
> come back again.
> 
Ok, I did not know that - if it is spammers common practice, then
fine. I just wanted to say that some companies might see greylisting
as maybe "too strong weapon" and that they would welcome anything to
help with whitelisting.

> 
> There may be problems with mx1 so you don't see the sender trying
mx1 first

True.
> You should read the docs (man 5 greylist.conf) for milter-greylist.
> For your example you should add the following lines in your
greylist.conf
> 
Right, I should have read the documentation more carefully!
But speaking about the documentation - it should be stated there what
actually blacklisting means. Does it mean that instead of 451
temperror the sender receives 550 harderror?

Again, good stuff, greylisting+SPF in one package -> sexy combination!
I can not wait to see DKIM to be implemented as well.
The only disadvantage with DKIM is that you have to receive the whole
message to judge - an that makes it a bit prone to false positives.
But still.

Ondrej

... Yes blacklisting is a 5xx harderror. But we don t use it in milter-greylist ... We had some problems with spf, as 1. there are more spammes that have spf

> We had some problems with spf, as
> 
> 1. there are more spammes that have spf records then regular users
Well, I noticed some domains have "+all" or similar, but that is why
you have the "self" operator here , right?
> 2. forwarding breakes spf for some forwarder, and i have found no
easy way
I know SPF breaks forwarding, but I assumed mostly people forward in
"procmail" phase which does SRS... I thought there is minimum
forwarders without SRS out there.

I was hoping to avoid spamassasin as it can not act in early SMTP stage.

> The following site has many good methods to reduce spam.
> http://www.acme.com/mail_filtering/introduction_frameset.html
> 
I know the site, very good, but a bit obsolete (does not cover DKIM).
In general is DKIM maybe better than SPF, as:
- it can not be so easily abused by spammers
- does not break forwarding

Anyway, in long term I would like to base the company antispam
solution on something else than greylisting as it is not very "nice"
approach. Unfortunately, there is nothing else so effective at the
moment....

>

... i have seen spammer domains without +all, which would not be cached by self. ... We had the problem with some users, who forwarded their email without srs,

ondrej_v0 <ondrej_v0@...> wrote:

> I can not wait to see DKIM to be implemented as well.
> The only disadvantage with DKIM is that you have to receive the whole
> message to judge - an that makes it a bit prone to false positives.
> But still.

I started looking at DKIM but I stalled because of that problem (See the
message below). How would you use DKIM in milter-greylist?

--- cut here ---
Emmanuel Dreyfus <manu@...> wrote:

> On Tue, Nov 13, 2007 at 04:54:17AM -0000, Jim Hermann wrote:
> > It contains this Overview, among other API documentation:
> >     5. stat = dkim_body(dkim, ...);
> >           + pass  to  libdkim a chunk of the body that should be included
> >             in computation of the digest to be verified (currently all of
> >             it)
> 
> Ok, that's how it works (I'm discovering, I was completely clueless).
> That means DKIM and DomainKeys can only be checked in a DATA-stage ACL.
> At that time, the greylisting was already taken. I wonder how that could
> be used.
--- cut here ---

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Michael Menge a \ufffdcrit :
> Quoting ondrej_v0 <ondrej_v0@...>:
> 
>> But speaking about the documentation - it should be stated there what
>> actually blacklisting means. Does it mean that instead of 451
>> temperror the sender receives 550 harderror?
> 
> Yes blacklisting is a 5xx harderror. But we don't use it in milter-greylist

Yes you can use blacklisting in milter-greylist (at least 4.0):

acl blacklist addr aa.bb.cc.dd msg "I don't like you"

> We had some problems with spf, as
> 
> 1. there are more spammes that have spf records then regular users

The "good way" is to combine greylisting, SPF and "reputation", by means 
of DNSRBLs and DNSWLs. Milter-greylist 4.0 can do that:

- whitelist "local" clients (those who are expected to use your SMTP 
server anyway)
- whitelist "known good" clients who are listed in DNSWLs or 
locally-crafted whitelist (including ISP server farms which do not pass 
greylisting)
- blacklist "unwanted" clients whith DNSRBL (DUL and otherwise dynamic 
ISP clients)
- "heavy" greylist (long delay) "suspicious" clients (those listed in 
exploits DNSRBL lists, or whose DNS name matches a locally-defined 
regexp list)
- whitelist SPF-pass clients (except those who have a fake "+all" record)
- "light" greylist (short delay) all other clients

you can also blacklist SPF-fail clients, and heavy greylist SPF-softfail 
clients, catching a few % more spam, but exposing to block legitimate 
but badly configured mail (non SRS-compliant forwarding...).

The idea is that only unknown clients should hit the last-resort 
greylist ACL.

In that order, MX validity and MX-as-SPF (poor man SPF) tests would be 
great to help reduce the hit rate of this last-resort ACL.

> 2. forwarding breakes spf for some forwarder, and i have found no easy way
>    for our users to whitelist the forwarding mailserver as they normaly
>    don't know the ip

Forwarders shoud use SRS. But if you combine with DNS whitelists, 
chances are forwarders are already whitelisted.

-- 
Ce message a ete verifie par MailScanner
pour des virus ou des polluriels et rien de
suspect n'a ete trouve.

> 
> The idea is that only unknown clients should hit the last-resort 
> greylist ACL.
Absolutely agree here.
> 
> In that order, MX validity and MX-as-SPF (poor man SPF) tests would be 
> great to help reduce the hit rate of this last-resort ACL.
Agree here as well.
I might add - some forward vs. reverse DNS checks would tell us
something, too. Anyway, the concept of "poor man SPF" is good.
> 
> 
> Forwarders shoud use SRS. But if you combine with DNS whitelists, 
> chances are forwarders are already whitelisted.
> 
I agree here - SRS should be implemented on mail forwarders - not only
because it breaks SPF - it is just fair to claim your real identity.
And you want to send a mail on behalf of someone else? Hey, there is a
message body FROM field!

Regarding DKIM as Michael asked:
Yes, it only works after the DATA stage -> we have to receive the
whole mail. But you can still reject the message instead of "250 Ok,
message accepted for delivery".
But I agree, there is dkim-milter directly developed by sendmail
developers and it makes a little importance to merge it with this
software.

We should perhaps concentrate on what we could do at the SMTP-header
stage and make sure we have done it well.

Ondrej

> -- 
> Ce message a ete verifie par MailScanner
> pour des virus ou des polluriels et rien de
> suspect n'a ete trouve.
>

Hi, ... I think the great adwantage of milter-greylist is that it can reject an email befor the DATA stage. Therefor i don t like and would not use any 

... I know that i can blacklist with milter-greylist. But because of the falsepositiv of DNSRBL we use DNSRBL only to score emails in spamassasin. Any non

Michael Menge a \ufffdcrit :
> I think the great adwantage of milter-greylist is that it can reject an 
> email
> befor the DATA stage. Therefor i don't like and would not use any 
> features that
> would use information from the DATA stage.

I agree milter-greylist should rather concentrate on envelope (pre-DATA) 
stage, maybe SMTP-header stage (but here we already hit the DATA stage ?).

> An SQL backend for the greylist db would be more usefull as it would 
> obsolet
> the mx-sync protocol and the dump of the db

Mmmm... Is that a good idea anyway ? In case of multiple MXes, This 
introduces a single point of failure, or we need complicated setups to 
overcome (SQL mirroring with failover...). MX sync seems quite light and 
efficient in comparison.

More useful would be the ability to include files in greylist.conf, 
which would permit to split configuration in case of long witelists for 
example; I believe it's not possible currently. Another interesting 
feature would be to use SQL and/or LDAP backend for (white, black) 
lists, instead of greylist.conf: this would permit easy dynamic update 
and looong lists without performance/memory hit. Anoter way (which 
doesn't require milter-greylist changes) is to setup a local DNSBL 
server, but this lacks the power of regexps and domain matching.



-- 
Ce message a ete verifie par MailScanner
pour des virus ou des polluriels et rien de
suspect n'a ete trouve.

Michael Menge a \ufffdcrit :
> Also i don't think longer delay will reduce any spam. If it is a regular 
> mailserver it will only delay legetim mail. If it is a spammer who 
> retries it will have success after the longer delay, if not the short 
> delay would do the work also, (or have you seen any spammers that retry 
> after 4 minutes but not after 14?)

Greylisting works ONLY for non-regular MTAs, I think we agree here. 
That's why it is best to target it on clients who are supposed to be 
non-regular MTAs (ie spambots), for example by means of RBLs.

Currently the vast majority of spambots do not intentionally retry, 
except a recently-growing percentage of them who retry 2 or 3 times in 
intervals of 10 minutes (so YES, there are spammers who retry after 10 
minutes but not after 30 minutes, to illustrate your 4/14min. example). 
So setting a longer delay (1 hour) for suspicious clients *do* help 
blocking spam by catching these 3-time-retry spambots. Real MTAs will 
retry up to five days, so they should pass through long greylisting, in 
the event one of them were accidentally listed as "suspicious".

> 
> Ther are may MX-Server out ther that don't use SRS and with 40.000 
> accounts there are always users that use an MX-server that don't use SRS 
> and which
> is not on a whitelist. The only way would be to allow the user to 
> whitelist his forwarding mailserver, but as i don't have any way for a 
> normal user to figure out which is the forwarding mailserver i can't use 
> SPF to reject emails.

DNS whitelists greatly help for this. And I don't consider unfeasible to 
inform my users that SMTP servers which don't conform to "best 
practices" are exposed to longer delivery delays than well-configured ones.

-- 
Ce message a ete verifie par MailScanner
pour des virus ou des polluriels et rien de
suspect n'a ete trouve.

Benoit Branciard <benoit.branciard@...> wrote:

> I agree milter-greylist should rather concentrate on envelope (pre-DATA)
> stage, maybe SMTP-header stage (but here we already hit the DATA stage ?).

Yes, header are in the DATA stage.
 
[SQL backend to replace MX sync]
> Mmmm... Is that a good idea anyway ? In case of multiple MXes, This 
> introduces a single point of failure, or we need complicated setups to
> overcome (SQL mirroring with failover...). MX sync seems quite light and
> efficient in comparison.

Yes, I wouldn't give away the MX sync for something such overblown as a
distributed database. 

> More useful would be the ability to include files in greylist.conf, 
> which would permit to split configuration in case of long witelists for
> example; I believe it's not possible currently. Another interesting 
> feature would be to use SQL and/or LDAP backend for (white, black) 
> lists, instead of greylist.conf: this would permit easy dynamic update
> and looong lists without performance/memory hit. Anoter way (which 
> doesn't require milter-greylist changes) is to setup a local DNSBL 
> server, but this lacks the power of regexps and domain matching.

Heh... I have been using LDAP as a per-user configuration repository for
two years now. Users can set up in real-time their personnal greylist
settings, and even their personnal whitelist and blacklist.

I do that through the urlcheck clause, using an ldap:// URL.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Michael Menge <Michael.Menge@...-tuebingen.de> wrote:

> I know that i can blacklist with milter-greylist. But because of the
> falsepositiv of DNSRBL we use DNSRBL only to score emails in  
> spamassasin.

A nice use of DNSRBl is using them as a reputation: if a sender is caugh
in a DNSRBL, enforce a higher greylisting delay (eg: 12h instead of
15mn). That's quite efficient.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

On Tue, Jan 22, 2008 at 06:56:53PM +0100, Emmanuel Dreyfus wrote:
> A nice use of DNSRBl is using them as a reputation: if a sender is caugh
> in a DNSRBL, enforce a higher greylisting delay (eg: 12h instead of
> 15mn). That's quite efficient.

Indeed. That's the way I use "SORBS DUN". It blocks a lot of spam from
Zombie Windows PC. But my friend's Solaris machine still managed to
get his e-mail to me after a Solaris patch overwrote the "sendmail.cf
which stopped the machine from using its mail relay.

	Kind regards

-- 
Matthias Scheler                                  http://zhadum.org.uk/

--- In milter-greylist@yahoogroups.com, manu@... wrote:
> It seems we have various tests we want to perform against a domain's
> MXes. Let's try to figure a configuration syntax general enough to avoid
> the thing getting too messy.
> 
> Two ideas that need some feedback and improvement:
> 
> First idea:
> Existing tests such as DNSRBL can be extended to work on various data:
> sender IP, sender DNS, sender MX IP, sender MX DNS, and so on.
> 
> We could use format strings to help DNSRBL cover a larger range of
> situations. We already have:
> %i      sender IP address
> %d      sender DNS address
> %mf     sender e-mail domain
> We could add:
> %xi     MX IP address
> %xd     MX DNS address
> %n{}    a reversed dot-separated item. eg: if sender IP address is
> 10.1.2.3, %n{%i} gives you 3.2.1.10.
>  
> Then, DNSRBL definitions can be improved like this:
> dnsrbl "foo" "%n{%i}.dnsrbl.example.com" 127.0.0.0/8
> 
> You'll note that this syntax accomodate the use of either DNSRBL or
> RHSRBL, based on whatever you want: sender machine, MX, sender domain,
> receiver domain.
> 
> Given that it would not work only for DNSRBL, perhaps it's time to
> rename it (it would make config parsing a bit easier), and make it even
> more general by allowing the DNS query type to be specified:
> dnslookup "foo" "%n{%i}.dnsrbl.example.com" A 127.0.0.0/8
> 
> Problem to solve: for a given domain, MX is usually not unique. The %x
> thing quickly tend to be difficult to define correctly. Suggestions
> welcome.
> 
> 
> Second idea:
> Clauses are about matching a condition. We have different kind of tests,
> with different syntaxes:
> rcpt foo@...    variable, value 
> rcptcount >= 2          variable, operator, value
> dnsrbl "foo"            reference to a condition defined earlier.
> 
> Moreover, we have variables that can be set by the urlcheck clause
> $foo >= 2
> 
> There is room for unifying a lot of things. instead of writing
> rcpt foo@...
> we could write
> $rcpt == "foo@..."
> 
> Of course that looks heavier, but that opens the way for adding more
> operators (== for exact match, =~ for regexp match, <= for substring
> match), and we can think about adding functions and logical operators.
> 
> Example:
> dns(dns(machine($rcpt), "MX"), "A") >= $addr
> 
> - $rcpt would be set up as the recipient e-mail by milter-greylist
> - machine($rcpt) would be the machine part of $rcpt (after the @), that
> is: the sender address domain
> - dns(machine($rcpt), "MX") would give us the comma separated list of MX
> for the sender address domain
> - dns(dns(machine($rcpt), "MX"), "A") would give us the comma separated
> list of IP addresses for the sender address domain MX
> - $addr would be set up as the sender machine IP by milter-greylist
> - and the >= operator would check if $addr is a substring of the list of
> IP addresses for the sender address domain MX.
> 
> 
> 
> That's just rough ideas, I'm not sure there is really something to do
> with it. What do you think?
> 

This sounds quite powerful, but at the expense of config file readability.

So what about :

- have a powerful and generic engine and syntax as you proposed;
- and ability to define macros (or functions), some of the being
predefined: DNSRL, RHSL, BADMX, SENDERISMX...


Some of the basic features which may be useful :

1) predefined variables for all directly usable parameters (some of
the already implemented): sender IP, sender DNS name, envelope from
address, sender HELO string...

2) generic DNS query :
    dns(query,type)
    ex: dns("domaine.com","MX").

this function :
- may return one or several records; in case of multiple responses,
they should be treated as such, for example in an array, and not
concatenated in one string, to ease further treatment.
- should accept one or more queries of the same type ("query" shoud
accept an array): in case of multiple queries, all the responses of
all queries should be merged in the resulting array.
- if type "A" is specified, should also report "AAAA" responses; or we
could define a special type "A+" which returns both, or accept an
array of types : dns("mydomain.com",["A","AAAA"]);

3) address domain extraction (as explained in your post):
    domain("toto@...") -> "domain.com"

As above, ability to handle multiple arguments may be useful:
    domain("toto@domain.com","zozo@...") ->
["domain.com","other.mail"]

This same function, or another, may be used to strip the host name of
an FQDN:
    domain("machine.domain.com") -> "domain.com"

or maybe more generic substring extraction fonctions should be used ?
(à la Perl, or bash, or sed "s/^.*@//"...)

3bis) domain concatenation:

    addom(["toto","titi"],"mydomain.com") ->
["toto.mydomain.com","titi.mydomain.com"]

4) IP reversing (not generic string manipulation, RFC-dependent for IPv6):

    iprev(192.168.1.3) -> 3.1.168.192
    iprev(2001:660:3305::12:2f) ->
f.2.0.0.2.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.0.3.3.0.6.6.0.1.0.0.2

here also multiple arguments may be accepted.

5) various specific operators:

- regexp matching : $string =~ /abc.*de/
- string equality : $string == "abcde"
- substring matching: $string >= "abc"
- domain matching : $fqdn indomain domain.com
- IP range matching : $ip inrange 192.168.0.10/24 (without specifying
a CIDR mask, this would be an exact IP match, similar to string
equality, except it would accomodate for various IP syntaxes:
"2001:660:3305:0:0:0:0:22 inrange 2001:660:3305::22" should match)

In case arguments are multiple, these operators should match if *any*
of the arguments match. If useful, one could also add a modifier to
force matching *all* arguments: "$ips all inrange 192.168.0.10/24".

6) a syntax to define fonctions (macros) :

define badMX { dns(dns(domain(%f),"MX"),"A") inrange [192.168.0.0./16,
127.0.0.0/8, ::1/128 ...] }

define DNSL(%suffix,%range) { dns(addom(iprev(%i),%suffix),"A")
inrange %range }

define RHSL(%suffix,%range) { dns(addom(%d,%suffix),"A") inrange %range }


Of course above syntax is only an example.
But is all that worth doing in milter-greylist ? Aren't we targeting
too big ? Maybe implementing missing features (with simplified syntax
and hardcoded arguments) would suffice. Some features like badMX could
be done by other means (sendmail 8.14 handles this); the only (but
serious) advantage having it in milter-greylist is we can integrate it
in ACL system and do complex things with it (weighted greylisting,
multiple conditions...).

benoit.branciard <benoit.branciard@...> wrote:

> But is all that worth doing in milter-greylist ? Aren't we targeting
> too big ?

I'm affraid we are. If we ever want to have anything implemented, we
have to split that huge plan into smaller bits that could be added
incrementally.

What's the first step? I suspect standardizing ACL clauses on the same
syntax is a requirement for most next steps. 

CLAUSE := V OP V 
V is a quoted value or a variable ($rcpt, $to, $ip, $dns...)
OP is an operator

One of the problem I see arising is variable typing: we'll have numeric
variables and string variables. Perhaps also array and IP types, it's
hard to tell...

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...