Yahoo Groups archive

Milter-greylist

Index last updated: 2026-04-28 23:32 UTC

Thread

whitelist STARTTLS compliant senders

whitelist STARTTLS compliant senders

2008-02-13 by ondrej_v0

Hello List!
I am just curious - is it possible to whitelist ANY senders who used
encryption (STARTTLS) to send a mail?
I mean whitelist even those whose signature failed to verify.

The reason is that I think spammers would use starttls session very
seldom so it could be quite safe to whitelist anyone willing to starttls.

Thanks!
Ondrej

Re: whitelist STARTTLS compliant senders

2008-02-19 by ondrej_v0

Looking into the source codes I see there is no support for this yet.
Here is my patch to enable it:

--- acl_.c      2007-11-11 12:57:19.000000000 +0100
+++ acl.c       2008-02-19 15:02:19.000000000 +0100
@@ -773,13 +773,19 @@
        char *verify;
        char *dn;

-       if (((verify = smfi_getsymval(priv->priv_ctx, "{verify}")) ==
NULL) ||
-           (strcmp(verify, "OK") != 0) ||
-           ((dn = smfi_getsymval(priv->priv_ctx, "{cert_subject}"))
== NULL))
+       if ((verify = smfi_getsymval(priv->priv_ctx, "{verify}")) !=
NULL) {
+           // "racl tls any" support - match anyone willing to
STARTTLS - even those MTA's without a private certificate to present
+           if ((strcmp("any", ad->string) == 0) &&
+               ((strcmp(verify, "OK") != 0) || (strcmp(verify, "NO")
!= 0)))
+               return 1;
+
+           if ((strcmp(verify, "OK") != 0) ||
+               ((dn = smfi_getsymval(priv->priv_ctx,
"{cert_subject}")) == NULL))
                return 0;

-       if (strcmp(dn, ad->string) == 0)
+           if (strcmp(dn, ad->string) == 0)
                return 1;
+       }

        return 0;
 }
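
Review bot: the condition guarding the new `return 1` in the "any" branch, `(strcmp(verify, "OK") != 0) || (strcmp(verify, "NO") != 0)`, is always true, because no string can equal both "OK" and "NO", so `racl tls "any"` matches every client for which the {verify} macro is set at all, including sessions in which STARTTLS was never performed (sendmail sets {verify} to "NONE" for those), which silently whitelists exactly the senders greylisting is meant to hold. The comment says the intent is to match anyone willing to STARTTLS, with or without a certificate, so the test should presumably be `(strcmp(verify, "OK") == 0) || (strcmp(verify, "NO") == 0)`. Minor: the `//` comment should be a `/* ... */` block to match the surrounding C in acl.c.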


It basically introduces the clause 'acl tls "any"', which addresses anyone
willing to STARTTLS, even those who have no private certificate to
present.
Can this go into the main stream? ;-)
Thanks,

Ondrej
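
To make the effect of the patch's "any" test concrete, here is a small C program (an added example, not part of the patch or of milter-greylist) that runs the predicate exactly as posted, and the predicate the patch description asks for, over the values sendmail documents for its {verify} macro; the verify_values table is constructed from that documentation and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed table: the values sendmail documents for its {verify} macro.
 * "OK" = client certificate verified, "NO" = TLS session but no client
 * certificate presented, "NONE" = STARTTLS was not performed at all. */
static const char *const verify_values[] = {
    "OK", "NO", "NOT", "FAIL", "NONE", "SOFTWARE", "PROTOCOL", "TEMP"
};
#define NVERIFY (sizeof(verify_values) / sizeof(verify_values[0]))

/* The 'racl tls "any"' test exactly as written in the posted patch
 * (hypothetical function name; the patch inlines it in acl.c). */
int tls_any_as_patched(const char *verify)
{
    if (verify == NULL)
        return 0;
    return (strcmp(verify, "OK") != 0) || (strcmp(verify, "NO") != 0);
}

/* The test the patch description asks for: a client that completed
 * STARTTLS, either with a verified certificate or with none presented. */
int tls_any_intended(const char *verify)
{
    if (verify == NULL)
        return 0;
    return (strcmp(verify, "OK") == 0) || (strcmp(verify, "NO") == 0);
}

/* How many of the documented {verify} values a predicate would whitelist. */
int count_matches(int (*pred)(const char *))
{
    int n = 0;
    size_t i;
    for (i = 0; i < NVERIFY; i++)
        if (pred(verify_values[i]))
            n++;
    return n;
}

int main(void)
{
    size_t i;
    for (i = 0; i < NVERIFY; i++)
        printf("{verify}=%-8s patched=%d intended=%d\n", verify_values[i],
               tls_any_as_patched(verify_values[i]),
               tls_any_intended(verify_values[i]));
    return 0;
}
```

The posted predicate accepts all eight values, "NONE" included, while the intended one accepts only "OK" and "NO".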

Re: [milter-greylist] Re: whitelist STARTTLS compliant senders

2008-02-19 by Emmanuel Dreyfus

On Tue, Feb 19, 2008 at 02:16:38PM -0000, ondrej_v0 wrote:
> Looking into the source codes I see there is no support for this yet.
> Here is my patch to enable it:

How is that different from matching against a wildcard regex?
racl tls /.*/ 

-- 
Emmanuel Dreyfus
manu@...

Re: whitelist STARTTLS compliant senders

2008-02-19 by ondrej_v0

Very different:
1. racl tls /.*/ won't work. You probably wanted to say racl tls_re /.*/
2. It only works for those who present their private certificate, which
is very, very rare. In most cases MTAs have no private certificate.
3. My fix enables whitelisting even those w/o a private certificate...

Ondrej
--- In milter-greylist@yahoogroups.com, Emmanuel Dreyfus <manu@...> wrote:
>
> On Tue, Feb 19, 2008 at 02:16:38PM -0000, ondrej_v0 wrote:
> > Looking into the source codes I see there is no support for this yet.
> > Here is my patch to enable it:
> 
> How is that different from matching against a wildcard regex?
> racl tls /.*/ 
> 
> -- 
> Emmanuel Dreyfus
> manu@...
>

Re: [milter-greylist] Re: whitelist STARTTLS compliant senders

2008-02-19 by Emmanuel Dreyfus

On Tue, Feb 19, 2008 at 02:29:16PM -0000, ondrej_v0 wrote:
> Very different:
> 1. racl tls /.*/ won't work. You probably wanted to say racl tls_re /.*/
> 2. It only works for those who present their private certificate, which
> is very, very rare. In most cases MTAs have no private certificate.
> 3. My fix enables whitelisting even those w/o a private certificate...

What about matching clients that do not present a certificate? That way,
you can match any certificate, including none (with two ACLs), and you
can also allow TLS with a certificate but not TLS without a certificate.

-- 
Emmanuel Dreyfus
manu@...

Re: whitelist STARTTLS compliant senders

2008-02-19 by ondrej_v0

--- In milter-greylist@yahoogroups.com, Emmanuel Dreyfus <manu@...> wrote:
>
> On Tue, Feb 19, 2008 at 02:29:16PM -0000, ondrej_v0 wrote:
> > Very different:
> > 1. racl tls /.*/ won't work. You probably wanted to say racl tls_re /.*/
> > 2. It only works for those who present their private certificate, which
> > is very, very rare. In most cases MTAs have no private certificate.
> > 3. My fix enables whitelisting even those w/o a private certificate...
> 
> What about matching clients that do not present a certificate? That way,
> you can match any certificate, including none (with two ACLs), and you
> can also allow TLS with a certificate but not TLS without a certificate.
> 
> -- 
> Emmanuel Dreyfus
> manu@...
>

Show me the example.
Anyway I doubt you can do it - take a look at the source code - there
is a hardcoded Verify=yes, which means a private certificate is required...

Re: [milter-greylist] Re: whitelist STARTTLS compliant senders

2008-02-19 by manu@netbsd.org

ondrej_v0 <ondrej_v0@...> wrote:

> Show me the example.
> Anyway I doubt you can do it - take a look at the source code - there
> is a hardcoded Verify=yes, which means a private certificate is required...

Something like this?
racl whitelist tls_re /.*/
racl blacklist tls none


-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: whitelist STARTTLS compliant senders

2008-02-20 by ondrej_v0

No,
This won't work - the first line only catches anyone with a private
certificate that was successfully verified (= the default behavior),
and the second line does not make any sense... (again, look at acl.c
for more details)
Ondrej

--- In milter-greylist@yahoogroups.com, manu@... wrote:
>
> ondrej_v0 <ondrej_v0@...> wrote:
> 
> > Show me the example.
> > Anyway I doubt you can do it - take a look at the source code - there
> > is a hardcoded Verify=yes, which means a private certificate is required...
> 
> Something like this?
> racl whitelist tls_re /.*/
> racl blacklist tls none
> 
> 
> -- 
> Emmanuel Dreyfus
> http://hcpnet.free.fr/pubz
> manu@...
>

Re: [milter-greylist] Re: whitelist STARTTLS compliant senders

2008-02-23 by manu@netbsd.org

ondrej_v0 <ondrej_v0@...> wrote:

> Can this go into the main stream? ;-)

Mmmm.... Sorry to be picky about it, but isn't it equivalent to this?

sm_macro "tls_ok" "{verify}" "OK"
sm_macro "tls_no" "{verify}" "NO"
racl whitelist no sm_macro "tls_ok" no sm_macro "tls_no"

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [milter-greylist] Re: whitelist STARTTLS compliant senders

2008-02-25 by Ondrej Valousek

Hi Emmanuel,

Ok, you are right, this approach works - so my patch is actually not
necessary.
Anyway - many good configuration ideas (like the HELO check) appeared on
this list.
Maybe it would make sense to collect them into some sample config file
so people know everything that is possible.

Thanks,
Ondrej

manu@... wrote:
>
> ondrej_v0 <ondrej_v0@...> wrote:
>
> > Can this go into the main stream? ;-)
>
> Mmmm.... Sorry to be picky about it, but isn't it equivalent to this?
>
> sm_macro "tls_ok" "{verify}" "OK"
> sm_macro "tls_no" "{verify}" "NO"
> racl whitelist no sm_macro "tls_ok" no sm_macro "tls_no"
>
> -- 
> Emmanuel Dreyfus
> http://hcpnet.free.fr/pubz
> manu@...
>
>

Re: [milter-greylist] Re: whitelist STARTTLS compliant senders

2008-02-25 by manu@netbsd.org

Ondrej Valousek <webserv@...> wrote:

> Ok, you are right, this approach works - so my patch is actually not
> necessary.
> Anyway - many good configuration ideas (like the HELO check) appeared on
> this list.
> Maybe it would make sense to collect them into some sample config file
> so people know everything that is possible.

Indeed, we need a wiki for users to drop random config snippets. Would
you like to start it up? I will add a link to it from the web site.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [milter-greylist] Re: whitelist STARTTLS compliant senders

2008-02-25 by shuttlebox

On Mon, Feb 25, 2008 at 1:42 PM,  <manu@...> wrote:
>  Indeed, we need a wiki for users to drop random config snippets. Would
>  you like to start it up? I will add a link to it from the web site.

I just registered http://milter-greylist.wikidot.com/. :-)

-- 
/peter
