Yahoo Groups archive

Milter-greylist

How To Whitelist a Dynamic IP Sender?

2008-02-26 by Bob Smith

I would like to whitelist email received from a DNS address 
(foo.dynip.com) which resolves to a dynamic IP address (and possibly a 
different one the next time you look).

How do I do this?

Also, what is the difference between greylist.conf commands acl, racl, 
dacl?  The web page http://linux.die.net/man/5/greylist.conf doesn't 
mention the latter two commands.  Where else should I look?

-- 
_______________________________________________________________
Bob Smith - bsmith@... - http://www.sudleyplace.com

Re: [milter-greylist] How To Whitelist a Dynamic IP Sender?

2008-02-26 by Matt Kettler

Bob Smith wrote:
> I would like to whitelist email received from a DNS address 
> (foo.dynip.com) which resolves to a dynamic IP address (and possibly a 
> different one the next time you look).
> 
> How do I do this?

AFAIK, there's nothing that currently supports this in milter-greylist. Can you 
use SMTP auth or TLS?


> Also, what is the difference between greylist.conf commands acl, racl, 
> dacl? 

acl is the old syntax, pre 3.1.3 and is the same as racl.

racl is ACLs applied at the time of the SMTP RCPT TO: command (i.e. before any 
email is transferred). It is advisable to use these where possible. However, it 
is limited to acting on the sender's IP, reverse DNS, HELO, Mail From: (aka 
return-path) and RCPT TO: contents.

dacl is ACLs applied at the end of the DATA phase of the SMTP session (i.e. after 
the email has been transferred). This allows milter-greylist to examine things 
like body text. However, it comes at a penalty of only running after the email 
is transferred, and AFAIK it does not support the greylist action. (greylisting 
at the data phase would likely result in a traffic flood anyway, so you do NOT 
want to do this. Ever.)


> The web page http://linux.die.net/man/5/greylist.conf doesn't 
> mention the latter two commands.

That's because it's the manpage for an older version of milter-greylist that 
didn't support racl/dacl.

>  Where else should I look?

On your system run:

man greylist.conf

That will give you the manpage for YOUR version of milter-greylist, not some 
arbitrary version that die.net is using.

Re: [milter-greylist] How To Whitelist a Dynamic IP Sender?

2008-02-27 by manu@netbsd.org

Bob Smith <bsmith@...> wrote:

> I would like to whitelist email received from a DNS address 
> (foo.dynip.com) which resolves to a dynamic IP address (and possibly a
> different one the next time you look).

racl whitelist domain foo.dynip.com

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [milter-greylist] How To Whitelist a Dynamic IP Sender?

2008-02-27 by Matthias Scheler

On Wed, Feb 27, 2008 at 05:01:57AM +0100, Emmanuel Dreyfus wrote:
> > I would like to whitelist email received from a DNS address 
> > (foo.dynip.com) which resolves to a dynamic IP address (and possibly a
> > different one the next time you look).
> 
> racl whitelist domain foo.dynip.com

"domain" uses the rDNS, doesn't it? That won't work in that case because
"dynip" hosts have rDNS set up by the ISP.

	Kind regards

-- 
Matthias Scheler                                  http://zhadum.org.uk/

Re: {Disarmed} [milter-greylist] How To Whitelist a Dynamic IP Sender?

2008-02-27 by Kai Schaetzl

Bob Smith wrote on Tue, 26 Feb 2008 17:58:28 -0500:

> I would like to whitelist email received from a DNS address 
> (foo.dynip.com) which resolves to a dynamic IP address (and possibly a 
> different one the next time you look).

You are talking about a specific host, right? Why not use the from domain?

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

Re: [milter-greylist] How To Whitelist a Dynamic IP Sender?

2008-02-27 by Bob Smith

manu@... wrote:
> 
> 
> Bob Smith <bsmith@...> wrote:
> 
>  > I would like to whitelist email received from a DNS address
>  > (foo.dynip.com) which resolves to a dynamic IP address (and possibly a
>  > different one the next time you look).
> 
> racl whitelist domain foo.dynip.com

I thought that mechanism matches the text "foo.dynip.com" to the base of 
all sending domains.

In the case I'm trying to cover, no email is sent with "foo.dynip.com" 
in it.  That address represents the dynamic IP of my home machine from 
which email is sent using an address of bsmith@....

I want to whitelist email sent from my home machine.

I presume that such a mechanism would need to include a periodic lookup 
of the dynamic IP to refresh the value.  Sort of a

racl whitelist dns foo.dynip.com lookup 3h

I appreciate that milter-greylist might not support this as yet, but is 
that a reasonable syntax or would you suggest something else?

-- 
_______________________________________________________________
Bob Smith - bsmith@... - http://www.sudleyplace.com

Re: [milter-greylist] How To Whitelist a Dynamic IP Sender?

2008-02-27 by Emmanuel Dreyfus

On Wed, Feb 27, 2008 at 10:23:04AM -0500, Bob Smith wrote:
> > racl whitelist domain foo.dynip.com
> I thought that mechanism matches the text "foo.dynip.com" to the base of 
> all sending domains.

The domain clause matches against the DNS address of the sender machine.

-- 
Emmanuel Dreyfus
manu@...

Re: [milter-greylist] How To Whitelist a Dynamic IP Sender?

2008-02-27 by Bob Smith

Emmanuel Dreyfus wrote:
> 
> 
> On Wed, Feb 27, 2008 at 10:23:04AM -0500, Bob Smith wrote:
>  > > racl whitelist domain foo.dynip.com
>  > I thought that mechanism matches the text "foo.dynip.com" to the base of
>  > all sending domains.
> 
> The domain clause matches against the DNS address of the sender machine.

Excellent!

-- 
_______________________________________________________________
Bob Smith - bsmith@... - http://www.sudleyplace.com

Re: [milter-greylist] How To Whitelist a Dynamic IP Sender?

2008-02-27 by Bob Smith

Emmanuel Dreyfus wrote:
> 
> 
> On Wed, Feb 27, 2008 at 10:23:04AM -0500, Bob Smith wrote:
>  > > racl whitelist domain foo.dynip.com
>  > I thought that mechanism matches the text "foo.dynip.com" to the base of
>  > all sending domains.
> 
> The domain clause matches against the DNS address of the sender machine.

I've been thinking about this and am even more confused.

Q1.  Does the domain match do a DNS lookup to get the matching IP 
address each time it is asked to compare against the sender's IP address?

Q2.  I looked at the code in acl.c and it appears that the match routine 
for "domain" is acl_domain_cmp which compares two strings, 
back-to-front.  I don't see any DNS lookup there.  You certainly know 
the code much, much better than I do, so what am I missing?

-- 
_______________________________________________________________
Bob Smith - bsmith@... - http://www.sudleyplace.com

Re: [milter-greylist] How To Whitelist a Dynamic IP Sender?

2008-02-27 by manu@netbsd.org

Bob Smith <bsmith@...> wrote:

> Q1.  Does the domain match do a DNS lookup to get the matching IP 
> address each time it is asked to compare against the sender's IP address?
> 
> Q2.  I looked at the code in acl.c and it appears that the match routine
> for "domain" is acl_domain_cmp which compares two strings, 
> back-to-front.  I don't see any DNS lookup there.  You certainly know
> the code much, much better than I do, so what am I missing?

Sendmail does the DNS lookup and hands it to every milter. It makes much
more sense than having each milter perform the same DNS request over and
over.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...
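To make concrete what the last two replies describe, here is an added example in Python (my own code, not milter-greylist's acl.c): sendmail passes the milter the reverse-DNS name it already looked up for the connecting address, and a domain clause is a back-to-front string compare of that name against the configured domain. Nothing in this path ever forward-resolves foo.dynip.com. The sample connections are constructed; the whole-label boundary check is this example's choice, so verify acl_domain_cmp in your version before relying on it.

```python
"""Added example (not milter-greylist code): what `racl whitelist domain X`
can actually see.  The only input is the reverse-DNS name sendmail already
looked up for the connecting IP; the configured name is never resolved."""
from typing import Iterable, List, Tuple


def domain_clause_matches(client_rdns: str, clause_domain: str) -> bool:
    """Back-to-front compare of the client's rDNS name against the clause.

    Normalises case and a trailing dot, then requires the match to sit on a
    label boundary: 'xfoo.dynip.com' must not satisfy 'foo.dynip.com'.
    (Boundary handling is this example's choice; check acl_domain_cmp in
    your milter-greylist version.)
    """
    host = client_rdns.rstrip(".").lower()
    dom = clause_domain.lstrip(".").rstrip(".").lower()
    if not host or not dom:
        return False
    return host == dom or host.endswith("." + dom)


# Constructed sample of what sendmail hands the milter for four connections:
# (client IP, reverse-DNS name of that IP).  For the dynamic home machine the
# name is whatever the ISP put in its PTR record, not the dyndns name.
SAMPLE_CONNECTIONS: List[Tuple[str, str]] = [
    ("203.0.113.7",  "cpe-203-0-113-7.dsl.isp.example"),  # Bob's home PC
    ("198.51.100.4", "foo.dynip.com"),                    # PTR really says so
    ("198.51.100.5", "relay.foo.dynip.com"),              # sub-label: matches
    ("198.51.100.6", "xfoo.dynip.com"),                   # string suffix only
]


def whitelisted_clients(connections: Iterable[Tuple[str, str]],
                        clause_domain: str = "foo.dynip.com") -> List[str]:
    """IPs that a `domain` clause for clause_domain would whitelist."""
    return [ip for ip, rdns in connections
            if domain_clause_matches(rdns, clause_domain)]


if __name__ == "__main__":
    for ip in whitelisted_clients(SAMPLE_CONNECTIONS):
        print("whitelisted:", ip)
    # 203.0.113.7 is absent: its PTR name belongs to the ISP, not to Bob.
```

Two things follow from this. Bob's machine is never matched, because the ISP, not Bob, writes the PTR record for a dynamic address. And whoever a domain clause does match is trusted on the strength of a PTR record that the owner of the IP's reverse zone controls, so the clause is only as strong as that zone.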

Re: [milter-greylist] How To Whitelist a Dynamic IP Sender?

2008-02-28 by Bob Smith

manu@... wrote:
> 
> 
> Bob Smith <bsmith@...> wrote:
> 
>  > Q1. Does the domain match do a DNS lookup to get the matching IP
>  > address each time it is asked to compare against the sender's IP address?
>  >
>  > Q2. I looked at the code in acl.c and it appears that the match routine
>  > for "domain" is acl_domain_cmp which compares two strings,
>  > back-to-front. I don't see any DNS lookup there. You certainly know
>  > the code much, much better than I do, so what am I missing?
> 
> Sendmail does the DNS lookup and hands it to every milter. It makes much
> more sense than having each milter perform the same DNS request over and
> over.

Sorry, but I must be really thick.  How is it that Sendmail does a lookup 
on the DNS entry for (say) foo.dynip.com when that text never appears in 
the email?  At what point does any part of the system obtain the IP 
address for foo.dynip.com when the only place it appears is in

racl whitelist domain foo.dynip.com

-- 
_______________________________________________________________
Bob Smith - bsmith@... - http://www.sudleyplace.com

Re: [milter-greylist] How To Whitelist a Dynamic IP Sender?

2008-02-28 by manu@netbsd.org

Bob Smith <bsmith@...> wrote:

> Sorry, but I must be really thick.  How is it that Sendmail does a lookup
> on the DNS entry for (say) foo.dynip.com when that text never appears in
> the email? 

sendmail performs a DNS lookup on the IP address of the incoming SMTP
connection (a la getpeername(3)).
-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [milter-greylist] How To Whitelist a Dynamic IP Sender?

2008-02-28 by Bob Smith

manu@... wrote:
> 
> 
> Bob Smith <bsmith@...> wrote:
> 
>  > Sorry, but I must be really thick. How is it that Sendmail does a lookup
>  > on the DNS entry for (say) foo.dynip.com when that text never appears in
>  > the email?
> 
> sendmail performs a DNS lookup on the IP address of the incoming SMTP
> connection (a la getpeername(3)).

That's fine.  But I asked who does a DNS lookup on the IP address of 
foo.dynip.com so it can be compared to the IP address of the incoming 
SMTP connection?

-- 
_______________________________________________________________
Bob Smith - bsmith@... - http://www.sudleyplace.com

Re: {Disarmed} [milter-greylist] How To Whitelist a Dynamic IP Sender?

2008-02-28 by Kai Schaetzl

wrote on Thu, 28 Feb 2008 04:43:45 +0100:

> sendmail performs a DNS lookup on the IP address of the incoming SMTP
> connection (a la getpeername(3)).

But the lookup will reveal a different hostname each time. It will not 
resolve to foo.dynip.com. So, I think the solution is whitelist by sender.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

Re: [milter-greylist] How To Whitelist a Dynamic IP Sender?

2008-02-28 by Matt Kettler

Bob Smith wrote:
> manu@... wrote:
>>
>> Bob Smith <bsmith@...> wrote:
>>
>>  > Sorry, but I must be really thick. How is it that Sendmail does a lookup
>>  > on the DNS entry for (say) foo.dynip.com when that text never appears in
>>  > the email?
>>
>> sendmail performs a DNS lookup on the IP address of the incoming SMTP
>> connection (a la getpeername(3)).
> 
> That's fine.  But I asked who does a DNS lookup on the IP address of 
> foo.dynip.com so it can be compared to the IP address of the incoming 
> SMTP connection?
> 

Nobody.

Re: [milter-greylist] How To Whitelist a Dynamic IP Sender?

2008-02-28 by Benoit Branciard

Matt Kettler wrote:
> Bob Smith wrote:
>> manu@... wrote:
>>> Bob Smith <bsmith@...> wrote:
>>>
>>>  > Sorry, but I must be really thick. How is it that Sendmail does a lookup
>>>  > on the DNS entry for (say) foo.dynip.com when that text never appears in
>>>  > the email?
>>>
>>> sendmail performs a DNS lookup on the IP address of the incoming SMTP
>>> connection (a la getpeername(3)).
>> That's fine.  But I asked who does a DNS lookup on the IP address of 
>> foo.dynip.com so it can be compared to the IP address of the incoming 
>> SMTP connection?
>>
> 
> Nobody.
> 

In milter-greylist 4.0+, you may implement it yourself with a 
"urlcheck" clause and a small external app which does the foo.dynip.com 
DNS lookup, compares it to the client IP and returns the expected status.

But depending on the load of your server and the technology you use, 
performance may be less than optimal, since you must call it for *every* 
incoming message.

-- 
This message has been checked by MailScanner
for viruses or spam and nothing
suspicious was found.

Re: [milter-greylist] How To Whitelist a Dynamic IP Sender?

2008-02-28 by Bob Smith

Benoit Branciard wrote:
> 
> 
> Matt Kettler wrote:
>  > Bob Smith wrote:
>  >> manu@... wrote:
>  >>> Bob Smith <bsmith@...> wrote:
>  >>>
>  >>> > Sorry, but I must be really thick. How is it that Sendmail does a lookup
>  >>> > on the DNS entry for (say) foo.dynip.com when that text never appears in
>  >>> > the email?
>  >>>
>  >>> sendmail performs a DNS lookup on the IP address of the incoming SMTP
>  >>> connection (a la getpeername(3)).
>  >> That's fine. But I asked who does a DNS lookup on the IP address of
>  >> foo.dynip.com so it can be compared to the IP address of the incoming
>  >> SMTP connection?
>  >>
>  >
>  > Nobody.
>  >
> 
> In milter-greylist 4.0+, you may implement it yourself with a
> "urlcheck" clause and a small external app which does the foo.dynip.com
> DNS lookup, compares it to the client IP and returns the expected status.
> 
> But depending on the load of your server and the technology you use,
> performance may be less than optimal, since you must call it for *every*
> incoming message.

I was thinking of something like

racl whitelist dns foo.dynip.com lookup 3h

to ease the load.  The actual IP address which corresponds to 
foo.dynip.com changes only when my home machine reboots and thus 
acquires another dynamic IP address.  This is uncommon enough that a 
check on every incoming message is way too drastic.

Is this design reasonable, or would you suggest something else?

-- 
_______________________________________________________________
Bob Smith - bsmith@... - http://www.sudleyplace.com

Re: [milter-greylist] How To Whitelist a Dynamic IP Sender?

2008-02-28 by shuttlebox

On Thu, Feb 28, 2008 at 6:57 PM, Bob Smith <bsmith@...> wrote:
>  I was thinking of something like
>
>  racl whitelist dns foo.dynip.com lookup 3h
>
>  to ease the load.  The actual IP address which corresponds to
>  foo.dynip.com changes only when my home machine reboots and thus
>  acquires another dynamic IP address.  This is uncommon enough that a
>  check on every incoming message is way too drastic.
>
>  Is this design reasonable, or would you suggest something else?

Why don't you just whitelist your sender address?

racl whitelist from bob@...

Sure, your address can be faked by a spammer but greylisting is just
your first defense, right?

-- 
/peter

Re: [milter-greylist] How To Whitelist a Dynamic IP Sender?

2008-02-28 by manu@netbsd.org

Bob Smith <bsmith@...> wrote:

> This is uncommon enough that a 
> check on every incoming message is way too drastic.

Well, if you perform multiple similar DNS requests, they should not go
beyond the cache of your DNS server...

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [milter-greylist] How To Whitelist a Dynamic IP Sender?

2008-02-28 by Matt Kettler

manu@... wrote:
> Bob Smith <bsmith@...> wrote:
> 
>> This is uncommon enough that a 
>> check on every incoming message is way too drastic.
> 
> Well, if you perform multiple similar DNS requests, they should not go
> beyond the cache of your DNS server...

It's a dyndns.org hostname; the TTL is very short as a result, so the cache 
isn't going to help you.
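As an added example of the urlcheck route Benoit describes, combined with the refresh interval Bob proposes, here is a small HTTP backend in Python. It is my own code, not milter-greylist's or Benoit's. It assumes a greylist.conf line of the shape racl whitelist urlcheck "http://127.0.0.1:8090/check?ip=%i" 5 10s, that %i expands to the client IP, and that a reply line milterGreylistStatus: Ok marks the clause as matched; the argument order, the substitution and the property name are assumptions to verify in greylist.conf(5) for your version, and port 8090 and the 3-hour refresh are arbitrary.

```python
"""Added example (not milter-greylist code): a urlcheck backend that answers
"is the connecting IP one of foo.dynip.com's current addresses?".
Assumptions, to verify in greylist.conf(5): the URL carries the client IP as
?ip=... (via %i), and a 'milterGreylistStatus: Ok' line means "matched"."""
import ipaddress
import socket
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable, Dict, Set, Tuple
from urllib.parse import parse_qs, urlparse

DYNAMIC_NAME = "foo.dynip.com"   # the home machine's dyndns name (from the thread)
REFRESH_SECONDS = 3 * 3600       # Bob's proposed "lookup 3h"; assumption


def resolve_all(name: str) -> Set[str]:
    """Forward-resolve name to the set of its A/AAAA addresses, in text form.
    A lookup failure yields the empty set, i.e. nothing gets whitelisted."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    return {str(ipaddress.ip_address(info[4][0])) for info in infos}


class CachedResolver:
    """Caches forward lookups for ttl seconds regardless of the DNS record's TTL.

    This is Bob's "lookup 3h" idea: it removes the per-message DNS cost Benoit
    warns about, which the resolver cache cannot absorb because a dyndns TTL
    is short.  The price: for up to ttl seconds after the home machine gets a
    new address, the OLD address stays whitelisted, and on a dynamic pool it
    may by then belong to a stranger.  Keep ttl short.
    """

    def __init__(self, resolver: Callable[[str], Set[str]] = resolve_all,
                 ttl: float = REFRESH_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._resolver = resolver
        self._ttl = ttl
        self._clock = clock
        self._cache: Dict[str, Tuple[float, Set[str]]] = {}
        self.lookups = 0  # real resolver calls, to show the cache working

    def addresses(self, name: str) -> Set[str]:
        now = self._clock()
        entry = self._cache.get(name)
        if entry is not None and now - entry[0] < self._ttl:
            return entry[1]
        self.lookups += 1
        addrs = self._resolver(name)
        self._cache[name] = (now, addrs)
        return addrs


def client_matches(client_ip: str, resolver: CachedResolver,
                   name: str = DYNAMIC_NAME) -> bool:
    """True only when the connecting IP is one of name's current addresses."""
    try:
        client = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False  # garbage in the query string: never a match
    return str(client) in resolver.addresses(name)


def urlcheck_reply(client_ip: str, resolver: CachedResolver,
                   name: str = DYNAMIC_NAME) -> str:
    """Body returned to milter-greylist.  Assumption: the Ok line means the
    urlcheck clause matched; an empty body means it did not."""
    if client_matches(client_ip, resolver, name):
        return "milterGreylistStatus: Ok\n"
    return ""


class Handler(BaseHTTPRequestHandler):
    resolver = CachedResolver()

    def do_GET(self) -> None:
        ip = parse_qs(urlparse(self.path).query).get("ip", [""])[0]
        body = urlcheck_reply(ip, self.resolver).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Loopback only: this service decides who skips greylisting, so it must
    # not be reachable from the networks the MTA accepts mail from.
    HTTPServer(("127.0.0.1", 8090), Handler).serve_forever()
```

The cache is where Matt's objection bites: a dyndns name's TTL is short precisely because the address moves, so any longer application-side refresh interval keeps the previous address whitelisted for the rest of that interval. A ttl of minutes rather than hours narrows that window; SMTP AUTH, which Matt suggested at the top of the thread, removes it altogether.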

Re: [milter-greylist] How To Whitelist a Dynamic IP Sender?

2008-02-28 by Matt Kettler

Bob Smith wrote:

> I was thinking of something like
> 
> racl whitelist dns foo.dynip.com lookup 3h
> 
> to ease the load.

So, you're trying to use milter-greylist's database to get around the fact that 
the DNS entry has a very short TTL. I don't know that that's a good solution 
from a technical correctness point of view. It's essentially a dirty, ugly hack.

>  The actual IP address which corresponds to 
> foo.dynip.com changes only when my home machine reboots and thus 
> acquires another dynamic IP address.  This is uncommon enough that a 
> check on every incoming message is way too drastic.
> 
> Is this design reasonable, or would you suggest something else?

If you can, I would suggest using SMTP AUTH or TLS instead. That would work no 
matter what your home IP address is, or how often it changes.

On the bonus side, you can also use the SMTP AUTH on your MTA to allow relaying, 
if you need it, without making your server an open relay.

Fundamentally, I think the whole approach of trying to use forward DNS of a 
dyndns.org name to see if a particular host is your home pc is a bad solution. 
"round peg in badly hacked into square hole" comes to mind here.

Get your home PC to authenticate connections or at least identify itself with a 
SSL certificate. That's what these features of SMTP exist for. SMTP AUTH was 
created largely to identify authorized users that wander around across different 
IPs.

TLS has a lot of other uses, but it's a DAMN solid way to validate a server is 
who it says without having to trust its IP. It has the advantage of being 
server-centric instead of user centric like SMTP AUTH.

Depending on what your home PC is doing one or the other should work. If it's 
running an email client, use SMTP AUTH. If it's running an email server, use TLS.

Re: [milter-greylist] How To Whitelist a Dynamic IP Sender?

2008-02-29 by manu@netbsd.org

Matt Kettler <mkettler@...> wrote:

> If you can, I would suggest using SMTP AUTH or TLS instead. That would work no
> matter what your home IP address is, or how often it changes.

Indeed, that makes much more sense.

> On the bonus side, you can also use the SMTP AUTH on your MTA to allow
> relaying, if you need it, without making your server an open relay.

While we are on this topic: how do you tell sendmail to allow relaying
when SMTP AUTH or STARTTLS was validated? 

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [milter-greylist] How To Whitelist a Dynamic IP Sender?

2008-02-29 by Michael Mansour

Hi Emmanuel,

> Matt Kettler <mkettler@...> wrote:
> 
> > If you can, I would suggest using SMTP AUTH or TLS instead. That would work no
> > matter what your home IP address is, or how often it changes.
> 
> Indeed, that makes much more sense.
> 
> > On the bonus side, you can also use the SMTP AUTH on your MTA to allow
> > relaying, if you need it, without making your server an open relay.
> 
> While we are on this topic: how do you tell sendmail to allow 
> relaying when SMTP AUTH or STARTTLS was validated?

dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl

There are of course other options you can put there, but that's the default
for sendmail.mc

Regards,

Michael.

> -- 
> Emmanuel Dreyfus
> http://hcpnet.free.fr/pubz
> manu@...
------- End of Original Message -------

Re: [milter-greylist] How To Whitelist a Dynamic IP Sender?

2008-02-29 by Emmanuel Dreyfus

On Fri, Feb 29, 2008 at 06:48:50PM +1000, Michael Mansour wrote:
> dnl # The following allows relaying if the user authenticates, and disallows
> dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
> dnl define(`confAUTH_OPTIONS', `A p')dnl

Well, I have A p y (y disables anonymous login), but sendmail still refuses
relaying for authenticated users.

-- 
Emmanuel Dreyfus
manu@...

Re: [milter-greylist] How To Whitelist a Dynamic IP Sender?

2008-02-29 by Michael Mansour

Hi Emmanuel,

> On Fri, Feb 29, 2008 at 06:48:50PM +1000, Michael Mansour wrote:
> > dnl # The following allows relaying if the user authenticates, and disallows
> > dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
> > dnl define(`confAUTH_OPTIONS', `A p')dnl
> 
> Well, I have A p y (y disables anonymous login), but sendmail still refuses
> relaying for authenticated users.

In my production environment, I have:

define(`confAUTH_OPTIONS', `A y')dnl

and sendmail accepts authenticated users.

What I showed in the previous email was just defaults, which are commented out
("dnl" in front) so not something I use in production.

Regards,

Michael.

> -- 
> Emmanuel Dreyfus
> manu@...
------- End of Original Message -------

Re: [milter-greylist] How To Whitelist a Dynamic IP Sender?

2008-02-29 by Matt Kettler

Emmanuel Dreyfus wrote:
> On Fri, Feb 29, 2008 at 06:48:50PM +1000, Michael Mansour wrote:
>> dnl # The following allows relaying if the user authenticates, and disallows
>> dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
>> dnl define(`confAUTH_OPTIONS', `A p')dnl
> 
> Well, I have A p y (y disables anonymous login), but sendmail still refuses
> relaying for authenticated users.
> 

IIRC you need to not just support it as an AUTH_OPTION, but also have a 
TRUST_AUTH_MECH.

Check out

http://www.joreybump.com/code/howto/smtpauth.html

Which is a combo of SMTP auth and TLS.

Re: [milter-greylist] How To Whitelist a Dynamic IP Sender?

2008-02-29 by Bob Smith

Matt Kettler wrote:
> 
> 
> Bob Smith wrote:
> 
>  > I was thinking of something like
>  >
>  > racl whitelist dns foo.dynip.com lookup 3h
>  >
>  > to ease the load.

[...]

> Depending on what your home PC is doing one or the other should work. If 
> it's
> running an email client, use SMTP AUTH. If it's running an email server, 
> use TLS.

Thanks for the suggestion -- SMTP AUTH works and is a much better solution.

-- 
_______________________________________________________________
Bob Smith - bsmith@... - http://www.sudleyplace.com

Re: [milter-greylist] How To Whitelist a Dynamic IP Sender?

2008-02-29 by manu@netbsd.org

Matt Kettler <mkettler@...> wrote:

> IIRC you need to not just support it as an AUTH_OPTION, but also have a
> TRUST_AUTH_MECH.

Well, I have it. My sendmail.cf has:

O AuthOptions=A p y 
C{TrustAuthMech}LOGIN PLAIN
O AuthMechanisms=LOGIN PLAIN

Authentication works (over SSL), but authenticated users still have
relaying denied.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...
