Yahoo Groups archive

Milter-greylist

A less strict auto-whitelist?

2009-06-24 by William Yang / CISSP

Hi.

I have bastion MX servers which relay incoming messages after appropriate
checks (virus, spam, standards, and greylist), but also relay outgoing
messages to the Internet from my internal network; among other things these
servers use milter-greylist.

Today, one of my users said something to me that really made me think.

  "If I send a message to someone on the Internet, then I should really
   accept mail from that address -- anybody I send a message to should be
   whitelisted, at least for some period of time."

Assuming sender@... sends a message to recipient@...,
it seems like the moral equivalent of:

 racl whitelist from recipient@... rcpt sender@...

should automatically just happen, with some configurable timeout on the
rule... ideally, in a format that the MX sync function would recognize.

This would be an action based on just the inverted sender-recipient pair,
rather than a sender-recipient-sendingIP tuple.  What it comes down to is
that there's a reasonable argument, to me, that sending a message to an
address grants permission to that address to send mail to me for some
period of time.

So... this is first a request for a sanity check and, if sane, a feature
request.  I'm willing to work on it, but really don't understand the code
to milter-greylist particularly well.  I do have more reading to do, of
course....


	-Bill
-- 
William Yang, CISSP
William.Yang@...

Re: [milter-greylist] A less strict auto-whitelist?

2009-06-25 by Emmanuel Dreyfus

On Wed, Jun 24, 2009 at 07:57:27PM -0400, William Yang / CISSP wrote:
>   "If I send a message to someone on the Internet, then I should really
>    accept mail from that address -- anybody I send a message to should be
>    whitelisted, at least for some period of time."

The problem is that you don't know the IP address from which the answer 
will come. So the real modification here is to modify the autowhitelist
so that masks can be stored along with IP, and after you accept a message
<ip,from,rcpt>, you'd be optionally able to insert this into the database:
ip/32 from rcpt
0.0.0.0/0 rcpt from

If you decide to work on that, make sure you use the latest code, as the
autowhitelist code was heavily modified recently (autowhitelist and 
greylist are now merged).


-- 
Emmanuel Dreyfus
manu@...

Re: A less strict auto-whitelist?

2009-10-10 by d d

> The problem is that you don't know the IP address from which the answer 

I am looking for the same thing. It doesn't matter which IP address the reply comes from. If I sent a message to someone, it means I am expecting a reply. So they should be allowed from *any* IP address (might be a configurable amount of time).

What solution can we have for this?

Re: [milter-greylist] Re: A less strict auto-whitelist?

2009-10-10 by Bob Friesenhahn

On Sat, 10 Oct 2009, d d wrote:

>> The problem is that you don't know the IP address from which the answer
>
> I am looking for the same thing. It doesn't matter which IP address 
> the reply comes from. If I sent a message to someone, it means I am 
> expecting a reply. So they should be allowed from *any* IP address 
> (might be a configurable amount of time).
>
> What solution can we have for this?

Not easy.  You might send an email to bashful@... and the 
response comes from grumpy@....  This behavior seems quite 
common.

There is a cost to greylisting, but for me it is certainly worth it.

Bob
--
Bob Friesenhahn
bfriesen@..., http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/

Re: A less strict auto-whitelist?

2009-10-11 by d d

--- In milter-greylist@yahoogroups.com, Bob Friesenhahn <bfriesen@...> wrote:
>
> On Sat, 10 Oct 2009, d d wrote:
> 
> >> The problem is that you don't know the IP address from which the answer
> >
> > I am looking for the same thing. It doesn't matter which IP address 
> > the reply comes from. If I sent a message to someone, it means I am 
> > expecting a reply. So they should be allowed from *any* IP address 
> > (might be a configurable amount of time).
> >
> > What solution can we have for this?
> 
> Not easy.  You might send an email to bashful@... and the 
> response comes from grumpy@...  This behavior seems quite 
> common.

That can be configurable by allowing the entire domain. I checked some of my mails and that is not that common at all here. 63 senders checked, 2 have different return addresses.
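
The reverse-pair whitelist discussed in this thread, modelled as an added Python example; it is not part of any post and is not milter-greylist code. The class `ReplyWhitelist`, its parameters and the example.* addresses are assumptions made for illustration. It covers the timeout, the any-IP match and the optional whole-domain match raised in the replies.

```python
import time

class ReplyWhitelist:
    """Hypothetical model: mail sent to X lets X reply for a limited time."""

    def __init__(self, ttl_seconds, match_domain=False, clock=time.time):
        self.ttl = ttl_seconds
        self.match_domain = match_domain  # the "allow entire domain" option
        self.clock = clock                # injectable so expiry can be tested
        self.entries = {}                 # (remote key, local address) -> expiry

    @staticmethod
    def _norm(addr):
        return addr.strip().strip("<>").lower()

    def _remote_key(self, addr):
        addr = self._norm(addr)
        # In domain mode grumpy@example.org matches an entry made for
        # bashful@example.org, at the cost of a much wider bypass.
        return "@" + addr.rpartition("@")[2] if self.match_domain else addr

    def record_outbound(self, local_sender, remote_rcpt):
        """After relaying local_sender -> remote_rcpt, store the inverted pair."""
        key = (self._remote_key(remote_rcpt), self._norm(local_sender))
        self.entries[key] = self.clock() + self.ttl

    def is_whitelisted(self, env_from, env_rcpt):
        """True if inbound env_from -> env_rcpt may skip greylisting (any IP).

        The envelope sender is unauthenticated, so a match should only skip
        the greylisting delay, never the virus or spam checks.
        """
        key = (self._remote_key(env_from), self._norm(env_rcpt))
        expiry = self.entries.get(key)
        if expiry is None:
            return False
        if expiry <= self.clock():
            del self.entries[key]  # expired: back to normal greylisting
            return False
        return True

if __name__ == "__main__":
    wl = ReplyWhitelist(ttl_seconds=7 * 86400)
    wl.record_outbound("alice@example.com", "bashful@example.org")  # constructed
    print(wl.is_whitelisted("bashful@example.org", "alice@example.com"))
    print(wl.is_whitelisted("grumpy@example.org", "alice@example.com"))
```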
