Several suggestions incl "Defer" for DNSBL matches

psfblair
Posts: 6
Joined: Sun Dec 17, 2006 10:44 am

Post by psfblair »

Thanks for this service; it's helping me a great deal.

Here are some things I'd like to see, or ideas I've had:

1. Allow "Defer" on DNSBL matches. Right now I prefer to have DNSBL set to "tag" rather than "reject." However, if the blacklisted domain has an SPF record, its mail then gets past my greylist filter. What I'd really like is a way to make sure that any DNSBL matches automatically get greylisted.

2. Allow "Reject" on emails from nonexistent domains -- if a domain has no MX record it might be misconfigured, and so "defer" seems appropriate. But if the domain doesn't exist at all, or if the "From:" address is just plain invalid, I'd like a reject to happen.

3. What message are rejects sent with? In most if not all cases I'd like a "mailbox does not exist" message, to protect mailboxes from probing as much as possible.

4. If you do webmail, it would be nice to have a good trainable Bayesian filter for spam. It would also be nice if the webmail allowed any spam messages to be bounced with a permanent failure: If the message has gotten this far through all the other filters, it is more likely that the sender has a mail server that would handle the bounces.

Best,

Paul
RollerNetSupport
Site Admin
Posts: 598
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada

Post by RollerNetSupport »

1.
Turn off the "Don't delay SPF 'pass'" option in the Greylist configuration.

2.
We have the Postfix options "reject_unknown_sender_domain" and "reject_non_fqdn_sender" in the main config; these options can't be disabled on a per-domain basis, so they aren't in the account manager. The MX test under client checks (http://acc.rollernet.us/mail/handling.php) is usually effective for everything else. We can look at refining the global Postfix options if something is still getting through.

3.
The actual message depends on what triggered the reject; here are some examples:

too many retry attempts during greylisting period - access denied
relaying denied; can't find domain or user id
client blacklisted and can't send mail here!
User not allowed in recipient maps table (in reply to RCPT TO command)
User unknown in recipient maps table (in reply to RCPT TO command)
domain not found - relaying denied
Recipient unknown in valid users table (in reply to RCPT TO command)
Unable to validate recipient address, try again later (in reply to RCPT TO command)
Recipient rejected by final destination (in reply to RCPT TO command)
Unable to validate recipient address, try again later (in reply to RCPT TO command)
HELO/EHLO contains the same domain name as RCPT TO - rejecting.
Client name contains dynamic IP address pattern - recipient rejects dynamic IP clients.

4.
We're working on integrating SpamAssassin into the system; the biggest problem so far is how to nicely handle a lot of Bayes databases in a distributed system and allow them to be maintained through the account manager.
Technical Support support@rollernet.us
Roller Network LLC
psfblair
Posts: 6
Joined: Sun Dec 17, 2006 10:44 am

Post by psfblair »

With regard to #1, I realize that disabling the SPF pass would result in all the DNSBL mail going through the greylist, but it would also result in mail that is not suspect being delayed by the greylist as well. I can live with this, but it'd still be nice to have that defer option under DNSBL.
RollerNetSupport
Site Admin
Posts: 598
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada

Post by RollerNetSupport »

Okay, I understand what you mean now. We can look into a "Greylist Defer" option for DNSBL matches.
Technical Support support@rollernet.us
Roller Network LLC
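
The trade-off discussed in the posts above, as an added example (not Roller Network's code or part of the original thread): a small model of greylisting with the "Don't delay SPF 'pass'" exemption, comparing the "tag" DNSBL action with the requested "Greylist Defer" action. The function names, the `greylist_defer` value, the 300-second delay and the sample messages are assumptions made for illustration.

```python
GREYLIST_DELAY = 300  # seconds a new triplet must wait; constructed value

class Greylist:
    """Minimal greylist keyed on (client IP, envelope sender, recipient)."""
    def __init__(self, delay=GREYLIST_DELAY):
        self.delay = delay
        self.first_seen = {}

    def passed(self, triplet, now):
        # Record the first attempt, then require `delay` seconds before accepting.
        first = self.first_seen.setdefault(triplet, now)
        return now - first >= self.delay

def decide(msg, greylist, now, skip_spf_pass=True, dnsbl_action="tag"):
    """Return (action, tags) for one delivery attempt.

    dnsbl_action: "tag", "reject", or the hypothetical "greylist_defer".
    """
    tags = []
    if msg["dnsbl_listed"]:
        if dnsbl_action == "reject":
            return "REJECT", tags
        tags.append("dnsbl-listed")
    # "Don't delay SPF 'pass'": SPF-pass mail skips the greylist ...
    exempt = skip_spf_pass and msg["spf"] == "pass"
    # ... unless a DNSBL match is configured to force greylisting.
    if msg["dnsbl_listed"] and dnsbl_action == "greylist_defer":
        exempt = False
    if exempt:
        return "ACCEPT", tags
    triplet = (msg["client_ip"], msg["sender"], msg["rcpt"])
    return ("ACCEPT" if greylist.passed(triplet, now) else "DEFER"), tags

# Constructed sample messages (documentation IP ranges and example domains).
LISTED = {"client_ip": "192.0.2.25", "sender": "a@listed.example",
          "rcpt": "paul@example.org", "spf": "pass", "dnsbl_listed": True}
CLEAN = {"client_ip": "198.51.100.7", "sender": "b@clean.example",
         "rcpt": "paul@example.org", "spf": "pass", "dnsbl_listed": False}

def first_attempt(msg, **cfg):
    """Action for a first delivery attempt against an empty greylist."""
    return decide(msg, Greylist(), now=0, **cfg)[0]

if __name__ == "__main__":
    for name, cfg in [("tag + SPF exemption", {}),
                      ("tag, exemption off", {"skip_spf_pass": False}),
                      ("greylist_defer", {"dnsbl_action": "greylist_defer"})]:
        print(name, first_attempt(LISTED, **cfg), first_attempt(CLEAN, **cfg))
```

Only the third configuration delays the DNSBL-listed sender on its first attempt while letting the unlisted SPF-pass sender through immediately.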
psfblair
Posts: 6
Joined: Sun Dec 17, 2006 10:44 am

Post by psfblair »

glendale2x wrote: Okay, I understand what you mean now. We can look into a "Greylist Defer" option for DNSBL matches.
Any status on the possibility of "Greylist Defer" for DNSBL matches?
RollerNetSupport
Site Admin
Posts: 598
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada

Post by RollerNetSupport »

We need to upgrade our caches before adding features that will cause additional load on them. We're probably looking at a week or two before we have the parts and install them. (Basically, CPU upgrades for 3 servers that currently have Celeron processors in them. They'll be getting P4's with HT.)
Technical Support support@rollernet.us
Roller Network LLC