Thanks for this service; it's helping me a great deal.
Here's some things I'd like to see, or ideas I've had:
1. Allow "Defer" on DNSBL matches. Right now I prefer to have DNSBL set to "tag" rather than "reject." However, if the blacklisted domain has an SPF record, its mail then gets past my greylist filter. What I'd really like is a way to make sure that any DNSBL matches automatically get greylisted.
2. Allow "Reject" on emails from nonexistent domains -- if a domain has no MX record it might be misconfigured, and so "defer" seems appropriate. But if the domain doesn't exist at all, or if the "From:" address is just plain invalid, I'd like a reject to happen.
3. What message are rejects sent with? In most if not all cases I'd like a "mailbox does not exist" message, to protect mailboxes from probing as much as possible.
4. If you do webmail, it would be nice to have a good trainable Bayesian filter for spam. It would also be nice if the webmail allowed any spam messages to be bounced with a permanent failure: If the message has gotten this far through all the other filters, it is more likely that the sender has a mail server that would handle the bounces.
Best,
Paul
Several suggestions incl "Defer" for DNSBL matches
-
- Site Admin
- Posts: 598
- Joined: Wed Nov 17, 2004 10:05 pm
- Location: Nevada
- Contact:
1.
Turn off the "Don't delay SPF 'pass'" option in the Greylist configuration.
2.
We have the Postfix options "reject_unknown_sender_domain" and "reject_non_fqdn_sender" in the main config; these options can't be disabled on a per-domain basis, so they aren't in the account manager. The MX test under client checks (http://acc.rollernet.us/mail/handling.php) is usually effective for everything else. We can look at refining the global Postfix options if something is still getting through.
3.
The actual message depends on what triggered the reject; here's some examples:
too many retry attempts during greylisting period - access denied
relaying denied; can't find domain or user id
client blacklisted and can't send mail here!
User not allowed in recipient maps table (in reply to RCPT TO command)
User unknown in recipient maps table (in reply to RCPT TO command)
domain not found - relaying denied
Recipient unknown in valid users table (in reply to RCPT TO command)
Unable to validate recipient address, try again later (in reply to RCPT TO command)
Recipient rejected by final destination (in reply to RCPT TO command)
Unable to validate recipient address, try again later (in reply to RCPT TO command)
HELO/EHLO contains the same domain name as RCPT TO - rejecting.
Client name contains dynamic IP address pattern - recipient rejects dynamic IP clients.
4.
We're working on integrating SpamAssassin into the system; the biggest problem so far is how to nicely handle a lot of Bayes databases in a distributed system and allow them to be maintained through the account manager.
Technical Support support@rollernet.us
Roller Network LLC
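The interaction discussed in item 1, as an added example that is not Roller Network's code: a minimal triplet greylist showing how a "Don't delay SPF 'pass'" bypass lets a DNSBL-tagged client skip the delay, how turning the option off changes that, and what the requested "always greylist DNSBL matches" behaviour would look like. The class, parameter names, the 300-second delay and the sample addresses are all assumptions made for illustration.

```python
import time

GREYLIST_DELAY = 300  # seconds a new triplet must wait (assumed value)


class Greylist:
    """Minimal triplet greylist; every name here is hypothetical."""

    def __init__(self, skip_spf_pass=True, always_delay_dnsbl=False):
        self.skip_spf_pass = skip_spf_pass            # models "Don't delay SPF 'pass'"
        self.always_delay_dnsbl = always_delay_dnsbl  # behaviour requested in item 1
        self.first_seen = {}                          # (client_ip, sender, rcpt) -> time

    def check(self, client_ip, sender, rcpt, spf_pass, dnsbl_listed, now=None):
        now = time.time() if now is None else now
        bypass = self.skip_spf_pass and spf_pass
        if dnsbl_listed and self.always_delay_dnsbl:
            bypass = False  # a DNSBL "tag" hit never skips the delay
        if bypass:
            return "PERMIT"
        key = (client_ip, sender.lower(), rcpt.lower())
        seen = self.first_seen.setdefault(key, now)
        if now - seen < GREYLIST_DELAY:
            return "DEFER 450 greylisted, try again later"
        return "PERMIT"


def demo():
    """Run constructed sample traffic through the three configurations."""
    listed = ("192.0.2.10", "news@example.net", "paul@example.org")   # constructed
    clean = ("198.51.100.7", "friend@example.com", "paul@example.org")  # constructed
    results = {}
    # Option on: the listed client publishes SPF and passes straight through.
    results["option_on"] = Greylist().check(*listed, True, True, now=0)
    # Option off (the reply's answer): listed client is delayed, and so is
    # every other first-time sender, SPF pass or not.
    off = Greylist(skip_spf_pass=False)
    results["option_off_first"] = off.check(*listed, True, True, now=0)
    results["option_off_retry"] = off.check(*listed, True, True, now=GREYLIST_DELAY)
    results["option_off_clean"] = off.check(*clean, True, False, now=0)
    # Requested behaviour: only DNSBL matches lose the SPF bypass.
    req = Greylist(always_delay_dnsbl=True)
    results["requested_listed"] = req.check(*listed, True, True, now=0)
    results["requested_clean"] = req.check(*clean, True, False, now=0)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```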
-
- Site Admin
- Posts: 598
- Joined: Wed Nov 17, 2004 10:05 pm
- Location: Nevada
- Contact:
We need to upgrade our caches before adding features that will cause additional load on them. We're probably looking at a week or two before we have the parts and install them. (Basically, CPU upgrades for 3 servers that currently have Celeron processors in them. They'll be getting P4's with HT.)
Technical Support support@rollernet.us
Roller Network LLC