[OpenIndiana-discuss] Qmail-to-go on openindiana?

Gary Gendel gary at genashor.com
Fri Apr 27 15:20:22 UTC 2012


On 4/26/12 10:53 PM, Christopher Chan wrote:
> On Thursday, April 26, 2012 08:30 PM, Gary Gendel wrote:
>> On 4/26/12 5:01 AM, Christopher Chan wrote:
>>> On 26/04/12 12:17 AM, Gary Gendel wrote:
>>>
>>>> That isn't what spamdyke is trying to accomplish here. This checks to
>>>> see if the sender is trying to spoof the MTA. What spamdyke is trying to
>>>> do is to blacklist emails based upon the ip address embedded in the
>>>> sending domain name. For example:
>>>>
>>>> If I get mail from 208.1.48.3 and its reverse domain lookup resolves to
>>>> customer.208.001_48.3.sample.com and sample.com is on my list it is
>>>> blocked.
>>>>
>>>
>>> Again, it's available with the following configuration parameter:
>>>
>>>    check_reverse_client_hostname_access type:table
>>>
>>> Table should have key "sample.com" and RHS = REJECT, blah
>>>
>>> Table details:
>>>
>>> http://www.postfix.org/access.5.html
>>>
>> Chris, I'm still unclear on how to do this.  How could you write a
>> regular expression to check to see if the connecting ip address is
>> buried in the reverse dns lookup.
>>
>> In my example, spamdyke would reject customer.208.001_48.3.sample.com,
>> but customer.108.001_48.3.sample.com would not be rejected because it
>> doesn't match the ip address of the sending MTA.  This prevents
>> rejecting reverse dns names with strings of arbitrary numbers in them.
>
> Gary,
>
> I am sorry, but things are a bit unclear here. Is it "don't block 
> misconfigured clients but do block clients with proper rdns in this 
> domain"?
>
> What do you mean by "customer.108.001_48.3.sample.com would not be 
> rejected because it doesn't match the ip address of the sending MTA"? 
> That customer.108.001_48.3.sample.com A would not map back to the ip 
> of server whose PTR record points to customer.108.001_48.3.sample.com?

This is the scenario...

I get a connection from ip address 1.2.3.4.  The reverse DNS lookup 
returns foo.001_002-3_4.example.com.

If I have .example.com in an ip-in-rdns-keyword-blacklist option list, 
spamdyke will scan the reverse domain looking for the ip address in the 
reverse domain list, find it, and reject the mail.  Notice that it does 
a contextual scan so it recognizes that 001 is the same as 1, the 
elements can be separated by various symbols, etc.

Now, if I have a connection 1.2.3.4 and the reverse DNS lookup returns 
foo.43.1.23.4.example.com spamdyke will let that pass since the specific 
ip address would not be found.

All I was saying is that using regular expressions, I can't see how you 
could do this distinction.  The worst case would be if I did something 
draconian like putting ".net" on the list. Regular expressions would 
reject anything with the appropriate sequence of arbitrary numbers and 
punctuation whereas Spamdyke would limit it to a sequence that matches 
the sending ip. Spamdyke has an option to automatically do this for 
domains that end in country codes.  A regular expression would be overly 
optimistic and potentially reject a lot of good sending MTAs.

I also have a honeypot set up.  Any email that is received by that does 
some analysis and automatically puts it in a spamdyke blacklist, where 
it will remain as long as it isn't renewed (sent to the honeypot) before 
an expiration time is met.

I have built up a lot of infrastructure using spamdyke that gives me a 
superior spam rejection with no reported false positives.  Bottom line 
is that I'm not ready to lose this capability until I have a replacement 
for spamdyke's menu of options, ease of configuration and performance.

Gary
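[Editor's note: the block below is a worked example added to this archived message; it is not code from the thread, from spamdyke or from Postfix. It models the ip-in-rdns-keyword-blacklist behaviour exactly as Gary describes it above (the client's own octets must appear, in order, as numeric runs in the PTR name, with leading zeros and arbitrary separators tolerated, and only for names under a listed domain), and then wraps that decision as a handler for the Postfix SMTPD policy-delegation protocol, since a check whose pattern depends on the connecting IP has to be evaluated per connection rather than from a static access table. The attribute names client_address and reverse_client_name are the ones the Postfix policy protocol really sends; the function names, the sample blacklist and the country-code option's exact semantics are my assumptions, and spamdyke's real matcher may differ in detail.]

```python
"""Model of spamdyke's ip-in-rdns-keyword-blacklist check as described in
the thread, plus a Postfix SMTPD policy-protocol front end.  Added example;
not spamdyke's or Postfix's own code.  Names here are assumptions."""

import ipaddress
import re

# Constructed sample list in the spirit of Gary's ".example.com" entry.
# A leading dot means "any host under this domain".
KEYWORD_BLACKLIST = [".example.com", ".sample.com"]

_DIGIT_RUN = re.compile(r"[0-9]+")


def suffix_listed(rdns, blacklist=KEYWORD_BLACKLIST, cc_tlds=False):
    """True if the reverse name is under a listed domain (case-insensitive),
    or, with cc_tlds=True, ends in a two-letter TLD.  The cc_tlds branch is
    modelled on the option Gary mentions; its exact spamdyke semantics are
    assumed, not taken from spamdyke's source."""
    name = rdns.lower().rstrip(".")
    for entry in blacklist:
        dom = entry.lower().lstrip(".")
        if name == dom or name.endswith("." + dom):
            return True
    if cc_tlds:
        tld = name.rsplit(".", 1)[-1]
        if len(tld) == 2 and tld.isalpha():
            return True
    return False


def ip_in_rdns(ip, rdns):
    """True if the IPv4 octets of `ip` occur, in order, as consecutive
    numeric runs in `rdns`.  Runs are compared numerically (001 == 1) and
    any non-digit characters may separate them, so 001_002-3_4 matches
    1.2.3.4 while 43.1.23.4 does not."""
    octets = [int(o) for o in str(ipaddress.IPv4Address(ip)).split(".")]
    runs = [int(r) for r in _DIGIT_RUN.findall(rdns)]
    # slide a window the width of the address over the numeric runs
    for i in range(len(runs) - len(octets) + 1):
        if runs[i:i + len(octets)] == octets:
            return True
    return False


def should_reject(ip, rdns, blacklist=KEYWORD_BLACKLIST, cc_tlds=False):
    """Reject only when BOTH conditions hold: the name is under a listed
    domain AND the client's own address is embedded in it.  A missing PTR
    is not this check's business (other checks would handle that)."""
    if not rdns:
        return False
    return suffix_listed(rdns, blacklist, cc_tlds) and ip_in_rdns(ip, rdns)


def policy_response(request_text, blacklist=KEYWORD_BLACKLIST, cc_tlds=False):
    """Handle one Postfix SMTPD policy request (name=value lines ended by a
    blank line) and return the response.  Postfix sends client_address and
    reverse_client_name; reverse_client_name is 'unknown' when the PTR
    lookup fails.  The reject text is illustrative."""
    attrs = {}
    for line in request_text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            attrs[key.strip()] = value.strip()
    ip = attrs.get("client_address", "")
    rdns = attrs.get("reverse_client_name", "")
    if rdns == "unknown":
        rdns = ""
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return "action=DUNNO\n\n"  # IPv6 or malformed: leave to other checks
    if should_reject(ip, rdns, blacklist, cc_tlds):
        return "action=REJECT client address embedded in reverse DNS name\n\n"
    return "action=DUNNO\n\n"


if __name__ == "__main__":
    # The two cases from Gary's message: constructed input, nothing is looked up.
    for name in ("foo.001_002-3_4.example.com", "foo.43.1.23.4.example.com"):
        print(name, "->", "REJECT" if should_reject("1.2.3.4", name) else "pass")
```

To use it with Postfix you would serve policy_response() over a socket listed in master.cf and reference it with check_policy_service in smtpd_client_restrictions; the point of the example is only that the numeric comparison is done against the live client address, which is what keeps a ".net" entry from matching every name that merely contains four numbers.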