Posted to users@spamassassin.apache.org by Marc Perkel <ma...@perkel.com> on 2008/02/27 05:43:21 UTC

Quick Postfix Question [OT]

Postfix allows you to use blacklists as follows:

reject_rbl_client blacklist.junkemailfilter.com

Does Postfix allow you to use white lists? If so - what's the syntax? 
I'm about to publish my whitelist for Postfix.


Re: Quick Postfix Question [OT]

Posted by Aaron Wolfe <aa...@gmail.com>.
On Wed, Feb 27, 2008 at 3:12 PM, Henrik K <he...@hege.li> wrote:
> On Wed, Feb 27, 2008 at 03:00:49PM -0500, Aaron Wolfe wrote:
>  > On Wed, Feb 27, 2008 at 2:50 PM, Bob Proulx <bo...@proulx.com> wrote:
>  > > Marc Perkel wrote:
>  > >  > It appears that Postfix only does DNS blacklists and not whitelists
>  > >  > then. I was going to publish my whitelist and Postfix instructions but I
>  > >  > guess I can't do that.
>  > >
>  > >  That would be a better question for the postfix-users list.  Probably
>  > >  the way to do this is with the check_policy_service functionality.
>  > >  The "permit" action should permit the request.  I haven't created my
>  > >  own policy daemon though and so this is an academically derived
>  > >  answer.  According to the manual "Policy delegation is now the
>  > >  preferred method for adding policies to Postfix."
>  > >
>  > >  Bob
>  > >
>  > >
>  >
>  > Here's a hacked up version of postfix-policyd that uses the results
>  > from the hostkarma rbl.
>  > I'm sure it can be improved upon, but it works for me.
>
>  I'm sure that works, but I seriously recommend postfwd: http://postfwd.org/
>
>  You can easily use a config like:
>
>  rbl=hostkarma.junkemailfilter.com/127.0.0.1; action=OK whitelisted
>  rbl=hostkarma.junkemailfilter.com/127.0.0.2; action=REJECT blacklisted
>  rbl=hostkarma.junkemailfilter.com/127.0.0.3; action=PREPEND X-Karma: yellow
>
>  .. among many other things that are possible.
>
>

after looking at postfwd for only a few minutes, I have to agree..
don't use my messy code, use postfwd!
I will be soon.

-Aaron

Re: Quick Postfix Question [OT]

Posted by Henrik K <he...@hege.li>.
On Thu, Feb 28, 2008 at 09:39:13AM +0100, Benny Pedersen wrote:
> 
> > rbl=hostkarma.junkemailfilter.com/127.0.0.1; action=OK whitelisted
> 
> suggest change OK to permit_auth_destination or DUNNO

To nitpick more, of course you already have reject_unauth_destination before
policy checks. Why would you want to spend time processing policy for domains
that aren't yours?

Also the point of DUNNO is a bit moot. It may as well need to be OK. You can't
generalize setups with such one-liners.

:-)

Re: Quick Postfix Question [OT]

Posted by Benny Pedersen <me...@junc.org>.
> rbl=hostkarma.junkemailfilter.com/127.0.0.1; action=OK whitelisted

suggest change OK to permit_auth_destination or DUNNO

> rbl=hostkarma.junkemailfilter.com/127.0.0.2; action=REJECT blacklisted
> rbl=hostkarma.junkemailfilter.com/127.0.0.3; action=PREPEND X-Karma: yellow
>
> .. among many other things that are possible.

:-)


Re: Quick Postfix Question [OT]

Posted by Henrik K <he...@hege.li>.
On Wed, Feb 27, 2008 at 03:00:49PM -0500, Aaron Wolfe wrote:
> On Wed, Feb 27, 2008 at 2:50 PM, Bob Proulx <bo...@proulx.com> wrote:
> > Marc Perkel wrote:
> >  > It appears that Postfix only does DNS blacklists and not whitelists
> >  > then. I was going to publish my whitelist and Postfix instructions but I
> >  > guess I can't do that.
> >
> >  That would be a better question for the postfix-users list.  Probably
> >  the way to do this is with the check_policy_service functionality.
> >  The "permit" action should permit the request.  I haven't created my
> >  own policy daemon though and so this is an academically derived
> >  answer.  According to the manual "Policy delegation is now the
> >  preferred method for adding policies to Postfix."
> >
> >  Bob
> >
> >
> 
> Here's a hacked up version of postfix-policyd that uses the results
> from the hostkarma rbl.
> I'm sure it can be improved upon, but it works for me.

I'm sure that works, but I seriously recommend postfwd: http://postfwd.org/

You can easily use a config like:

rbl=hostkarma.junkemailfilter.com/127.0.0.1; action=OK whitelisted
rbl=hostkarma.junkemailfilter.com/127.0.0.2; action=REJECT blacklisted
rbl=hostkarma.junkemailfilter.com/127.0.0.3; action=PREPEND X-Karma: yellow

.. among many other things that are possible.


Hostkarma List Compatibility

Posted by Marc Perkel <su...@junkemailfilter.com>.
BTW, I appreciate it that you are interested enough in my 
black/white/yellow lists that you're writing code for it. If there's 
anything you would like me to do on my end to make it easier let me know.

Also, I don't know if you can do this in Postfix or SpamAssassin but my 
lists do more than just IP based lookups. It also has white lists and 
black lists based on the host name and it's extremely effective. In Exim 
it's very easy to do this but it would be nice to not limit it to just 
Exim. The idea is that you get the forward confirmed hostname and look 
that up in the HostKarma list. This works very well for me and if others 
started doing this too I'm sure that the spam filtering community would 
do it better than I am.


Re: Quick Postfix Question [OT]

Posted by Aaron Wolfe <aa...@gmail.com>.
On Wed, Feb 27, 2008 at 2:50 PM, Bob Proulx <bo...@proulx.com> wrote:
> Marc Perkel wrote:
>  > It appears that Postfix only does DNS blacklists and not whitelists
>  > then. I was going to publish my whitelist and Postfix instructions but I
>  > guess I can't do that.
>
>  That would be a better question for the postfix-users list.  Probably
>  the way to do this is with the check_policy_service functionality.
>  The "permit" action should permit the request.  I haven't created my
>  own policy daemon though and so this is an academically derived
>  answer.  According to the manual "Policy delegation is now the
>  preferred method for adding policies to Postfix."
>
>  Bob
>
>

Here's a hacked up version of postfix-policyd that uses the results
from the hostkarma rbl.
I'm sure it can be improved upon, but it works for me.




# postfix-policyd-spf-perl
# http://www.openspf.org/Software
# version 2.004
#
# (C) 2007      Scott Kitterman <sc...@kitterman.com>
# (C) 2007      Julian Mehnle <ju...@mehnle.net>
# (C) 2003-2004 Meng Weng Wong <me...@pobox.com>
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License along
#    with this program; if not, write to the Free Software Foundation, Inc.,
#    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.


#  hacked up to query hostkarma
#  by aaron <aa...@gmail.com>



use strict;

use IO::Handle;
use IO::Socket;
use Sys::Syslog qw(:DEFAULT setlogsock);
use NetAddr::IP;
use Net::DNS;
use Fcntl;


require "/etc/eps/config.pl";

# ----------------------------------------------------------
#                      configuration
# ----------------------------------------------------------



# Adding more handlers is easy:
my @HANDLERS = (
    {
        name => 'hostkarma_lookup',
        code => \&hostkarma_lookup
    },

);

my $VERBOSE = 0;

my $DEFAULT_RESPONSE = 'DUNNO';

#
# Syslogging options for verbose mode and for fatal errors.
# NOTE: comment out the $syslog_socktype line if syslogging does not
# work on your system.
#

my $syslog_socktype = 'unix'; # inet, unix, stream, console
my $syslog_facility = 'mail';
my $syslog_options  = 'pid';
my $syslog_ident    = 'postfix/hk_lookup';

use constant localhost_addresses => map(
    NetAddr::IP->new($_),
    qw(  127.0.0.0/8  ::ffff:127.0.0.0/104  ::1  )
);  # Does Postfix ever say "client_address=::ffff:<ipv4-address>"?

use constant relay_addresses => map(
    NetAddr::IP->new($_),
    qw(  69.13.218.0/25 72.35.73.193/32 )
); # add addresses to qw (  ) above separated by spaces using CIDR notation.

my %results_cache;  # by message instance

my $dns  = Net::DNS::Resolver->new;


# ----------------------------------------------------------
#                      initialization
# ----------------------------------------------------------

#
# Log an error and abort.
#
sub fatal_exit {
    syslog(err     => "fatal_exit: @_");
    syslog(warning => "fatal_exit: @_");
    syslog(info    => "fatal_exit: @_");
    die("fatal: @_");
}

#
# Unbuffer standard output.
#
STDOUT->autoflush(1);

#
# This process runs as a daemon, so it can't log to a terminal. Use
# syslog so that people can actually see our messages.
#
setlogsock($syslog_socktype);
openlog($syslog_ident, $syslog_options, $syslog_facility);

# ----------------------------------------------------------
#                           main
# ----------------------------------------------------------

#
# Receive a bunch of attributes, evaluate the policy, send the result.
#
my %attr;
while (<STDIN>) {
    chomp;

    if (/=/) {
        my ($key, $value) =split (/=/, $_, 2);
        $attr{$key} = $value;
        next;
    }
    elsif (length) {
        syslog(warning => sprintf("warning: ignoring garbage: %.100s", $_));
        next;
    }

    if ($VERBOSE) {
        for (sort keys %attr) {
            syslog(debug => "Attribute: %s=%s", $_, $attr{$_});
        }
    }

    my $message_instance = $attr{instance};
    my $cache = defined($message_instance)
        ? $results_cache{$message_instance} ||= {}
        : {};

    my $action = $DEFAULT_RESPONSE;

    foreach my $handler (@HANDLERS) {
        my $handler_name = $handler->{name};
        my $handler_code = $handler->{code};

        my $response = $handler_code->(attr => \%attr, cache => $cache);

        if ($VERBOSE) {
            syslog(debug => "handler %s: %s", $handler_name, $response);
        }

        # Pick whatever response is not 'DUNNO'
        if ($response and $response !~ /^DUNNO/i) {
 #           syslog(info => "handler %s: is decisive.", $handler_name);
            $action = $response;
            last;
        }
    }

    syslog(info => "%s: Policy action=%s", $attr{queue_id}, $action);

    STDOUT->print("action=$action\n\n");
    %attr = ();
}


# ---------------------------------------
# hostkarma lookup
# ---------------------------------------

sub hostkarma_lookup
{
 local %_ = @_;
 my %attr = %{ $_{attr} };

 my $result = "DUNNO";
 my $color = "pink";

 if ( $attr{client_address} =~ m/(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/ )
 {
  my $laddr = "$4.$3.$2.$1.hostkarma.junkemailfilter.com";

  my $query = $dns->query($laddr, "A");

  if ($query)
  {
   # If several A records come back, the last one processed decides.
   foreach my $rr (grep { $_->type eq 'A' } $query->answer)
   {
    if ($rr->address eq '127.0.0.1')
    {
     # whitelisted
     $result = "OK";
     $color = "white";
    }
    elsif ($rr->address eq '127.0.0.2')
    {
     # blacklisted
     # Keep the action on one line: a newline here would end the policy reply early.
     $result = "REJECT $attr{client_address} is blacklisted at hostkarma.junkemailfilter.com";
     $color = "black";
    }
    elsif ($rr->address eq '127.0.0.3')
    {
     # yellow listed
     $result = "PREPEND X-Hostkarma: Yellowlisted ($attr{client_address})";
     $color = "yellow";
    }
    elsif ($rr->address eq '127.0.0.4')
    {
     # brown listed
     $result = "PREPEND X-Hostkarma: Brownlisted ($attr{client_address})";
     $color = "brown";
    }
#   syslog(info => "%s: HostKarma says %s is %s listed",
#          $attr{queue_id}, $attr{client_address}, $color );
   }
  }
 }
 return($result);
}
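
An added Python example, not Aaron's code and not part of postfwd, showing the same lookup with three points from this thread made explicit: the whitelist action is a parameter (the OK versus DUNNO discussion), a client that returns several codes gets one deterministic verdict, and the reply is always a single action line. The strictest-first ordering, the function names, and the injected `resolve` callable (a stand-in for a real DNS lookup) are assumptions made for this example.

```python
import ipaddress
ZONE = "hostkarma.junkemailfilter.com"      # zone named in the thread
# Return codes from the posted daemon, strictest first, so a client that is
# on several lists gets the strictest verdict (the ordering is an assumption).
VERDICTS = [
    ("127.0.0.2", "REJECT {ip} is blacklisted at " + ZONE),
    ("127.0.0.4", "PREPEND X-Hostkarma: Brownlisted ({ip})"),
    ("127.0.0.3", "PREPEND X-Hostkarma: Yellowlisted ({ip})"),
    ("127.0.0.1", "OK"),
]
SAMPLE = "request=smtpd_access_policy\nclient_address=192.0.2.25\n\n"  # constructed sample

def parse_request(text):
    """Parse one policy request: name=value lines ended by an empty line."""
    attr = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attr[name] = value
    return attr

def query_name(client_address):
    """Reversed-octet lookup name, or None when the client is not valid IPv4."""
    try:
        octets = str(ipaddress.IPv4Address(client_address)).split(".")
    except ValueError:
        return None
    return ".".join(reversed(octets)) + "." + ZONE

def decide(attr, resolve, whitelist_action="OK"):
    """Policy action for one request; resolve(name) returns A records as strings."""
    ip = attr.get("client_address", "")
    name = query_name(ip)
    if name is None:
        return "DUNNO"
    try:
        answers = set(resolve(name))
    except OSError:             # NXDOMAIN or DNS outage: leave the decision to Postfix
        return "DUNNO"
    for code, action in VERDICTS:
        if code in answers:
            return (whitelist_action if action == "OK" else action).format(ip=ip)
    return "DUNNO"

def reply(action):
    """Wire format: a single action line plus the empty line that ends the reply."""
    return "action=" + " ".join(action.split()) + "\n\n"
```

With the standard library, `lambda n: socket.gethostbyname_ex(n)[2]` can serve as `resolve`; it raises `socket.gaierror`, a subclass of `OSError`, for clients that are not listed.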

Re: Quick Postfix Question [OT]

Posted by Bob Proulx <bo...@proulx.com>.
Marc Perkel wrote:
> It appears that Postfix only does DNS blacklists and not whitelists 
> then. I was going to publish my whitelist and Postfix instructions but I 
> guess I can't do that.

That would be a better question for the postfix-users list.  Probably
the way to do this is with the check_policy_service functionality.
The "permit" action should permit the request.  I haven't created my
own policy daemon though and so this is an academically derived
answer.  According to the manual "Policy delegation is now the
preferred method for adding policies to Postfix."

Bob


Re: Quick Postfix Question [OT]

Posted by Benny Pedersen <me...@junc.org>.
> It appears that Postfix only does DNS blacklists and not whitelists
> then. I was going to publish my whitelist and Postfix instructions but I
> guess I can't do that.

http://linux.softpedia.com/get/Communications/Email-Filters/maRBL-16435.shtml

this link helps :-)

test for rbl blacklist and if not listed make a whitelist action class
result on this as a class in postfix



Re: Quick Postfix Question [OT]

Posted by Marc Perkel <ma...@perkel.com>.

Matthias Leisi wrote:
> mouss wrote:
>
> |> Does Postfix allow you to use white lists? If so - what's the syntax?
> |> I'm about to publish my whitelist for Postfix.
> |>
> |
> | No. DNSWL offer an rsync access.
>
> That's the exact reason we offer rsync access *to a specially formatted
> file* (see http://www.dnswl.org/tech#postfix and
> http://groups.google.com/group/list.postfix.users/browse_thread/thread/4fa72d11f61029c3/94f8969818d6a7c8) 
>
>

It appears that Postfix only does DNS blacklists and not whitelists 
then. I was going to publish my whitelist and Postfix instructions but I 
guess I can't do that.


Re: Quick Postfix Question [OT]

Posted by mouss <mo...@netoyen.net>.
Matthias Leisi wrote:
>
>
> mouss wrote:
>
> |> Does Postfix allow you to use white lists? If so - what's the syntax?
> |> I'm about to publish my whitelist for Postfix.
> |>
> |
> | No. DNSWL offer an rsync access.
>
> That's the exact reason we offer rsync access *to a specially formatted
> file* (see http://www.dnswl.org/tech#postfix and
> http://groups.google.com/group/list.postfix.users/browse_thread/thread/4fa72d11f61029c3/94f8969818d6a7c8)


and that's much appreciated.

Thanks a lot.


Re: Quick Postfix Question [OT]

Posted by Matthias Leisi <ma...@leisi.net>.
mouss wrote:

|> Does Postfix allow you to use white lists? If so - what's the syntax?
|> I'm about to publish my whitelist for Postfix.
|>
|
| No. DNSWL offer an rsync access.

That's the exact reason we offer rsync access *to a specially formatted
file* (see http://www.dnswl.org/tech#postfix and
http://groups.google.com/group/list.postfix.users/browse_thread/thread/4fa72d11f61029c3/94f8969818d6a7c8)

-- Matthias, for dnswl.org

Re: Quick Postfix Question [OT]

Posted by mouss <mo...@netoyen.net>.
Marc Perkel wrote:
> Postfix allows you to use blacklists as follows:
>
> reject_rbl_client blacklist.junkemailfilter.com
>
> Does Postfix allow you to use white lists? If so - what's the syntax? 
> I'm about to publish my whitelist for Postfix.
>

No. DNSWL offers rsync access. This is better for performance and for 
DoS.

for postfix related questions, please use the postfix-users list.