jared r r spiegel wrote:
On Sat, Aug 30, 2008 at 08:30:22AM +0000, Stuart Henderson wrote:
In any event, it's definitely not all that unusual...
seconded.
the closest i've come to being able to deal with this is
having written a script that performs SPF lookups on the
domain in question (e.g., will recurse up to a specified limit
for things like the mx SPF method) and spits out all the IPs
it found; then i turn around and use that as a source of
whitelisting.
I've found the list published at dnswl.org to be very helpful.
They prefer you rsync their data to help their bandwidth.
The postfix list was the easiest for me to massage into something I
could then stuff in with pfctl.
Here's my simple script:
#!/bin/sh
# Refresh the pf "whitelist" table from the dnswl.org postfix list
# plus a local override file.
cd /var/db/ || exit 1
if /usr/local/bin/rsync --times \
    rsync1.dnswl.org::dnswl/postfix-dnswl-permit . ; then
    echo success!
else
    # don't reload the table from a stale or partial download
    echo failure!
    exit 1
fi
# keep only the first (CIDR) column and drop comment lines
cut -f1 /var/db/postfix-dnswl-permit | grep -v "#" > /var/db/dnswl.txt
cat /var/db/local_override.txt /var/db/dnswl.txt > /var/db/override.txt
# replace swaps the table contents in one step, so there is no window
# where the table is empty between a delete and an add
/sbin/pfctl -T replace -t whitelist -f /var/db/override.txt
Jeff
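As an added example (not code from either poster), here is one way to write the SPF-expanding script jared describes: it walks a domain's SPF record, follows include:, redirect=, a and mx mechanisms up to a depth limit, guards against include loops, and emits the collected networks as lines suitable for "pfctl -T add -t whitelist -f". The DNS data is a constructed in-memory table so it runs offline; the domain names, records and the lookup() function are assumptions standing in for real DNS queries.

```python
"""Expand an SPF record into the set of IP networks it authorises.

Added example, not part of the original thread. SAMPLE_DNS is a constructed
stand-in for real DNS; replace lookup() with a resolver call to use it for real.
"""
import ipaddress

# Constructed sample records (assumption: none of these are real).
SAMPLE_DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net mx -all"],
    ("example.com", "MX"): ["mail1.example.com", "mail2.example.com"],
    ("mail1.example.com", "A"): ["198.51.100.10"],
    ("mail2.example.com", "A"): ["198.51.100.11"],
    ("_spf.example.net", "TXT"): ["v=spf1 ip6:2001:db8::/32 a:relay.example.net redirect=loop.example.org"],
    ("relay.example.net", "A"): ["203.0.113.5"],
    # deliberately self-referencing, to exercise the loop guard
    ("loop.example.org", "TXT"): ["v=spf1 include:loop.example.org ~all"],
}


def lookup(name, rtype, dns=SAMPLE_DNS):
    """Return the records of type rtype for name (empty list if none)."""
    return dns.get((name.lower().rstrip("."), rtype), [])


def spf_record(domain, lookup=lookup):
    """Return the TXT record that is an SPF v1 record, or None."""
    for txt in lookup(domain, "TXT"):
        low = txt.lower()
        if low == "v=spf1" or low.startswith("v=spf1 "):
            return txt
    return None


def _host_nets(host, cidr, lookup):
    """A/AAAA addresses of host, widened to cidr if an a/mx term carried one."""
    nets = set()
    for ip in lookup(host, "A") + lookup(host, "AAAA"):
        nets.add(ipaddress.ip_network(f"{ip}/{cidr}" if cidr else ip, strict=False))
    return nets


def expand_spf(domain, lookup=lookup, max_depth=10):
    """Return (networks, warnings) for domain's SPF policy.

    Follows include:, redirect=, a and mx recursively; stops at max_depth and
    refuses to expand a domain twice, so include loops terminate.
    """
    nets, warnings, seen = set(), [], set()

    def walk(dom, depth):
        dom = dom.lower().rstrip(".")
        if dom in seen:
            warnings.append(f"loop: {dom} already expanded")
            return
        if depth > max_depth:
            warnings.append(f"depth limit {max_depth} exceeded at {dom}")
            return
        seen.add(dom)
        rec = spf_record(dom, lookup)
        if rec is None:
            warnings.append(f"no SPF record for {dom}")
            return
        for term in rec.split()[1:]:
            t = term.lstrip("+-~?")          # qualifier is irrelevant for enumeration
            if t.lower().startswith("redirect="):
                walk(t[len("redirect="):], depth + 1)
                continue
            if t.lower().startswith("exp="):
                continue
            mech, _, arg = t.partition(":")
            mech, _, cidr = mech.partition("/")   # handles "a/24" and "mx/24" forms
            mech = mech.lower()
            if mech in ("ip4", "ip6"):
                try:
                    nets.add(ipaddress.ip_network(arg, strict=False))
                except ValueError:
                    warnings.append(f"bad network {arg!r} in {dom}")
            elif mech == "include":
                walk(arg, depth + 1)
            elif mech in ("a", "mx"):
                host, _, cidr2 = arg.partition("/")  # handles "a:host/24"
                host = host or dom
                cidr = cidr or cidr2
                targets = lookup(host, "MX") if mech == "mx" else [host]
                for target in targets:
                    nets.update(_host_nets(target, cidr, lookup))
            elif mech in ("all", "ptr", "exists"):
                pass                            # no fixed addresses to collect
            else:
                warnings.append(f"unknown term {term!r} in {dom}")

    walk(domain, 0)
    return nets, warnings


def pf_table_lines(nets):
    """Sorted CIDR strings, one per line, as pfctl -T ... -f expects."""
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]


if __name__ == "__main__":
    found, warns = expand_spf("example.com")
    print("\n".join(pf_table_lines(found)))
    for w in warns:
        print("# warning:", w)
```

Feed the printed lines to pfctl exactly as the script above does with the dnswl data; anything under "# warning:" is worth a look, since a loop or a hit on the depth limit means part of the sender's policy was not expanded.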