On Sat, 30 Aug 2008 10:52:42 -0600, Jeff Ross wrote:
>jared r r spiegel wrote:
>> On Sat, Aug 30, 2008 at 08:30:22AM +0000, Stuart Henderson wrote:
>>> In any event, it's definitely not all that unusual...
>> 
>>   seconded.
>> 
>>   the closest i've come to being able to deal with this is
>>   having written a script who performs SPF lookups on the
>>   domain in question (eg, will recurse up to a specified limit
>>   for things like the mx SPF method) and spits out all the IPs
>>   it found; then i turn around and use that as a source of
>>   whitelisting.
>> 
>
>I've found the list published at dnswl.org to be very helpful.
>
>They prefer you rsync their data to help their bandwidth.
>
>The postfix list was the easiest for me to massage into something I 
>could then stuff in with pfctl.
>
>Here's my simple script:
>
>#!/bin/sh
>cd /var/db/
>/usr/local/bin/rsync --times \
>    rsync1.dnswl.org::dnswl/postfix-dnswl-permit .
>if [ $? -ne 0 ] ; then
>   echo failure!
>else
>   echo success!
>fi
>/sbin/pfctl  -T delete -t whitelist -f /var/db/override.txt
>cat /var/db/postfix-dnswl-permit | cut -f1 | grep -v "#" > \
>    /var/db/dnswl.txt
>cat /var/db/local_override.txt /var/db/dnswl.txt > /var/db/override.txt
>/sbin/pfctl  -T add -t whitelist -f /var/db/override.txt
>
>
>Jeff
>

I think you could do with a couple of mods to that script.

a> "/sbin/pfctl  -T delete -t whitelist -f /var/db/override.txt" is
superfluous and, BTW, you don't need to name a file to delete a table.
See 'c' below for why I think the line is not needed.

b> A minor picky comment whilst I'm here:
"cat /var/db/postfix-dnswl-permit | cut -f1 | grep -v "#" > /var/db/dnswl.txt"
might have been more logically written swapping the grep and cut
operations (and mentioning for the benefit of users with less scripting
skills that maybe one or more selective uses of grep could have chosen
which Trust Levels were accepted).

c> The last line:
" /sbin/pfctl  -T add -t whitelist -f /var/db/override.txt"
could be replaced by:
" /sbin/pfctl  -Tr -t whitelist -f /var/db/override.txt"

By doing it that way you will avoid having 'whitelist' being empty for
some interval (and what happens if something goes awry at that point?)
and the table replace command sees to it that new addresses are added
to, and retired addresses are removed from, the table.

pfctl will even announce the number of additions and removals.

I hope that you (and others) find those hints useful. It's all about a
better experience for our community.

(Offlist replies not needed, thanks. Any such reply will not arrive
unless the Reply-to: address is used as only mails from the list and
OpenBSD account holders are accepted at this mailbox.)


Rod/
/earth: write failed, file system is full
cp: /earth/creatures: No space left on device
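The two suggestions above (filter the dnswl data by trust level before cutting the address field, and load the result with a single table replace instead of delete-then-add) put together as one script. This is an added example, not Jeff's script and not anything Rod posted. It assumes a dnswl line layout of "CIDR<TAB>permit<TAB># comment trust=N"; the real postfix-dnswl-permit layout may differ, so the awk filter is the part to adjust. The sample data is constructed from RFC 5737 documentation addresses, and the third argument to load_table is only there so the pfctl command can be shown with echo on a host without pf.

```shell
#!/bin/sh
# Added example (not Jeff's script and not Rod's reply): build a pf table file
# from a dnswl-style postfix permit file plus a local override list, then load
# it with one 'pfctl -T replace' so the table is never empty in between.
# ASSUMPTION: dnswl lines look like "CIDR<TAB>permit<TAB># comment trust=N";
# the real file layout may differ, so adjust the awk filter to match it.

# Print the first tab-separated field (the address/CIDR) of every data line
# whose trailing "trust=N" marker is at least $2 (0 accepts every data line).
extract_dnswl() {
    dnswl_file=$1
    min_trust=${2:-0}
    awk -F'\t' -v min="$min_trust" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments, blanks
        {
            trust = 0
            if (match($0, /trust=[0-9]+/))
                trust = substr($0, RSTART + 6, RLENGTH - 6)
            if (trust + 0 >= min + 0) print $1
        }' "$dnswl_file"
}

# Merge the local overrides (comment lines dropped) with the dnswl extract,
# sorted and de-duplicated so the table file is deterministic.
# $1 = local override file, $2 = dnswl file, $3 = minimum trust, $4 = output
build_table_file() {
    local_file=$1; dnswl_file=$2; min_trust=$3; out=$4
    { grep -v '^#' "$local_file"; extract_dnswl "$dnswl_file" "$min_trust"; } \
        | grep -v '^$' | sort -u > "$out"
}

# Replace the table contents in one operation; pfctl prints how many
# addresses were added and removed. $3 lets a caller substitute 'echo'
# to see the command on a host without pf.
load_table() {
    table=$1; file=$2; pfctl=${3:-/sbin/pfctl}
    "$pfctl" -T replace -t "$table" -f "$file"
}

# Demo on constructed sample data (RFC 5737 documentation addresses).
demo() {
    dir=$(mktemp -d)
    printf '# dnswl.org constructed sample\n' > "$dir/postfix-dnswl-permit"
    printf '192.0.2.0/24\tpermit\t# example sender trust=3\n' >> "$dir/postfix-dnswl-permit"
    printf '198.51.100.7\tpermit\t# marginal sender trust=1\n' >> "$dir/postfix-dnswl-permit"
    printf '203.0.113.0/28\tpermit\t# trust=2\n' >> "$dir/postfix-dnswl-permit"
    printf '# local overrides\n10.0.0.5\n' > "$dir/local_override.txt"
    build_table_file "$dir/local_override.txt" "$dir/postfix-dnswl-permit" 2 "$dir/override.txt"
    cat "$dir/override.txt"
    load_table whitelist "$dir/override.txt" echo   # prints the pfctl command
    rm -rf "$dir"
}

demo
```

With a minimum trust of 2 the demo keeps 192.0.2.0/24 and 203.0.113.0/28, drops 198.51.100.7, adds the local override, and then hands the merged file to `pfctl -T replace`, so a failed rsync leaves the previous table in place rather than an empty one.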