On Mon, Jan 18, 2010 at 12:25:54PM -0500, Victor Duchovni wrote:
> On Mon, Jan 18, 2010 at 07:01:45PM +0200, Henrik K wrote:
>
> > I think I prefer a separate daemon that tails postfix log and greps all
> > to=xxx, relay=xxx info and passes it to the policy daemon. That way the
> > policy daemon doesn't need to have a big DNS mess to resolve all the
> > recipient MX ips.
>
> MX IPs have nothing to do with it. A sender's sending IP often bears
> little relation to the IP where mail for the same address is delivered.
How about showing some of your stats for this silly claim? Here, have mine:

- Domain == lowercase @(.+)
- One week of logs
- Local domains removed from lists (so no spoofed spams etc)
- Total recipient domains: 4729
- Sender domains found from recipient domain list: 2954
- Hits (sender relay/24 == recipient relay): 1597
- Hits (sender relay/32 == recipient relay): 901

So even with exact IP, we have 31% (901/2954) hit rate for domains!!

> If you whitelist an outside sender address for a given internal recipient
> (original sender), no IP or DNS information is appropriate or required.

And the hit rate would be stupidly low. As I said, I'm looking for a more generic whitelisting to bypass MTA checks. Stupid SOHOs with dynamicish PTRs etc are common, same Exchange boxes sending and receiving mails. If some IP receives mail (possible for many domains), there's a _pretty high_ possibility of it being legitimate and a candidate for skipping SOME checks.
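The log correlation Henrik describes (pair each sender domain's connecting client IP with the relay IP used when delivering to that same domain, then count /32 and /24 hits), written out as an added example that is not part of the thread. The log lines are constructed; the regexes assume standard Postfix smtpd "client=", qmgr "from=" and smtp "to=, relay=" records.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread) in standard Postfix format:
# smtpd logs the connecting client, qmgr the envelope sender, smtp the relay used.
SAMPLE_LOG = """\
Jan 18 12:00:01 mx postfix/smtpd[100]: AAA1: client=mail.example.com[192.0.2.10]
Jan 18 12:00:01 mx postfix/qmgr[101]: AAA1: from=<bob@example.com>, size=500, nrcpt=1 (queue active)
Jan 18 12:00:02 mx postfix/smtp[102]: BBB2: to=<alice@example.com>, relay=mail.example.com[192.0.2.10]:25, delay=0.5, status=sent (250 ok)
Jan 18 12:00:03 mx postfix/smtpd[100]: CCC3: client=out.soho.test[198.51.100.7]
Jan 18 12:00:03 mx postfix/qmgr[101]: CCC3: from=<joe@soho.test>, size=600, nrcpt=1 (queue active)
Jan 18 12:00:04 mx postfix/smtp[102]: DDD4: to=<ann@soho.test>, relay=mx.soho.test[198.51.100.9]:25, delay=0.4, status=sent (250 ok)
Jan 18 12:00:05 mx postfix/smtpd[100]: EEE5: client=out.bigmail.test[203.0.113.5]
Jan 18 12:00:05 mx postfix/qmgr[101]: EEE5: from=<x@bigmail.test>, size=700, nrcpt=1 (queue active)
Jan 18 12:00:06 mx postfix/smtp[102]: FFF6: to=<y@bigmail.test>, relay=mx.bigmail.test[192.0.2.99]:25, delay=0.3, status=sent (250 ok)
Jan 18 12:00:07 mx postfix/smtpd[100]: GGG7: client=unknown[203.0.113.77]
Jan 18 12:00:07 mx postfix/qmgr[101]: GGG7: from=<z@nowhere.test>, size=300, nrcpt=1 (queue active)
"""

CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=\S+\[([\d.]+)\]")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<[^>@]*@([^>]+)>")
TO_RE = re.compile(r"postfix/smtp\[\d+\]: \w+: to=<[^>@]*@([^>]+)>, relay=\S+\[([\d.]+)\]")

def correlate(log_text):
    """Return (sender_domain -> client IPs seen, recipient_domain -> relay IPs used)."""
    client_ip = {}                        # queue id -> IP of the connecting client
    sender_ips = defaultdict(set)         # lowercased sender domain -> sending IPs
    recipient_relays = defaultdict(set)   # lowercased recipient domain -> delivery relay IPs
    for line in log_text.splitlines():
        if m := CLIENT_RE.search(line):
            client_ip[m.group(1)] = m.group(2)
        elif m := FROM_RE.search(line):
            if m.group(1) in client_ip:   # skip local pickup etc. that has no client= record
                sender_ips[m.group(2).lower()].add(client_ip[m.group(1)])
        elif m := TO_RE.search(line):
            recipient_relays[m.group(1).lower()].add(m.group(2))
    return sender_ips, recipient_relays

def slash24(ip):
    return ip.rsplit(".", 1)[0]           # "192.0.2.10" -> "192.0.2"

def hit_rates(sender_ips, recipient_relays):
    """Domains seen on both sides, and how many share a delivery IP (/32) or network (/24)."""
    common = set(sender_ips) & set(recipient_relays)
    hit32 = sum(1 for d in common if sender_ips[d] & recipient_relays[d])
    hit24 = sum(1 for d in common if {slash24(i) for i in sender_ips[d]}
                & {slash24(i) for i in recipient_relays[d]})
    return {"recipient_domains": len(recipient_relays), "common": len(common),
            "hit24": hit24, "hit32": hit32}
```

On the sample, example.com hits at /32, soho.test only at /24, bigmail.test misses, and nowhere.test is never a candidate because we never delivered to it.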