Stefan Foerster:
> Now, "feature request" is actually not the right word - it's more an
> idea, and probably somebody just needs to tell me it's a bad one.
>
> With the postscreen_dnsbl_sites setting, each site administrator can
> configure a list of DNS blacklists that new SMTP connections will be
> checked against (excluding whitelisted hosts). The actual lookups are
> done by dnsblog(8), and the result is logged by postscreen(8) similar
> to this:
>
>     postfix/postscreen[3074]: DNSBL rank 3 for 210.123.30.94
>
> Would it be a good idea to extend the existing functionality in a way
> that allows the postmaster to add a "score" for each blacklist and
> have postscreen(8) drop the connection only if a certain minimum score
> is reached (and it is configured to drop connections not passing the
> DNSBL test, of course)? Something like:
>
>     postscreen_dnsbl_sites = bl-a.example.com:2
>                              bl-b.example.com:1
>                              bl-c.example.com:2
>     postscreen_dnsbl_score_threshold = 3
>
> (it's probably better to use a hash: or other indexed table to
> configure those scores)
>
> This is similar to what some policy servers, e.g. policyd-weight, do -
> with the added benefit that a connection would never reach a real
> smtpd(8) if the score is exceeded.
>
> Does that sound like a somewhat reasonable idea, or more like b/s?

I think that a design (the stage before code is written) should
consider how scoring would play with the other tests that postscreen
implements, and how it would play with things that I intend to add
such as light-weight greylisting.

We can model postscreen-like programs in several ways. In all cases
the program subjects each SMTP client to a number of tests (permanent
white/blacklist, RBL lookup, pregreet, greylist, other).

1) Drop the client as soon as any test fails.

2) Drop the client as soon as the combined score exceeds some
   badness threshold.

3) Some other approach that may be harder to understand.

Does it make sense to score RBL results together with PREGREET?
What kinds of tests would be suitable for scoring together, and
would these make sense in a postscreen-like program? By design
postscreen is not a proxy, so it does not participate in mail
delivering SMTP sessions.

	Wietse
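
Models 1) and 2) from the reply above, applied to the DNSBL weights in the quoted proposal. This is an added example, not part of either message and not Postfix code. The "site:score" syntax and the threshold name are the proposal's; the function names and the choice that reaching the threshold is enough to drop are assumptions.

```python
# Added illustration: "site:score" and the threshold come from the quoted
# proposal; function names are hypothetical.

PROPOSED_SITES = """bl-a.example.com:2
                    bl-b.example.com:1
                    bl-c.example.com:2"""
PROPOSED_THRESHOLD = 3  # postscreen_dnsbl_score_threshold in the proposal


def parse_dnsbl_sites(value):
    """Parse whitespace/comma separated 'site[:score]' entries; bare site scores 1."""
    weights = {}
    for entry in value.replace(",", " ").split():
        site, sep, score = entry.rpartition(":")
        if not sep:                      # no ":score" suffix given
            site, score = entry, "1"
        if not site or not score.isdigit():
            raise ValueError(f"bad DNSBL entry: {entry!r}")
        weights[site.lower()] = int(score)
    return weights


def drop_on_any_hit(weights, listed_on):
    """Model 1: the first configured list that reports the client ends the session."""
    for site in weights:
        if site in listed_on:
            return True, site
    return False, None


def drop_on_score(weights, listed_on, threshold):
    """Model 2: sum the scores of lists reporting the client; drop once the
    running total reaches the threshold (assumption: 'reaches', not 'exceeds')."""
    total = 0
    for site, score in weights.items():
        if site in listed_on:
            total += score
            if total >= threshold:
                return True, total
    return False, total


if __name__ == "__main__":
    weights = parse_dnsbl_sites(PROPOSED_SITES)
    # Constructed lookup results for two hypothetical clients.
    for hits in ({"bl-b.example.com"}, {"bl-a.example.com", "bl-b.example.com"}):
        print(sorted(hits), drop_on_any_hit(weights, hits),
              drop_on_score(weights, hits, PROPOSED_THRESHOLD))
```

A client reported only by the low-weight list is dropped under model 1 but passes under model 2, which is the behavioural difference the proposal asks for.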