Erik Logtenberg:
> >> Is there a possibility to use a DNS-based RBL whitelist in Postfix? In
> >> The Netherlands we have an NL-Whitelist, which contains the IPs of all
> >> major ISPs. By using this whitelist one can make sure that accidental
> >> automatic blacklisting won't disrupt regular email traffic.
> >>
> >> I had something like a permit_rbl_client directive in mind, that could
> >> be placed in smtpd_recipient_restrictions, right before the
> >> reject_rbl_client lines. Apparently there is no permit_rbl_client at
> >> this moment, is there any other way to achieve this?
> >>
> >> Kind regards,
> >>
> >> Erik.
> >
> > Postfix has no built-in support for DNS whitelists.
> > You can add support by using a policy service.
> > http://www.postfix.org/SMTPD_POLICY_README.html
> >
> > -- Noel Jones
>
> Thanks for your reply. I see that I could construct a policy service to
> do this, but it seems simpler and much more efficient to let postfix do
> this natively. It already has all the DNS-resolving code and whatnot, I
> would guess it shouldn't take much more than an extra negation somewhere
> to make it permit instead of deny.
>
> Wietse, is there a reason why you would not want a permit_rbl_client
> feature in postfix? If not, then I would like to hereby suggest this
> feature request.
> If you would approve the feature request but don't have the time and/or
> other incentive to implement it, I'd gladly try to submit a patch.

I understand what needs to happen when the DNS server replies that the
client is or is not listed, though I don't know if there is any
convention for positive whitelist replies.

What is supposed to happen in the absence of a valid DNS reply? Is
there a difference between SERVFAIL, timeout, and so on? I don't want
to be swamped with bug reports that "postfix has buggy access control".

The same issue comes up occasionally with name-based lookups in
Postfix access(5) maps. The usual recommendation is that such
configurations are fragile.

Wietse
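
The decision logic of a policy service of the kind Noel Jones points to, with the DNS failure cases raised above made explicit. This is an added example, not part of the original thread and not Postfix code. The zone name `whitelist.example`, the `resolve` callback, the rule that any 127.0.0.0/8 answer means "listed", and the choice to answer DUNNO on SERVFAIL or timeout are all assumptions.

```python
import ipaddress

class NotListed(Exception):
    """The resolver got an authoritative 'no such name' (NXDOMAIN)."""

class LookupFailed(Exception):
    """The resolver got SERVFAIL, a timeout, or any other non-answer."""

def parse_request(text):
    """Parse one policy delegation request: name=value lines ended by a blank line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def query_name(client_address, zone):
    """Build the DNS list query name: reversed IPv4 octets followed by the zone."""
    ip = ipaddress.IPv4Address(client_address)  # ValueError on anything but IPv4
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def decide(attrs, resolve, zone="whitelist.example"):
    """Return the policy action for one request.

    resolve(name) is a hypothetical callback: it returns a list of A records,
    raises NotListed on NXDOMAIN and LookupFailed on SERVFAIL or timeout.
    """
    try:
        name = query_name(attrs.get("client_address", ""), zone)
    except ValueError:
        return "DUNNO"  # IPv6 or missing address: express no opinion
    try:
        answers = resolve(name)
    except NotListed:
        return "DUNNO"  # not whitelisted: the later restrictions decide
    except LookupFailed:
        return "DUNNO"  # assumption: a broken whitelist must never permit
    # Assumption: any 127.0.0.0/8 answer means "listed".
    return "OK" if any(a.startswith("127.") for a in answers) else "DUNNO"

def reply(action):
    """Format the policy delegation reply: one action line, then a blank line."""
    return "action=" + action + "\n\n"

# Constructed sample request in the format smtpd sends to a policy service.
SAMPLE = "request=smtpd_access_policy\nclient_address=192.0.2.10\n\n"
```

Because the service can answer OK, its check_policy_service entry belongs after reject_unauth_destination in smtpd_recipient_restrictions, so a whitelisted client is never permitted to relay.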