On 3/15/2010 3:39 PM, Victor Duchovni wrote:
> On Mon, Mar 15, 2010 at 03:29:46PM -0500, Noel Jones wrote:
>
>> I suppose the "failed DNS whitelist lookup" problem could be mostly avoided
>> if the DEFER_IF_REJECT flag was raised on lookup failure. That would allow
>> known good mail to pass, and rejected mail would get a safety net. IIRC
>> last time we discussed this, DEFER_IF_REJECT wasn't invented yet (at least
>> not in its current form).
>
> With name-based white-lists (check_client_access with names rather
> than addresses as keys) "defer_if_reject" is not a good option for all
> anonymous clients.
>
> With explicit DNSWL lookups, indeed "defer_if_reject" is acceptable, since
> the DWL is operated locally or by a competent provider and persistent temp
> failure of lookups is less likely. So it seems to me that this has cleaner
> semantics than "check_client_access" with name-based "OK" results, provided
> the DWL lookup-key is an address, not a domain name!

What do you think about extending rbl_reply_maps to accept
access(5) actions? That might be a suitable generalized
interface. Or maybe just too much rope...
-- Noel Jones
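The exchange above turns on how Postfix walks an smtpd restriction list: OK permits immediately, DUNNO moves on, REJECT rejects, and DEFER_IF_REJECT turns any later reject into a defer. The following model, written for this page and not taken from Postfix or from either poster, walks such a list over two whitelist designs (a name-keyed check_client_access table, and an address-keyed DNSWL) and shows the outcomes the thread argues about when the DNS lookup fails. Client addresses, hostnames and table contents are constructed, and the closing "reject" stands in for whatever later restriction would otherwise reject the client; the model is simplified and abstracts away SMTP reply codes.

```python
"""Added model (not Postfix code) of how Postfix applies access(5) actions
while walking an smtpd restriction list, to show why a name-keyed whitelist
and an address-keyed DNSWL behave differently when a DNS lookup fails."""
from dataclasses import dataclass
from typing import Callable, List, Optional

# access(5) actions relevant to the thread
OK, DUNNO, REJECT, DEFER_IF_REJECT = "OK", "DUNNO", "REJECT", "DEFER_IF_REJECT"


@dataclass
class Client:
    ip: str
    name: Optional[str]  # None models a failed (temporary) IP->name lookup


# Constructed tables and clients: assumptions for the model, not real hosts.
PARTNER_NAMES = {"mx.partner.example": OK}   # name-keyed check_client_access table
PARTNER_ADDRS = {"192.0.2.10": OK}           # what an address-keyed DNSWL would list

PARTNER = Client("192.0.2.10", "mx.partner.example")
PARTNER_NO_PTR = Client("192.0.2.10", None)  # same partner, PTR lookup failing
BOT = Client("198.51.100.7", None)           # anonymous client without a PTR


def check_client_access_by_name(on_lookup_failure: str) -> Callable[[Client], str]:
    """Name-keyed check_client_access; a failed name lookup yields on_lookup_failure
    (DUNNO today, or DEFER_IF_REJECT as the thread proposes)."""
    def restriction(c: Client) -> str:
        if c.name is None:
            return on_lookup_failure
        return PARTNER_NAMES.get(c.name, DUNNO)
    return restriction


def dnswl_by_address(dnswl_reachable: bool = True) -> Callable[[Client], str]:
    """Address-keyed DNSWL lookup; only an outage of the DNSWL itself (rare when it
    is run locally or by a competent provider) raises DEFER_IF_REJECT."""
    def restriction(c: Client) -> str:
        if not dnswl_reachable:
            return DEFER_IF_REJECT
        return PARTNER_ADDRS.get(c.ip, DUNNO)
    return restriction


def reject_all(_: Client) -> str:
    """Final 'reject': this gateway accepts mail only from whitelisted clients."""
    return REJECT


def evaluate(restrictions: List[Callable[[Client], str]], client: Client) -> str:
    """Walk the list as smtpd does: OK permits, DUNNO continues, REJECT rejects,
    and an earlier DEFER_IF_REJECT turns that reject into a defer."""
    defer_pending = False
    for restriction in restrictions:
        action = restriction(client)
        if action == OK:
            return "permit"
        if action == DEFER_IF_REJECT:
            defer_pending = True
        elif action == REJECT:
            return "defer" if defer_pending else "reject"
    return "permit"  # end of list without a reject


def outcomes() -> dict:
    """Outcomes of the scenarios discussed in the thread, keyed by scenario."""
    name_dunno = [check_client_access_by_name(DUNNO), reject_all]
    name_defer = [check_client_access_by_name(DEFER_IF_REJECT), reject_all]
    dnswl_up = [dnswl_by_address(True), reject_all]
    dnswl_down = [dnswl_by_address(False), reject_all]
    return {
        # baseline: the partner's name resolves and matches the table
        "name/partner": evaluate(name_dunno, PARTNER),
        # the "failed DNS whitelist lookup" problem: good mail is rejected
        "name/partner_no_ptr": evaluate(name_dunno, PARTNER_NO_PTR),
        # the proposed safety net: that mail is deferred instead
        "name+dir/partner_no_ptr": evaluate(name_defer, PARTNER_NO_PTR),
        # the objection: every nameless anonymous client now gets the same net
        "name+dir/bot": evaluate(name_defer, BOT),
        # address key: the partner is whitelisted whether or not its PTR resolves
        "dnswl/partner_no_ptr": evaluate(dnswl_up, PARTNER_NO_PTR),
        "dnswl/bot": evaluate(dnswl_up, BOT),
        # only an outage of the DNSWL itself widens the safety net
        "dnswl_down/bot": evaluate(dnswl_down, BOT),
    }


if __name__ == "__main__":
    for case, result in outcomes().items():
        print(f"{case:26} {result}")
```

Running it prints one line per scenario. The two rows worth comparing are "name+dir/bot" (defer) against "dnswl/bot" (reject): with a name-keyed table the DEFER_IF_REJECT safety net is raised by the client's own DNS failure, which every anonymous client can trigger, whereas with an address-keyed DNSWL it is raised only when the whitelist service itself is unreachable.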