On 8/27/2010 8:36 PM, pf at alt-ctrl-del.org wrote:
Wietse:
> pf at alt-ctrl-del.org:
>> Noel Jones, August 27, 2010 3:56 PM:
>> >
>> >> On: August 27, 2010 2:23 PM, I wrote:
>> >>> Is there any known policy server or add-on, that will change
>> >>> the tempfail action after a couple of hours, for things like
>> >>> reject_unknown_client_hostname and
>> >>> reject_unknown_client_hostname?
>> >>>
>> >>> I guess it would be an adaptation of greylisting,
>> >>>
>> >>> Anything like that out there?
>> >>>
>> >>
>> >> Well, the first half was easy. I just made a few minor changes
>> >> to the example greylist.pl.
>> >> My greyhelo.pl works from the example test of: perl
>> >> greyhelo.pl (bunch of attributes)
>> >>
>> >> But how to call it, only when a client fails
>> >> reject_unknown_helo_hostname?
>> >> The following does not work:
>> >> unknown_helo_hostname_tempfail_action = check_policy_service
>> >> unix:private/greyhelo
>> >
>> > You'll have to call the policy service for each mail, and
>> > recreate the reject_unknown_* tests in your policy server.
>> > That's the only way you can detect temp failures.
>> >
>>
>> So I'd have to test for nxdomain, against $attr{"helo_name"}?
>
> Postfix already replies with a 5XX for an NXDOMAIN result.
>
??
nslookup mailserver.jtl.co.in
google-public-dns-a.google.com can't find mailserver.jtl.co.in: Non-existent domain
NOQUEUE: reject: RCPT from outgoing.jeevantechnologies.com[61.12.114.170]: 450 4.7.1 <mailserver.jtl.co.in>: Helo command rejected: Host not found; proto=ESMTP helo=<mailserver.jtl.co.in>
postconf | grep 450
Wietse, I was looking for a way to do both temporary and permanent rejects.
Not one or the other.

With unknown_hostname_reject_code set to 550, NXDOMAIN hosts
will be rejected, and temporary error hosts will get the
unknown_helo_hostname_tempfail_action (default
DEFER_IF_PERMIT). So you do get both.

Default to a temporary reject for temporary errors, then return a permanent
reject to a specific client after x attempts or x hours.

Greylisting gives a default defer, then dunno after x minutes.
I was thinking along the lines of default defer, then reject after x
minutes, for reject_unknown_helo_hostname clients.

Any kind of counting will need to be done in a policy server.
Maybe you can cheat and only pass the clients that tempfail to
the policy server, try this:
# main.cf
unknown_hostname_reject_code = 550

Hmmm, I bet the check_policy_service will need to be in a
restriction class... Continuing main.cf:

unknown_helo_hostname_tempfail_action = helo_tempfail_test
smtpd_restriction_classes = helo_tempfail_test
helo_tempfail_test =
  check_policy_service foo:bar

where foo:bar is the policy service endpoint.
-- Noel Jones
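
The "default defer, then reject after x hours" counting discussed in this thread, sketched as a Postfix policy service. This is an added example, not code from the thread or from greylist.pl. It assumes the restriction-class setup above hands only tempfailing clients to the service; the four-hour window, the SQLite table and the database path are assumptions.

```python
import sqlite3
import sys
import time

REJECT_AFTER = 4 * 3600  # assumed window: the "x hours" from the thread

def open_db(path):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS first_seen (k TEXT PRIMARY KEY, ts REAL)")
    return db

def parse_request(lines):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in lines:
        line = line.rstrip("\n")
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def decide(db, attrs, now, window=REJECT_AFTER):
    """Defer on first sight; reject once the client/HELO pair is older than window."""
    key = attrs.get("client_address", "") + "/" + attrs.get("helo_name", "").lower()
    row = db.execute("SELECT ts FROM first_seen WHERE k = ?", (key,)).fetchone()
    if row is None:
        db.execute("INSERT INTO first_seen VALUES (?, ?)", (key, now))
        db.commit()
        return "defer_if_permit HELO hostname lookup failed, try again later"
    if now - row[0] >= window:
        return "reject HELO hostname still unresolvable"
    return "defer_if_permit HELO hostname lookup failed, try again later"

def serve(db, stream_in=sys.stdin, stream_out=sys.stdout):
    """Answer requests on stdin/stdout, as when run from spawn(8)."""
    while True:
        attrs = parse_request(stream_in)
        if not attrs:
            return  # end of input: smtpd closed the connection
        stream_out.write("action=%s\n\n" % decide(db, attrs, time.time()))
        stream_out.flush()

if __name__ == "__main__":
    serve(open_db("/var/lib/postfix/helo_tempfail.db"))  # hypothetical path
```

Rows are never expired here, and an outage of the local resolver that lasts longer than the window would turn the temporary failures of legitimate clients into permanent rejects, so the window should comfortably exceed any expected DNS disruption.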