On 31/05/22 1:44 am, Wietse Venema wrote:
> With 'IPv4 requests' and 'IPv6 requests' did you mean:
> - The type of the (reversed) client IP address?

Yes.

> - The type (A, AAAA) of the DNS query and response?

Also yes, but only if that ends up being required by the IPv6 DNSRBLs. At present all the ones I'm aware of answer A queries and are not documented to answer AAAA queries, so this part can be ignored unless / until it becomes an actual need.

> I'll assume it is the former for now. We don't really need 128 bits
> of resolution for reputation.

Right, but it's more up to which type of query the lists will end up accepting than what our needs are.

> What about the common case, if a site such as Spamhaus answers A
> queries for both reversed IPv4 and IPv6 addresses, would it need
> to be configured multiple times, once as an IPv4 reputation provider,
> and again as an IPv6 reputation provider?

The case of having both default to $postscreen_dnbl_sites would cover that, but we can keep that as a separate setting if you prefer. For a given connection it would still only query once because a given connection will never be both IPv4 and IPv6.

> That would not be good. We could avoid that with:
>
> postscreen_dnbl_sites (sites handling both reversed IPv4 and IPv6)
> postscreen_ipv4_dnbl_sites (sites handling reversed IPv4 only)
> postscreen_ipv6_dnbl_sites (sites handling reversed IPv6 only)

I would modify that to:

postscreen_dnbl_sites (no longer a real setting, but see below)
    IPv4/6 combo lists
postscreen_ipv4_dnbl_sites = $postscreen_dnbl_sites
    additional IPv4 only lists
postscreen_ipv6_dnbl_sites = $postscreen_dnbl_sites
    additional IPv6 only lists

If you prefer to keep postscreen_dnbl_sites then that's fine as well. This is just a suggestion of how to implement it.

Also the smtpd_client_restrictions of reject_rbl_client and permit_dnswl_client would require similar treatment.


Peter
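
The lookup scheme discussed in this thread, as an added sketch that is not Postfix code and not part of either message: it builds the reversed-address name sent as an A query for an IPv4 or IPv6 client and picks the list set by address family, with the per-family settings defaulting to the combined one. The setting names are the proposals as written in the thread; the zone names, the bare-zone list syntax and the handling of IPv4-mapped addresses are assumptions.

```python
import ipaddress

# Constructed sample configuration. The setting names are the ones proposed in
# the thread; the zone names are placeholders.
CONFIG = {
    "postscreen_dnbl_sites": "combo.dnsbl.example",
    "postscreen_ipv4_dnbl_sites": "$postscreen_dnbl_sites v4only.dnsbl.example",
    "postscreen_ipv6_dnbl_sites": "$postscreen_dnbl_sites v6only.dnsbl.example",
}

def client_address(client_ip):
    """Parse the client address; assumption: IPv4-mapped IPv6 counts as IPv4."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr

def reversed_labels(addr):
    """IPv4 reverses the four octets, IPv6 reverses all 32 hex nibbles."""
    if addr.version == 4:
        parts = str(addr).split(".")
    else:
        parts = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(parts))

def zones_for(addr, config):
    """Pick the per-family list, defaulting to the combined list."""
    key = f"postscreen_ipv{addr.version}_dnbl_sites"
    zones = []
    for token in config.get(key, "$postscreen_dnbl_sites").split():
        if token == "$postscreen_dnbl_sites":
            zones.extend(config.get("postscreen_dnbl_sites", "").split())
        else:
            zones.append(token)
    return list(dict.fromkeys(zones))  # drop duplicates, keep order

def a_queries(client_ip, config=CONFIG):
    """Names to look up with an A query for one connection."""
    addr = client_address(client_ip)
    return [f"{reversed_labels(addr)}.{zone}" for zone in zones_for(addr, config)]

if __name__ == "__main__":
    for ip in ("192.0.2.1", "2001:db8::1", "::ffff:192.0.2.1"):
        print(ip, a_queries(ip))
```

A connection has exactly one address family, so a list that appears in the combined setting is queried once per connection even though both per-family settings reference it.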
