Hi, I'd like to encourage people to take more advantage of DNSWL.
I'm currently converting DNSWL entries into trusted_networks and using shortcircuited ALL_TRUSTED to reduce unnecessary processing. DNS checks are reduced as well. With only 'med' and 'high' entries, 15% of my traffic hits ALL_TRUSTED. I just also added 'low' to the mix, since it seems to have pretty much an identical ratio to 'med'. It doubled the entry count, so I have to wait and see how much it helps. In future the list will just be getting bigger...

This should be quite safe, since the spam occurrences that I see from whitelisted relays come mostly through some mailing-list things (the poster IP should be in the Received headers, thus ALL_TRUSTED won't hit). There is also some tiny amount of backscatter, but I use the amavisd-new bounce killer feature outside of SA for that. Of course one could skip SA completely when receiving from a whitelisted relay. It would perhaps pass a little more spam, but it would be the optimal setup performance-wise.

Getting this to work in SA requires some customizing due to some deficiencies. Don't try if you are not comfortable patching. You can use 3.2 and 3.3 (SVN). Memory usage is raised by about 10-20MB.

1) Make sure your internal_networks is set up, so external checks (relay connecting to your MX and beyond) are done correctly. trusted_networks also needs to contain all the same internal_networks entries. This is basic stuff, check the wiki etc.

2) To prevent helo and dynamic checks getting borked, you need to always run this after using sa-update:

   perl -i -pe 's/Relays-Untrusted/Relays-External/' /var/spamassassin/*/*org/*

   Some rules check untrusted when they should be checking external. Waiting to be fixed:
   https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5856

3) So that trusted relays are never checked in DNSBLs (as they are not supposed to be), apply the "DNSEval.pm fixes" patch for 3.2 or the SVN ones for 3.3 from
   https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5856

4) Comment out the offending line from NetSet.pm add_cidr(). Checking for duplicate entries is too intensive for big lists:
   https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5931
   (Note that it probably breaks exclusions "!1.2.3.4" if you are using such.)

5) To optionally reduce unneeded DNS queries on shortcircuiting, you can use this hack:
   https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5930

6) cf:

   priority ALL_TRUSTED -10000
   score ALL_TRUSTED -10
   shortcircuit ALL_TRUSTED on

7) Rsync the dnswl data (see their page for info) and convert it:

   perl -ne 'print "trusted_networks $1\n" if /^(\d[^;]+);\d+;(?:low|med|high);/i' \
       < generic-dnswl > dnswl_trusted.cf

That's it... if you are trying it, maybe give a shout here how it works. It would be nice to see something like this built into SA in the future, possibly even distributing all the entries daily with sa-update. In the grand scale, I guess it would be easier to "enforce" users into this than expecting them to do it at MTA level. Resources and FPs saved for everyone.

Cheers, Henrik
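As an added example (not part of Henrik's post or of SpamAssassin itself), here is a Python version of the step 7 conversion that also validates each network, drops exact duplicates (the check step 4 disables in NetSet.pm) and collapses entries nested inside a larger range, so the resulting trusted_networks list is smaller than the raw file. The field layout `network;id;trust;...` is assumed from the regex in the post, and the sample lines are constructed, not real dnswl.org data.

```python
import ipaddress, re, sys
from typing import Iterable, List, Union
Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
# Field layout "<network>;<id>;<trust>;..." is assumed from the regex in the post.
LINE_RE = re.compile(r"^(\d[^;]+);\d+;(low|med|high);", re.IGNORECASE)
# Constructed sample lines in that layout; not real dnswl.org data.
SAMPLE_DNSWL = """\
192.0.2.0/24;1001;med;Example Org A
192.0.2.10;1002;high;Example Org A, host already inside the /24 above
198.51.100.0/25;1003;LOW;Example Org B, trust level in upper case
198.51.100.0/25;1003;low;Example Org B, exact duplicate
2001:db8::/32;1004;med;Example Org C, IPv6 range
203.0.113.7;1005;none;Example Org D, trust 'none' is not whitelisted
999.1.1.1;1006;med;malformed address, must be dropped
"""

def parse_dnswl(lines: Iterable[str], levels=("low", "med", "high")) -> List[Net]:
    """Select entries whose trust level is in `levels`, validate and deduplicate them."""
    wanted = {lvl.lower() for lvl in levels}
    nets = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(2).lower() not in wanted:
            continue
        try:
            nets.add(ipaddress.ip_network(m.group(1).strip(), strict=False))
        except ValueError:
            continue  # malformed entry: skip it rather than feed it to SpamAssassin
    return sorted(nets, key=lambda n: (n.version, n))

def to_trusted_networks(nets: Iterable[Net], collapse: bool = True) -> List[str]:
    """Render trusted_networks lines; collapsing merges nested/adjacent ranges."""
    by_version = {4: [], 6: []}
    for n in nets:
        by_version[n.version].append(n)
    out = []
    for ver in (4, 6):
        group = by_version[ver]
        if collapse:  # collapse_addresses only accepts one address family at a time
            group = list(ipaddress.collapse_addresses(group))
        for n in group:
            # single hosts as a bare address, ranges in CIDR form (both accepted by SA)
            text = str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
            out.append(f"trusted_networks {text}")
    return out

if __name__ == "__main__":
    # usage: python dnswl2sa.py < generic-dnswl > dnswl_trusted.cf
    print("\n".join(to_trusted_networks(parse_dnswl(sys.stdin))))
```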