On 14.02.2015 at 23:23, LuKreme wrote:
> On 14 Feb 2015, at 05:27 , Reindl Harald <h.rei...@thelounge.net> wrote:
>> On 14.02.2015 at 10:40, LuKreme wrote:
>>> On Feb 13, 2015, at 5:42 PM, Benny Pedersen <m...@junc.eu> wrote:
>>>> problem with lists is that a spammer just creates a new free domain and spams with it, so be in front: list all as spam until it is known not to be
>>>
>>> In this specific case, the list is a list of known domains that will pass whitelist_auth, which means you can blacklist them and when they pass auth, they magically get through. As Dave Pooser posted:
>>>
>>>   whitelist_auth *@bankofamerica.com
>>>   blacklist_from *@bankofamerica.com
>>>
>>>   I score blacklist_from at 80 points so an address that's both blacklisted and whitelisted will be effectively whitelisted, thanks to a net -20 score
>>>
>>> When BOA sends an email, it hits the blacklist and gets a score of +80, but if the mail passes whitelist_auth (meaning it's really from BOA), then it gets a -100. So anyone who is not BOA ends up with a score of +80. It doesn't matter how many random domains they create.
>>
>> and when BOA makes a mistake in their DNS (a typo in the SPF, as happens way too often, ending in PERMERROR, which is *not* a reason for a reject) or other DNS issues are happening, you would block all legit mail
>
> It would block THEIR legit mail until they fixed their DNS.

but wrongly, and that deserves only a low score

frankly, they could remove the SPF record altogether, which is THEIR decision, and you would block legit mail to YOUR users until you fixed your configuration, which is wrong from that moment on

>> in other words: you turn your mailserver into a gambling machine with such rules, as long as it's not for domains you maintain and can be sure that DNS works unconditionally (no internet and no foreign ISP involved)
>
> I wasn't suggesting you implement it on your machine

it doesn't matter what i would do; others reading that thread may think it's a good idea

> I suppose I could set a temporary score for whitelist_auth of
> -0.1 and see how many hits it gets in the next month or two

maybe you still did not get the point: any network error reaching your resolver would result in blocked mails, while a spf-policyd in such a case would respond with a *temporary reject*, and that is what makes your config a gambling machine

* incoming connection
* the blacklist rule fires its score
* temporary DNS error -> the whitelist rule doesn't fire
* mail gets rejected

such a setup is only reasonable when you are the only user of the server; from the moment you host other people's mail it's a no-go
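The failure mode argued about in this thread, as an added example that is not part of the thread and not SpamAssassin's own code: a toy model of the blacklist_from / whitelist_auth trick with the scores Dave Pooser quoted (+80 and -100), next to what an SMTP-time SPF policy daemon can do with the same message. The 5.0 threshold, the domain list, the `Message` class and the policy-daemon behaviour are assumptions made for illustration, not a specific product's defaults; the point is that a net-score scheme cannot tell "authentication failed" apart from "authentication could not be evaluated", while a policy daemon can answer a transient DNS error with a 4xx and let the sender retry.

```python
"""Toy model of the whitelist_auth / blacklist_from trick under DNS failure.

Added example, not SpamAssassin code. Scores 80 / -100 are the ones quoted
in the thread; everything else here is an assumption for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class SpfResult(Enum):
    PASS = "pass"            # sender host authorized by the domain's SPF record
    FAIL = "fail"            # explicitly not authorized (the spoof case)
    NONE = "none"            # domain publishes no SPF record at all
    TEMPERROR = "temperror"  # transient DNS failure (timeout, resolver down)
    PERMERROR = "permerror"  # record is syntactically broken, e.g. a typo


BLACKLIST_FROM_SCORE = 80.0    # quoted in the thread
WHITELIST_AUTH_SCORE = -100.0  # quoted in the thread
REQUIRED_SCORE = 5.0           # assumption: SpamAssassin's default required_score
LISTED_DOMAINS = {"bankofamerica.com"}  # assumption: the "known domains" list


@dataclass
class Message:
    from_domain: str
    spf: SpfResult


def sa_score(msg: Message) -> float:
    """Net score the way the thread describes it.

    blacklist_from fires for every listed domain; whitelist_auth fires only
    when SPF actually PASSed.  Any other result, including a transient DNS
    error the sender did nothing to cause, leaves just the +80 in place.
    """
    score = 0.0
    if msg.from_domain in LISTED_DOMAINS:
        score += BLACKLIST_FROM_SCORE
        if msg.spf is SpfResult.PASS:
            score += WHITELIST_AUTH_SCORE
    return score


def sa_disposition(msg: Message) -> str:
    """A content filter only has 'spam' or 'not spam' to offer."""
    return "reject" if sa_score(msg) >= REQUIRED_SCORE else "accept"


def policyd_disposition(msg: Message) -> str:
    """Assumed behaviour of an SMTP-time SPF policy daemon (illustration only).

    It runs before the message is accepted, so it has a third answer: a
    temporary reject (4xx) that makes a legitimate sender retry later.
    """
    if msg.spf is SpfResult.TEMPERROR:
        return "defer"    # 4xx: come back when DNS works again
    if msg.spf is SpfResult.FAIL:
        return "reject"   # 5xx: the domain says this host may not send
    return "accept"       # pass / none / permerror: leave it to content filtering


def compare(msg: Message) -> dict:
    """Side-by-side outcome for one message under both approaches."""
    return {
        "score": sa_score(msg),
        "net_score_filter": sa_disposition(msg),
        "policy_daemon": policyd_disposition(msg),
    }


if __name__ == "__main__":
    # Constructed sample: the same listed domain under every SPF outcome.
    for result in SpfResult:
        print(f"{result.value:10s} {compare(Message('bankofamerica.com', result))}")
```

Running it shows the two rows that matter: with `temperror` the net-score filter still rejects (the +80 stands alone, exactly the "gambling machine" sequence in the bullet list above), while the policy daemon defers; with `pass` the net score is -20 and the mail is accepted by both. An unlisted domain never triggers either rule, so the scheme does nothing against the "new free domain" case Benny raised either way.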