Milter-greylist

Hello

I've just checked the new cool feature into the CVS (reminder: get it by
cvs -danoncvs@...:/milter-greylist co milter-greylist )

Now, ACL can cause URL lookups. You use the like this:

urlcheck "mytest" "http://www.example.net/mgl.php?rcpt=%r+ip=%i"

acl greylist urlcheck "mytest"


For each ACL evaluation will spawn a request to 
http://www.example.net/mgl.php?rcpt=%r+ip=%i, with 
%r replaced by recipient e-mail
%i replaced by IP address
You also substitute domain, sender address and helo string. Check the man page.

The mgl.php script is to answer if you get a match by sending back this:
milterGreylistStatus: Ok

Even better, you can send settings in the reply:
milterGreylistStatus: Ok
milterGreylistDelay: 1h

autowhite, code, ecode, flushaddr and msg can be overloaded. You can even
overload the ACL action (ie: turning a greylist ACL into a blacklist action),
see the man page for details.

That's extremely powerful, and would even allow reimplementing the greylisting
database outside of the milter itself :-)

Something to note: the reply format is LDIF-like. It was chosen so that
the URL could be a ldap:// query, though I have not experimented that yet.
Feel free to give it a try and tell the list if you get some succes. Of course,
returning milterGreylist* attribute means adding a schema, and as I unserstood,
it probably means getting an OID from IANA. Help is welcome here, I'm not
very experienced.

If you have other good ideas for using URL checks, I'm interested. I'm 
heading the LDAP way to make milter-greylist settings user-switchable in
real time, but I'm not sure it's the easiest way to go.

If you are willing to help milter-greylist developement, here is my TODO 
list. Feel free to pick an item (especially the documentation stuff, it
does not require programming skills):
- Update (rewrite from scratch) the web page
- Document more URL checks in README
- the LDAP stuff
- time clause in ACL (eg: tempfail anything outside of office hours)
- RCPT-stage ACL vs DATA-stage ACL
- Custom reason strings from URL checks for X-Greylist 
- message body match clause in DATA-stage ACL

-- 
Emmanuel Dreyfus
manu@...

Emmanuel Dreyfus wrote:
 > For each ACL evaluation will spawn a request to 
 > http://www.example.net/mgl.php?rcpt=%r+ip=%i, with 
 > %r replaced by recipient e-mail
 > %i replaced by IP address

Does it support HTTP keep-alive connections?  If not, then
you should consider adding it.  It reduces the overhead
considerably.

Best regards
   Oliver

-- 
Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

It's trivial to make fun of Microsoft products,
but it takes a real man to make them work,
and a God to make them do anything useful.

On Wed, Dec 06, 2006 at 05:34:46PM +0100, Oliver Fromme wrote:
> Does it support HTTP keep-alive connections?  If not, then
> you should consider adding it.  It reduces the overhead
> considerably.

libcurl allows using persistant connection, but using them is a bit
tricky: we want to use the same connexion for multiple message, which
are handled by multiple threads. 

The way to go is probably to have a dedicated thread for performing
libcurl operations. Not a big deal, but there is some work to do. I'll
leave it to a volunteer for now...

-- 
Emmanuel Dreyfus
manu@...

On Wed, Dec 06, 2006 at 05:34:46PM +0100, Oliver Fromme wrote:
> Does it support HTTP keep-alive connections?  If not, then
> you should consider adding it.  It reduces the overhead
> considerably.

I thought a bit more about it and it was not so hard to implement.
I just added the feature, check it now in CVS.

The urlcheck definition has changed a bit:
urlcheck "test1" "http://www.example.com?rcpt=%r" 10

The trailing 10 is the maximum  number of simultaneous connexion you 
want to have.

-- 
Emmanuel Dreyfus
manu@...

I've been over the documentation and the mailing list archives, and 
there's something I still don't understand.  What form do the entries in 
sendmail's access DB take, to whitelist an IP address?  I've been trying
something like this, without results:

greylist:192.168.202.1	WHITE

    Any hints would be very appreciated.

On 12/19/06, Mike Loewen <mloewen@...> wrote:
>     I've been over the documentation and the mailing list archives, and
> there's something I still don't understand.  What form do the entries in
> sendmail's access DB take, to whitelist an IP address?  I've been trying
> something like this, without results:
>
> greylist:192.168.202.1  WHITE
>
>     Any hints would be very appreciated.

Can you be more specific?  Are you really editing a Sendmail
configuration file?  If so, then this is probably not the right list.

Or are you trying to edit the /etc/mail/greylist.conf file?

John

John Villalovos wrote:
> On 12/19/06, Mike Loewen <mloewen@...> wrote:
>>     I've been over the documentation and the mailing list archives, and
>> there's something I still don't understand.  What form do the entries in
>> sendmail's access DB take, to whitelist an IP address?  I've been trying
>> something like this, without results:
>>
>> greylist:192.168.202.1  WHITE
>>
>>     Any hints would be very appreciated.
> 
> Can you be more specific?  Are you really editing a Sendmail
> configuration file?  If so, then this is probably not the right list.
> 
> Or are you trying to edit the /etc/mail/greylist.conf file?
> 
> John

You'll need to whitelist the specific sender in /etc/mail/greylist.conf.

If you want to do clever things like use RBLs in sendmail but still 
whitelist IPs in sendmail's "access" file, you'll find helpful 
information in:

   http://blue-labs.org/howto/access_hints.php

You'd need to use FEATURE(`delay_checks') in sendmail.mc to do this.

Cheers,

Phil

I don't think you need to do a makemap when changing
access , restarting sendmail will pick up the changes
and let you know if there any serious problems 

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

Yfan wrote:
 > I don't think you need to do a makemap when changing
 > access , restarting sendmail will pick up the changes
 > and let you know if there any serious problems 

No, you need to regenerate the access.db file, so you must
use the makemap command.  (Some operating systems provide
a Makefile which does the job, so simply typing "make"
might be sufficient.)

However, you do not need to restart sendmail, because the
new access.db file will be picked up automatically.

Best regards
   Oliver

PS:  This is off-topic on this list.

-- 
Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

$ dd if=/dev/urandom of=test.pl count=1
$ file test.pl
test.pl: perl script text executable

On Thu, Dec 21, 2006 at 04:53:11AM -0800, Yfan wrote:
> I don't think you need to do a makemap when changing
> access ,

You *do* need to "makemap".

> ... restarting sendmail will pick up the changes

Using "makemap" avoids having to restart sendmail.

	Kind regards

-- 
Matthias Scheler                                  http://zhadum.org.uk/