Yahoo Groups archive

Milter-greylist

whitelisting messages that pass DMARC authentication

2014-09-06 by Andrew J. Schorr

Hi,

I'm a newbie, so please forgive me if I'm asking a stupid question.
I have already configured milters for smf-spf + opendkim + opendmarc.
I would like to whitelist automatically messages that pass the DMARC tests,
i.e. if there is a header that looks like:
   Authentication-Results: <hostname>; dmarc=pass ...
Anything else should be greylisted.

Is it currently possible to do this with milter-greylist?  If not, do you think
it would be easy to patch milter-greylist to do this?  Or is there a better
approach that I should be considering?

Thanks in advance for any help or pointers to appropriate docs,
Andy

Re: [milter-greylist] whitelisting messages that pass DMARC authentication

2014-09-07 by manu@...

'Andrew J. Schorr' aschorr@... [milter-greylist]
<milter-greylist@yahoogroups.com> wrote:

> Is it currently possible to do this with milter-greylist?

No, because milter-greylist does greylisting at RCPT stage, and DMARC
header is only known at DATA stage.

>  If not, do you think it would be easy to patch milter-greylist to do this?

It depends what you call easy :-)

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [milter-greylist] whitelisting messages that pass DMARC authentication

2014-09-07 by Andrew J. Schorr

Hi,

On Sun, Sep 07, 2014 at 07:42:56PM +0200, manu@... [milter-greylist] wrote:
> 'Andrew J. Schorr' aschorr@... [milter-greylist]
> <milter-greylist@yahoogroups.com> wrote:
> 
> > Is it currently possible to do this with milter-greylist?
> 
> No, because milter-greylist does greylisting at RCPT stage, and DMARC
> header is only known at DATA stage.

Thanks for getting back to me, but I'm a bit confused.  The man page for
greylist.conf says, in part:

   ACL using the racl keyword are evaluated at the RCPT stage of the SMTP
   transaction. It is also possible to have ACL  evaluated  at  the  DATA
   stage of the SMTP transaction, using the dacl keyword, provided the message
   went through RCPT-stage ACL, and possibly greylisting. Note that you cannot
   use the greylist action at DATA-stage if the RCPT-stage ACL that matched had
   a greylist action itself.

This seems to suggest that something like this might work:

   racl whitelist default
   dacl greylist default
   dacl whitelist header /^authentication-results.*dmarc=pass/

Am I understanding the man page incorrectly?  I'd also like to whitelist
emails from my local network, so I'm not sure how to solve that problem,
since such emails will not have the dmarc header...

> >  If not, do you think it would be easy to patch milter-greylist to do this?
> 
> It depends what you call easy :-)

I haven't looked at the code yet, but it seems from the man page as if the dacl
checks are skipped if the racl checks do not finish in a whitelist state.  So I
might want to patch the code to add an option to continue to run the dacl
checks regardless of the racl outcome.  I perhaps foolishly imagine that this
should not require huge changes...

Thanks,
Andy

Re: [milter-greylist] whitelisting messages that pass DMARC authentication

2014-09-08 by manu@...

'Andrew J. Schorr' aschorr@... [milter-greylist]
<milter-greylist@yahoogroups.com> wrote:

> > No, because milter-greylist does greylisting at RCPT stage, and DMARC
> > header is only known at DATA stage.
> 
> Thanks for getting back to me, but I'm a bit confused.  The man page for
> greylist.conf says, in part:

Hey, you are right. Peeking at the sources I can see we support dacl
greylist. I just forgot it had been implemented!

Therefore you should be able to achieve your goal, using appropriate
order since for each stage ACL evaluation stops at first match:

   racl whitelist default
   dacl whitelist header /^authentication-results.*dmarc=pass/
   dacl greylist default

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...
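
The effect of rule order under first-match evaluation, as an added example that is not part of the thread or of milter-greylist: a simplified Python model of the DATA-stage list, comparing the order tried in the second message with the order given in the final reply. The rule representation, the function names, the case-insensitive per-line matching and the sample headers are assumptions constructed for illustration.

```python
import re

# Simplified model (assumption, not milter-greylist's parser): a dacl rule is
# (action, pattern); pattern None stands for "default". A header clause is
# matched case-insensitively against each "Name: value" header line.
DMARC_PASS = r"^authentication-results.*dmarc=pass"

ORDER_FIRST_TRY = [("greylist", None), ("whitelist", DMARC_PASS)]   # second message
ORDER_FROM_REPLY = [("whitelist", DMARC_PASS), ("greylist", None)]  # final reply


def evaluate_dacl(rules, headers):
    """Return (action, rule index) for the first rule that matches."""
    for idx, (action, pattern) in enumerate(rules):
        if pattern is None:  # "default" matches every message
            return action, idx
        rx = re.compile(pattern, re.IGNORECASE)
        if any(rx.search(line) for line in headers):
            return action, idx
    return "greylist", None  # assumption: nothing matched, so greylist


def unreachable_rules(rules):
    """Indexes of rules placed after a "default" rule; they can never match."""
    for idx, (_, pattern) in enumerate(rules):
        if pattern is None:
            return list(range(idx + 1, len(rules)))
    return []


# Constructed sample headers (hostnames are placeholders).
PASSING = [
    "Received: from mx.example.net by mail.example.org",
    "Authentication-Results: mail.example.org; dmarc=pass header.from=example.net",
]
FAILING = [
    "Received: from mx.example.net by mail.example.org",
    "Authentication-Results: mail.example.org; dmarc=fail header.from=example.net",
]
NO_RESULT = ["Received: from host.lan by mail.example.org"]  # e.g. local network mail

if __name__ == "__main__":
    for name, rules in (("first try", ORDER_FIRST_TRY), ("reply", ORDER_FROM_REPLY)):
        print(name, "unreachable rules:", unreachable_rules(rules))
        for label, hdrs in (("pass", PASSING), ("fail", FAILING), ("none", NO_RESULT)):
            print("  ", label, "->", evaluate_dacl(rules, hdrs))
```

With the first ordering the `default` rule shadows the header rule, so even a message carrying `dmarc=pass` is greylisted; with the ordering from the reply only that message is whitelisted at the DATA stage.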
