[Raw Msg Headers][Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: dns tests in policytest

> Hi 
> 	I'm trying to setup policy tests, but unfortunately I found
> unwanted DNS tests both in mail_from and rcpt_to while
> connecting from net listed in smtp-policy.relay (_full_rights).
> 	It's strange calls to sender_dns_verify and client_dns_verify
> after always_accept checks. (rcpt_nocheck == 0 ?)
> 2.99.50-s6 with default smtp-policy boilerplate
> any comments ?

A lengthy background history:

	Originally I designed the facility to allow messages from
	trusted sources to be accepted without further analysis
	work on the MAIL FROM/RCPT TO addresses.

	After having seen how much junk our clients are pushing
	in -- misconfigured MAIL FROM, mistakes in recipient
	addresses...  -- we modified the system to have a new
	attribute for allowing absolutely trusted sources
	(or sources that can not be verified in time to be able to
	 allow flows of timely email: vger.rutgers.edu->nic.funet.fi)
	AND doing "accept but verify" in place of old behaviour of
	"accept without checks".

ChangeLog tells:

	* include/policy.h, smtpserver/policytest.c, smtpserver/policytest.h,
	    Altered "relaycustnet" semantics a bit.  Even though it will
	    still allow unlimited inbound feed, it will at first fo DNS
	    verification on MAIL FROM, and RCPT TO headers -- accepts
	    recipients if said recipients have any DNS A/MX entry at all,
	    and likewise with sender...
	    Introduced new attribute:  "fulltrustnet +"  which can
	    be used in case there absolutely is need for not checking
	    input addresses (like in a very high-volume email traffic
	    in between vger.rutgers.edu and nic.funet.fi ...)

Within the lattest    policy-builder.sh   script there is a way
to add arbitary attributes to the defaults added by the builder

-----  smtp-policy.relay ----
[]/24	fulltrustnet +


[]/24	= _full_rights fulltrustnet +

And the result will decidedly allow a high-speed input without
any analysis operations online with the incoming smtp session.

> Sergei Fomin
> hostmaster
> --
> RIC Velton.link                            Kharkov, Ukraine
> phone/fax: +380(572)149941      http://www.vlink.kharkov.ua

/Matti Aarnio <matti.aarnio@sonera.fi> <mea@nic.funet.fi>