
Re: dns tests in policytest



> Hi 
> 
> 	I'm trying to set up policy tests, but unfortunately I found
> unwanted DNS tests both in mail_from and rcpt_to while
> connecting from a net listed in smtp-policy.relay (_full_rights).
> 	There are strange calls to sender_dns_verify and client_dns_verify
> after always_accept checks. (rcpt_nocheck == 0 ?)
> 
> 2.99.50-s6 with default smtp-policy boilerplate
> 
> any comments ?

A lengthy background history:

	Originally I designed the facility to allow messages from
	trusted sources to be accepted without further analysis
	work on the MAIL FROM/RCPT TO addresses.

	After having seen how much junk our clients are pushing
	in -- misconfigured MAIL FROM, mistakes in recipient
	addresses...  -- we modified the system to have a new
	attribute for allowing absolutely trusted sources
	(or sources that can not be verified in time to be able to
	 allow flows of timely email: vger.rutgers.edu->nic.funet.fi)
	AND doing "accept but verify" in place of old behaviour of
	"accept without checks".

ChangeLog tells:

	* include/policy.h, smtpserver/policytest.c, smtpserver/policytest.h,
	  smtpserver/readpolicy.c:
	    Altered "relaycustnet" semantics a bit.  Even though it will
	    still allow unlimited inbound feed, it will at first do DNS
	    verification on MAIL FROM, and RCPT TO headers -- accepts
	    recipients if said recipients have any DNS A/MX entry at all,
	    and likewise with sender...
	    Introduced new attribute:  "fulltrustnet +"  which can
	    be used in case there absolutely is need for not checking
	    input addresses (like in a very high-volume email traffic
	    in between vger.rutgers.edu and nic.funet.fi ...)


Within the latest policy-builder.sh script there is a way
to add arbitrary attributes to the defaults added by the builder
script:

-----  smtp-policy.relay ----
[1.2.3.0]/24	fulltrustnet +
-----------------------------

Yields:

[1.2.3.0]/24	= _full_rights fulltrustnet +


And the result will decidedly allow a high-speed input without
any analysis operations online with the incoming smtp session.

> Sergei Fomin
> hostmaster
> --
> RIC Velton.link                            Kharkov, Ukraine
> phone/fax: +380(572)149941      http://www.vlink.kharkov.ua

/Matti Aarnio <matti.aarnio@sonera.fi> <mea@nic.funet.fi>
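To make the two behaviours discussed in this thread concrete, here is an added illustration (not ZMailer's policytest.c and not code from either poster) that models the decision for a client matched in smtp-policy.relay: a "fulltrustnet +" source is accepted with no address analysis, while a "relaycustnet"/_full_rights source is accepted only after the sender and recipient domains pass an "any A or MX record at all" check. The policy entries and the DNS data are constructed stand-ins; a null reverse path (MAIL FROM:<>) is treated as having nothing to verify.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed relay policy, in the expanded form policy-builder.sh produces
# (hypothetical networks; attribute names are the ones discussed in the thread).
RELAY_POLICY: List[Tuple[str, Dict[str, str]]] = [
    ("1.2.3.0/24",  {"_full_rights": "+", "fulltrustnet": "+"}),  # absolutely trusted feed
    ("10.9.0.0/16", {"_full_rights": "+", "relaycustnet": "+"}),  # customers: accept but verify
]

# Constructed stand-in for DNS: domain -> record types present (no real lookups).
FAKE_DNS: Dict[str, Set[str]] = {
    "nic.funet.fi": {"A", "MX"},
    "example.org": {"MX"},
    "nodomain.invalid": set(),
}
Resolver = Callable[[str], Optional[Set[str]]]

def lookup_policy(client_ip: str) -> Dict[str, str]:
    """Return the attributes of the first relay entry whose network holds client_ip."""
    ip = ipaddress.ip_address(client_ip)
    for net, attrs in RELAY_POLICY:
        if ip in ipaddress.ip_network(net):
            return attrs
    return {}

def has_a_or_mx(domain: str, resolver: Resolver = FAKE_DNS.get) -> bool:
    """The ChangeLog's test: the domain has 'any DNS A/MX entry at all'."""
    return bool((resolver(domain) or set()) & {"A", "MX"})

def decide(client_ip: str, mail_from: str, rcpt_to: str,
           resolver: Resolver = FAKE_DNS.get) -> Tuple[str, str]:
    """Return (verdict, reason) for one MAIL FROM / RCPT TO pair from client_ip."""
    attrs = lookup_policy(client_ip)
    if attrs.get("fulltrustnet") == "+":
        return "accept", "fulltrustnet: accepted without address analysis"
    if attrs.get("relaycustnet") == "+" or "_full_rights" in attrs:
        # "Accept but verify": null sender (<>) carries no domain to check.
        to_check = [("recipient", rcpt_to)] + ([("sender", mail_from)] if mail_from else [])
        for label, addr in to_check:
            domain = addr.rsplit("@", 1)[-1]
            if not has_a_or_mx(domain, resolver):
                return "reject", f"{label} domain {domain} has no A or MX record"
        return "accept", "relaycustnet: sender and recipient domains verified"
    return "fallthrough", "client not listed in smtp-policy.relay; apply ordinary policy"
```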