[milters] Archive

Lists Index Date Thread Search

Article: 1388
From: Steve Freegard
Date: 2007-01-08 14:47:55 -0500
Subject: Whitelisting on RELAY entries in access-map

Removal...........: milters-request@milter.info?subject=remove
More information..: http://www.milter.info/#Support
--------------------------------------------------------

Hi All,

I wanted to bring up a general point that is common to all Snert milters
to see what others thought about this.

Currently all the milters treat a 'RELAY' entry in the access-map as >
OK == whitelist - this is fine for the most part, but on occasion it
leads to undesired results.

For example - I prefer putting domains that I relay for into the
access-map with a tagged 'To' entry as I can avoid the necessary restart
required if I were to put them into the 'relay-domains' file.  For example:

To:domain.com		RELAY

However - this will then mean that the Snert milters will whitelist all
message to this domain, definitely not what I intended.

I was wondering what other people think about this and whether or not
there might be a better way to deal with this.  Note that putting:

milter-<name>-To:	SKIP

Does cure the problem, but that means that all tagged 'To' entries will
be ignored, not just the RELAY result.

Other examples where this can be problematic - consider that you use
milter-link and allow some machines to relay through you but the
machines could easily become infected, you have:

Connect:1.2.3.4		RELAY

In your access-map, this results in the host being whitelisted through
milter-link.

Maybe it should be considered to optionally ignore RELAY entries and
require that if this functionality is required, then a specific tag is
used instead e.g.:

milter-link-Connect:1.2.3.4		OK

Or a generic tag for all the Snert milters e.g.

snert-To:domain.com			OK

Thoughts??

Kind regards,
Steve.



Lists Index Date Thread Search