
Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?



On 7/12/2011 3:33 PM, lee wrote:

> Yeah, when you know in advance from which IPs you don't want to receive
> mail, you can lock them out before they can contact the MTA.  Isn't that
> something that could be done with your table?

One could probably configure fail2ban to add IP addresses from which
this table rejects mail into iptables rules.  But you'll run into
problems after a reboot when iptables is loading over, say, 1 million IP
addresses, if it can even handle that many.  I'm not an iptables guru.

Given the efficiency of this table is both memory consumption and
processor time, both of which are tiny, I don't see any benefit to doing
the IP blocking at the kernel level.

> Spamhaus blocks you even when you haven't done anything wrong and then
> refuses to remove you.

Please share your correspondence with Spamhaus that proves what you
state.  After a loaded statement like this you really need to show evidence.

> And as I said, I don't want others to decide about what mail I can
> receive and what not.  How would you like it if the postman supposed to
> deliver your snail mail would decide by his very own rules which of the
> mail addressed to you he delivers?  Email is the same, I don't want you
> or anyone else decide what mail I can receive and what not.

Huh?

> It is much different.  The difference is that it is my decision how to
> use these tools and how to configure them.  When I decide to use a
> blacklist like Spamhaus has, others decide who's blacklisted and who's
> not, and that's a decision I have no saying in.  I can either use their
> list or not and don't have any control over the list itself --- but I do
> have control over how I configure SpamAssassin.

If you're using SpamAssassin then you're already using 5 dnsbls,
including Spamhaus Zen.  It's the default configuration.  You didn't
mention manually disabling them, so apparently you use them.  You
probably didn't even realize it.

> That doesn't say much without knowing how much mail is running
> through.  It's nice that you don't need greylisting and SpamAssassin
> since greylisting introduces delays and SpamAssassin can be troublesome
> on resources.

And mail flow won't tell you anything without knowing the hardware specs
and line speed.  That's a bit deep for this discussion.

> Well, I see that very differently.  BTW, is there an RFC yet that makes
> having a static IP a requirement for sending mail?

RFC or not, the static IP for MTA train left the station many years ago.
It's been BCP for many years now.  I'm sure MAAWG and other such bodies
have this covered in their docs.

>> Only bot infected PCs do that.  This table targets residential type
>> rDNS strings, which identify the PC as being residential, or less
>> commonly, SOHO.  In either case, they should be relaying email through
>> their ISP's mail relay, which we state in the reject messages in the
>> table.
> 
> That's a decision you made, and it's an example for a case in which the
> decision of what mail I want to (or, rather, can) receive would be made
> by someone else.

Have you even looked at the file?  You can replace every action with a
PREPEND if you so choose and use this table strictly for scoring.  You
could also do selective greylisting with it, or any number of actions.
The actions that ship in the default file work extremely well.  As the
file states, you are totally free to modify it and use it in any way you
choose.

It's becoming pretty clear you don't currently, and probably never have,
managed an MTA.  You speak strictly from an end user POV.  Which makes
me wonder why you've jumped into this drifted corner of this thread in
the first place.

You claimed to be a Spamassassin user, yet you didn't know it uses
multiple dnsbls by default.  You claim to want to make a personal choice
whether to accept or reject each and every email that arrives, which is
simply silly for anyone to do but an end user.

-- 
Stan
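As an added example, not code from this thread or from the table's author: the "replace every action with a PREPEND and use the table strictly for scoring" idea above, worked through in Python. It assumes the table uses Postfix pcre access-map syntax (`/pattern/ ACTION text`, first match wins, case-insensitive by default) and uses constructed sample patterns and hostnames, not the real file's contents; the header name `X-Residential-rDNS` is an assumption.

```python
import re

# Constructed sample in Postfix pcre access-table syntax (assumption: the
# table discussed above is a check_client_access pcre map). Not the real file.
SAMPLE_TABLE = r"""
# residential rDNS patterns (constructed sample)
/^(dsl|cable|dhcp|pool)[-.].*\.example\.net$/   REJECT Residential host - relay through your ISP's mail server
/^[0-9]+-[0-9]+-[0-9]+-[0-9]+\..*\.example\.org$/  REJECT Generic rDNS - relay through your ISP's mail server
"""

# /pattern/ ACTION optional-text  (pattern may contain escaped slashes)
LINE_RE = re.compile(r'^/(?P<pat>(?:\\/|[^/])+)/\s+(?P<action>\S+)(?:\s+(?P<text>.*))?$')


def parse_table(text):
    """Return [(compiled_regex, action, text)] in file order; blanks/comments skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f'unparsable line: {raw!r}')
        # Postfix pcre tables search (not anchor) and ignore case by default.
        rules.append((re.compile(m['pat'], re.IGNORECASE), m['action'], m['text'] or ''))
    return rules


def to_prepend(text, header='X-Residential-rDNS'):
    """Rewrite every REJECT into a PREPEND that tags the message instead of
    refusing it, so a downstream scorer (e.g. SpamAssassin) can weigh it."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m and m['action'].upper() == 'REJECT':
            out.append(f"/{m['pat']}/\tPREPEND {header}: {m['text'] or ''}")
        else:
            out.append(raw)  # comments, blanks and non-REJECT lines pass through
    return '\n'.join(out)


def lookup(rules, rdns):
    """First-match semantics, like Postfix: (action, text) or None if no rule hits."""
    for pat, action, text in rules:
        if pat.search(rdns):
            return action, text
    return None
```

Run `lookup(parse_table(to_prepend(SAMPLE_TABLE)), hostname)` to see what a converted table would do for a given client rDNS string before deploying it.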
