Re: [ANN] ShadeList: DNS-based white/blacklist policy server
From: Luc Pardon (lucp at skopos.be)
Date: Tue Feb 07 2006 - 11:49:25 CST
Victor Duchovni wrote:
> On Tue, Feb 07, 2006 at 03:36:45PM +0100, Luc Pardon wrote:
>
> One suggestion, the "-nd" switch should ideally be split into two pieces,
> allowing one to ignore blacklist lookup failures (matching default Postfix
> policy: some blacklisted mail will get in, but blacklist outages don't
> disable mail delivery) without also ignoring whitelist lookup failures
> (defer_if_reject does not break mail delivery).
>
> I would further recommend that once the "-nd" behaviour is split into
> two cases the *default* for blacklists should in fact be to ignore lookup
> failures. Blacklists are attractive DDoS targets, and it would be unfortunate
> to amplify the scope of such attacks by delaying mail delivery for all
> sites that use the blacklist under attack.
>
OK, good suggestions (of course). Thanks.
So, if the default for blacklists becomes ignore, I need a switch to
_enable_ a defer (-nd means 'no defer').
What if I changed -nd to affect only whitelist failure and added -d
for blacklists, so that it behaves like this:
* blacklist lookup failure: default 'dunno', override with '-d'
to return 'defer_if_permit' instead.
* whitelist lookup failure: default 'defer_if_reject', override
with '-nd' to return 'dunno' instead.
Simple, but maybe too confusing? Thoughts?
Luc Pardon
Skopos Consulting
Belgium
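The following is an added example, not ShadeList code and not from either poster, showing the fail-open versus fail-closed handling of list lookup failures that the '-d' / '-nd' proposal above describes, in the form of a minimal Postfix policy delegation handler. The DNS resolver is an in-memory table so it runs offline; the zone names, the "ok" and "reject" verdicts on a hit, the whitelist-before-blacklist ordering and the keyword option names standing in for the switches are all assumptions.

```python
# Added example (not ShadeList's code): fail-open / fail-closed handling of
# DNS list lookup failures in a Postfix policy server, following the switch
# semantics proposed in the message:
#   blacklist failure: default 'dunno', '-d'  -> 'defer_if_permit'
#   whitelist failure: default 'defer_if_reject', '-nd' -> 'dunno'
# Zone names, hit verdicts and the in-memory "DNS" are constructed assumptions.

WHITELIST_ZONE = "wl.example.test"   # hypothetical zone names
BLACKLIST_ZONE = "bl.example.test"

# Constructed resolver data: query name -> A record (127.0.0.2 = listed).
FAKE_DNS = {
    "4.3.2.1.bl.example.test": "127.0.0.2",    # 1.2.3.4 is blacklisted
    "8.0.0.10.wl.example.test": "127.0.0.2",   # 10.0.0.8 is whitelisted
}


class LookupFailure(Exception):
    """Raised when a list zone does not answer (timeout, SERVFAIL, zone under DDoS)."""


def reverse_ip(ip):
    """1.2.3.4 -> 4.3.2.1, the usual DNSBL/DNSWL query form."""
    return ".".join(reversed(ip.split(".")))


def lookup(ip, zone, failing_zones=frozenset()):
    """True if ip is listed in zone; raises LookupFailure if the zone is 'down'."""
    if zone in failing_zones:
        raise LookupFailure(zone)
    return f"{reverse_ip(ip)}.{zone}" in FAKE_DNS


def failure_action(list_kind, defer_on_blacklist_failure=False,
                   no_defer_on_whitelist_failure=False):
    """Policy action returned when the lookup itself fails (not a hit/miss)."""
    if list_kind == "blacklist":
        # Default fail-open: a blacklist outage must not stall mail delivery.
        return "defer_if_permit" if defer_on_blacklist_failure else "dunno"
    if list_kind == "whitelist":
        # Default: only a later reject is turned into a temporary failure.
        return "dunno" if no_defer_on_whitelist_failure else "defer_if_reject"
    raise ValueError(f"unknown list kind: {list_kind}")


def policy_action(client_ip, failing_zones=frozenset(),
                  defer_on_blacklist_failure=False,
                  no_defer_on_whitelist_failure=False):
    """Verdict for one client: whitelist first, then blacklist (assumed order)."""
    try:
        if lookup(client_ip, WHITELIST_ZONE, failing_zones):
            return "ok"                     # assumed verdict on a whitelist hit
    except LookupFailure:
        action = failure_action(
            "whitelist", no_defer_on_whitelist_failure=no_defer_on_whitelist_failure)
        if action != "dunno":
            return action
        # '-nd': the whitelist outage is ignored; fall through to the blacklist.
    try:
        if lookup(client_ip, BLACKLIST_ZONE, failing_zones):
            return "reject"                 # assumed verdict on a blacklist hit
    except LookupFailure:
        return failure_action(
            "blacklist", defer_on_blacklist_failure=defer_on_blacklist_failure)
    return "dunno"


def parse_policy_request(raw):
    """Parse one Postfix policy request: 'name=value' lines ended by a blank line."""
    attrs = {}
    for line in raw.split("\n"):
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def format_policy_response(action):
    """Postfix expects 'action=<verdict>' followed by an empty line."""
    return f"action={action}\n\n"


def handle(raw_request, **opts):
    """Full round trip: request text in, response text out."""
    attrs = parse_policy_request(raw_request)
    return format_policy_response(policy_action(attrs["client_address"], **opts))


if __name__ == "__main__":
    # Constructed request in the Postfix policy delegation format.
    req = "request=smtpd_access_policy\nclient_address=1.2.3.4\n\n"
    print(handle(req), end="")                                   # action=reject
    print(handle(req, failing_zones={BLACKLIST_ZONE}), end="")   # action=dunno
    print(handle(req, failing_zones={BLACKLIST_ZONE},
                 defer_on_blacklist_failure=True), end="")       # action=defer_if_permit
```

Passing a zone name in failing_zones simulates that list being unreachable, so the same client address can be run through every combination of outage and switch setting; the fall-through on '-nd' is what keeps a whitelist outage from hiding a blacklist hit.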