On 02.03.2015 at 10:06, Steffen Kaiser wrote:
> If such plugin(?) is available, I would expect immediate complaints, it
> does not support:
>
> + local file lists with various sets of syntaxes
> + RBLs with a fine grained response matching
> + use the same RBL response for multiple match-action pairs

or it could work just with no config, unconditional and in front of any authentication, frankly even without any response - connection -> RBL check -> close connection, done

hence RBL's make sense in the core because *in front* of any other protocol specific code
On Mon, 2 Mar 2015, Reindl Harald wrote:
> On 02.03.2015 at 10:06, Steffen Kaiser wrote:
>> If such plugin(?) is available, I would expect immediate complaints, it
>> does not support:
>>
>> + local file lists with various sets of syntaxes
>> + RBLs with a fine grained response matching
>> + use the same RBL response for multiple match-action pairs
>
> or it could work just with no config, unconditional and

therefore I wrote, that I expect complaints, if this feature would work like that

> in front of any
> authentication,

which is the same as placing it as the first passdb, with the overhead of parsing the config file and adding it into the passdb{} chain.

> frankly even without any response - connection -> RBL check
> -> close connection, done

some external RBLs return certain information in the response, e.g. 127.0.0.2 is less problematic than 127.0.0.1, so "I expect complaints" this or that RBL is not working correctly ;-)

> hence RBL's make sense in the core because *in front* of any other protocol
> specific code

That's TCP wrapper or a firewall, IMHO. (for a file list, not RBL). However, there used to be a RBL patch for TCP wrapper and some distributions provide other implementations of a TCP wrapper with RBL, if this post is correct:
http://grokbase.com/t/centos/centos/143mg1wxsj/does-anyone-use-tcp-wrappers-hosts-allow-hosts-deny-anymore

--
Steffen Kaiser
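The pre-authentication RBL check with per-response matching discussed in the messages above, as an added example that is not part of the original thread and is not Dovecot code. The rule table, the `rbl.example.org` zone, the action names and the injected `resolve` function are all assumptions made for illustration.

```python
import ipaddress

# Constructed policy of (RBL return code, action) pairs; one code may drive
# several actions. Which code means what is an assumption, not from any real RBL.
RULES = [("127.0.0.1", "reject"), ("127.0.0.2", "log"), ("127.0.0.2", "delay_auth")]

def dnsbl_qname(client_ip, zone):
    """Query name: reversed octets (IPv4) or reversed nibbles (IPv6) + zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = reversed(str(ip).split("."))
    else:
        labels = reversed(ip.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone

def check_client(client_ip, zone, resolve, rules=RULES):
    """Return the actions for a connecting client, before any protocol code runs.

    resolve(qname) is a caller-supplied lookup returning a list of A records,
    or [] when the name does not exist (client not listed).
    """
    try:
        answers = resolve(dnsbl_qname(client_ip, zone))
    except OSError:
        # Assumed policy: a failing RBL must not lock users out, so fail open.
        return ["log_error"]
    actions = []
    for code, action in rules:
        if code in answers and action not in actions:
            actions.append(action)
    if answers and not actions:
        # Listed, but with a code no rule covers: surface it instead of guessing.
        actions.append("log_unmatched")
    return actions

# Constructed zone data standing in for DNS (documentation addresses only).
FAKE_ZONE = {
    "10.2.0.192.rbl.example.org": ["127.0.0.1"],
    "20.2.0.192.rbl.example.org": ["127.0.0.2"],
    "30.2.0.192.rbl.example.org": ["127.0.0.9"],
}

def fake_resolve(qname):
    return FAKE_ZONE.get(qname, [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(ip, check_client(ip, "rbl.example.org", fake_resolve))
```

The `log_unmatched` and `log_error` results keep an unexpected return code or a dead RBL visible in the mail log instead of silently changing who can connect.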
On 02.03.2015 at 10:33, Steffen Kaiser wrote:
>> hence RBL's make sense in the core because *in front* of any other
>> protocol specific code
>
> That's TCP wrapper or a firewall, IMHO. (for a file list, not RBL).
> However, there used to be a RBL patch for TCP wrapper and some
> distributions provide other implementations of a TCP wrapper with RBL

TCP wrapper is dying (more and more software in distributions is built without tcpwrapper support, more and more upstream packages remove support starting with openssh) and given that the author of tcpwrapper is the same person who wrote postfix if it would not make sense in the mail-daemon itself you can be sure it would not be in postfix

one point is logging - frankly i want rejected mail connections in the maillog and not spread over the whole system logs

HEADSUP: OpenSSH 6.7 drops tcpwrapper support:
https://www.cygwin.com/ml/cygwin/2014-08/msg00345.html
https://rwmj.wordpress.com/tag/tcp-wrappers/
daemontools

On 3/2/15, Steffen Kaiser <skdovecot at smail.inf.fh-brs.de> wrote:
> On Mon, 2 Mar 2015, Reindl Harald wrote:
>> On 02.03.2015 at 10:06, Steffen Kaiser wrote:
>>> If such plugin(?) is available, I would expect immediate complaints, it
>>> does not support:
>>>
>>> + local file lists with various sets of syntaxes
>>> + RBLs with a fine grained response matching
>>> + use the same RBL response for multiple match-action pairs
>>
>> or it could work just with no config, unconditional and
>
> therefore I wrote, that I expect complaints, if this feature would work
> like that
>
>> in front of any
>> authentication,
>
> which is the same as placing it as the first passdb, with the overhead of
> parsing the config file and adding it into the passdb{} chain.
>
>> frankly even without any response - connection -> RBL
>> check
>> -> close connection, done
>
> some external RBLs return certain information in the response, e.g.
> 127.0.0.2 is less problematic than 127.0.0.1, so "I expect complaints" this
> or that RBL is not working correctly ;-)
>
>> hence RBL's make sense in the core because *in front* of any other
>> protocol
>> specific code
>
> That's TCP wrapper or a firewall, IMHO. (for a file list, not RBL).
> However, there used to be a RBL patch for TCP wrapper and some
> distributions provide other implementations of a TCP wrapper with RBL, if
> this post is correct:
> http://grokbase.com/t/centos/centos/143mg1wxsj/does-anyone-use-tcp-wrappers-hosts-allow-hosts-deny-anymore
>
> --
> Steffen Kaiser