I'm giving a try to the newer whitelists DNS lists, like SWL/DNSWL.
But i'm a little in doubt on where better inseert the check. In my
setup, on the acl_check_rcpt ACL, i've some whitelist (authenticated
users, postmaster whitelist), then a plethora of black checks (headers,
RBL, SPF, ...) and then the final check that use callout to internal
server:
accept
domains = +local_domains : +relay_to_domains
endpass
.ifdef CHECK_RCPT_GIVE_UNKNOWN_USER
message = ${if eq{$acl_verify_message}{Unrouteable address}{unknown user}{$acl_verify_message}}
.else
message = unrouteable address
.endif
verify = recipient/callout=defer_ok
Ok, i can add as the last white checks just before the black checks, a
rule like:
.ifdef CHECK_RCPT_IP_DNSWLS
accept
hosts = !+relay_from_hosts
dnslists = CHECK_RCPT_IP_DNSWLS
log_message = $sender_host_address is whitelisted at $dnslist_domain ($dnslist_value: $dnslist_text)
.endif
but this rule clearly does not perform callouts, so i will generate
bounces with the internal server and not rejections of recipients.
What is better to do? dupe the callout check (that are cached), define
a sub-acl to use as override for the black checks (as for debian
acl_local_deny_exceptions)?
Many thanks.
--
Il computer è come la morosa:
meno ci mettono mano gli altri e meglio è! ;-)
(Enrico)
