1

Topic: Greylist Whitelisting via SPF

I've been manually updating whitelists for cluebringer by searching out published SMTP server lists from the major mail service providers. It occurred to me that this was a very outdated method and quite labour intensive, so I wrote a small Python program to create a more automated approach. Manually updating data tends to be a task that is forgotten, done too infrequently, or postponed for higher-priority tasks.

The logic is fairly simple and might be something worth adding to iRedMail's maintenance scripts. Essentially it does the following:

* provide a list of top level domains to be whitelisted (twitter.com, google.com, facebook.com, etc.)
* drop the current whitelist table
* create a new table
* get the SPF record for each domain
* parse the record for IP addresses and add them to the whitelist table, recording the source domain in the comment field, and ignoring duplicates
* parse the record for INCLUDE and REDIRECT directives and insert those after the current domain record

I've found it takes about 3 to 5 seconds to collect the valid servers for about 30 domains and rebuild the list.

With this approach you can run the update script with whatever frequency seems appropriate to pick up new servers for the major services. I've also found this useful for whitelisting smaller SaaS providers like help desks, accounting systems, etc.

My script would need some refinement since I wrote it in Python3 and I hard-coded my top level domain list, but I think the approach is sound and the logic fairly straightforward and easy to replicate.

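The SPF walk listed in the first post, sketched as an added example; this is not the poster's script, which does not appear in the thread. The function names, the offline `sample_lookup` stand-in for DNS, the constructed TXT records, the `max_domains` bound, and the choice to skip terms with a `-`, `~` or `?` qualifier are all assumptions made here.

```python
import ipaddress

# Constructed TXT records (reserved example domains, documentation address ranges).
SAMPLE_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ~all"],
    "_spf.example.net": ["v=spf1 ip4:198.51.100.7 ip6:2001:db8::/32 ip4:192.0.2.0/24 "
                         "include:example.com redirect=_spf2.example.net"],
    "_spf2.example.net": ["site-verification=constructed",
                          "v=spf1 ip4:203.0.113.0/25 ip4:999.1.1.1 -ip4:203.0.113.200 -all"],
}

def sample_lookup(domain):
    """Offline stand-in for a DNS TXT query (hypothetical helper)."""
    return SAMPLE_TXT.get(domain, [])

def collect_spf_networks(seeds, lookup=sample_lookup, max_domains=10):
    """Map each ip4/ip6 network reachable from the seeds to the domain that listed it."""
    whitelist = {}
    for seed in seeds:
        queue, seen = [seed.lower()], set()
        while queue and len(seen) < max_domains:   # bound the walk per seed
            domain = queue.pop(0)
            if domain in seen:                     # include/redirect loop
                continue
            seen.add(domain)
            spf = next((t for t in lookup(domain) if t.lower().split()[:1] == ["v=spf1"]), "")
            follow = []
            for term in spf.split()[1:]:
                if term[0] in "-~?":               # only pass-qualified terms earn trust
                    continue
                name, sep, value = term.lstrip("+").partition(":")
                if not sep:                        # modifiers use "=", e.g. redirect=
                    name, sep, value = term.partition("=")
                name = name.lower()
                if name in ("ip4", "ip6"):
                    try:
                        net = ipaddress.ip_network(value, strict=False)
                    except ValueError:             # malformed address: skip it
                        continue
                    whitelist.setdefault(str(net), domain)   # duplicates keep first source
                elif name in ("include", "redirect") and value and "%" not in value:
                    follow.append(value.lower())
            queue[0:0] = follow                    # visit referenced domains next
    return whitelist
```

For live use, pass a `lookup` that performs real TXT queries and joins multi-string TXT records before returning them. The returned mapping gives the network and the source domain for the comment field.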

2

Re: Greylist Whitelisting via SPF

*) Would you mind sharing this tool?
*) How about checking SPF records when new email arrives? Maybe store the checking result in a database to avoid further duplicate DNS queries. No cron job required, no hard-coded domain names. A local DNS server or a cache-only local DNS server helps a lot in this case.

== UPDATE ==

We plan to replace Cluebringer with iRedAPD; the greylisting plugin will be implemented in the next release. I added your suggestion to this issue to help track it:
https://bitbucket.org/zhb/iredmail/issu … reylisting

3 (edited by bmackay 2015-09-15 02:42:45)

Re: Greylist Whitelisting via SPF

ZhangHuangbin wrote:

*) Would you mind sharing this tool?
*) How about checking SPF records when new email arrives? Maybe store the checking result in a database to avoid further duplicate DNS queries. No cron job required, no hard-coded domain names. A local DNS server or a cache-only local DNS server helps a lot in this case.

== UPDATE ==

We plan to replace Cluebringer with iRedAPD; the greylisting plugin will be implemented in the next release. I added your suggestion to this issue to help track it:
https://bitbucket.org/zhb/iredmail/issu … reylisting


I'm happy to share the code. I emailed it to you moments ago so you can decide if and how to best include this functionality in the new iRedAPD greylisting mechanism.

As I noted in the email, this mechanism is only to prepopulate the whitelist and isn't intended to replace the real-time discovery that occurs as new domains connect and trust is established.

Sorry for the slow response as I rarely have time to spend on the forums.